- react
- nextjs
- rce
- cve
- deserialization
news
React2Shell RCE in React Server Components (CVE-2025-55182)
Critical CVSS 10.0 RCE in react-server-dom-webpack affects React 19 and Next.js App Router; public PoC scanner indexed on Sploitus.
Summary
CVE-2025-55182, branded React2Shell in the indexed PoC, is a critical remote code execution flaw in React Server Components deserialization (react-server-dom-webpack). An unauthenticated attacker can inject malicious payloads into React Server Actions and reach the JavaScript Function constructor, executing arbitrary system commands on the server. A bulk scanner PoC is indexed on Sploitus.
This article is educational coverage of publicly indexed research. OFFSITE.DARK did not publish the exploit; Sploitus is the cited index source.
Technical Details
React 19 introduced Server Components and the Flight wire format for serializing server/client boundaries. The vulnerability lies in unsafe deserialization of attacker-controlled Flight payloads submitted to Server Action endpoints.
| Package | Affected versions | Fixed |
|---|---|---|
| react-server-dom-webpack | 19.0.0 – 19.2.0 | 19.2.1+ |
| Next.js 13.4.x | pre-14.2.35 | 14.2.35+ |
| Next.js 14.x | pre-14.2.35 | 14.2.35+ |
| Next.js 15.x | pre-15.5.9 | 15.5.9+ |
The indexed PoC (react2shell.js) sends crafted requests to App Router endpoints and checks for command execution via a benign whoami probe:
```sh
node react2shell.js http://localhost:3000
```
Vulnerable hosts return output such as `VULNERABLE | Output: 0:"SUCCESS: root"`. Patched or non-RSC deployments return 404 or reject the payload.
Attack prerequisites: Network access to a Next.js App Router (or other RSC) deployment using vulnerable react-server-dom-webpack versions. No authentication required.
CVE
| Field | Value |
|---|---|
| CVE | CVE-2025-55182 |
| CVSS | 10.0 (Critical) |
| CWE | CWE-502 — Deserialization of Untrusted Data |
| Vector | Network, no auth, no user interaction |
| Sploitus date | 2025-12-13 |
Impact
Remote code execution as the Node.js process user running the web application — typically www-data, node, or a container UID with access to application secrets, environment variables, and internal network routes. Because Next.js and React power a large share of modern SaaS frontends, mass scanning with indexed PoCs poses immediate risk to unpatched production deployments.
Mitigation
- Upgrade immediately:
  - react-server-dom-webpack → 19.2.1+
  - Next.js 14 → 14.2.35+
  - Next.js 15 → 15.5.9+
- Verify dependency trees — frameworks like Waku and Remix may transitively pull vulnerable RSC packages.
- WAF/rate-limit POST traffic to Server Action endpoints while patching; this is a temporary measure, not a substitute for upgrades.
- Run Node workers as unprivileged users with minimal filesystem write access and no cloud metadata credentials in environment.
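A lockfile audit for the "verify dependency trees" step, as an added example that is not part of the advisory, the indexed PoC, or any React/Next.js tooling. It assumes an npm package-lock.json with lockfileVersion 2 or 3 (the `packages` map), takes the version bounds from the tables above, and catches nested copies of react-server-dom-webpack under frameworks such as Waku; the sample lockfile is constructed.

```javascript
// Vulnerable if from <= version < fixed (bounds taken from the advisory tables).
const RULES = [
  { name: 'react-server-dom-webpack', from: '19.0.0', fixed: '19.2.1' },
  { name: 'next', from: '13.4.0', fixed: '14.2.35' },
  { name: 'next', from: '15.0.0', fixed: '15.5.9' },
];
// Parse "19.2.0" or "19.2.1-canary-abc" into a comparable tuple. A prerelease
// of the fixed version sorts before the final release and is flagged as
// unpatched (a conservative assumption, not a statement from the advisory).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3]), m[4] ? 0 : 1] : null;
}

function cmp(a, b) {
  for (let i = 0; i < 4; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function isVulnerable(name, version) {
  const v = parseVersion(version);
  if (!v) return false; // git URL or tag: cannot compare, review by hand
  return RULES.some(r => r.name === name &&
    cmp(v, parseVersion(r.from)) >= 0 && cmp(v, parseVersion(r.fixed)) < 0);
}

// Keys in lock.packages look like "node_modules/next" or
// "node_modules/waku/node_modules/react-server-dom-webpack" (nested copy),
// so the package name is whatever follows the last "node_modules/".
function auditLock(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf('node_modules/');
    if (i < 0 || !meta.version) continue; // root entry or workspace path
    const name = path.slice(i + 'node_modules/'.length);
    if (isVulnerable(name, meta.version)) hits.push({ path, name, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile: a patched top-level copy, a vulnerable nested
// copy, and a Next.js release one patch below the fixed version.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/next': { version: '15.5.8' },
  'node_modules/react-server-dom-webpack': { version: '19.2.1' },
  'node_modules/waku/node_modules/react-server-dom-webpack': { version: '19.2.0' },
} };
```

On a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `auditLock` and treat any returned entry as a blocker until the listed fixed version is installed.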
Sources
- Sploitus — React deserialization CVE-2025-55182 (index source)
- GitHub — React-Security-CVE-2025-55182-Exploit (upstream PoC referenced by Sploitus)