Zscaler Blog
React2Shell: Remote Code Execution Vulnerability (CVE-2025-55182)
Introduction
On December 3, 2025, Meta and Vercel disclosed CVE-2025-55182, a critical vulnerability in React Server Components (RSC) with the maximum CVSS score of 10.0. This flaw allows unauthenticated remote code execution (RCE) on impacted servers. Dubbed React2Shell, this vulnerability exploits the Flight protocol used in RSC and can be triggered by a malicious HTTP POST request. Even applications with default React configurations are impacted.
Since this disclosure, over 4,100 exploitation attempts were observed within the first two hours, including attacks by a China-based threat actor. Zscaler ThreatLabz recommends treating CVE-2025-55182 as a priority to prevent potential exploitation. Zscaler customers using Zscaler Deception technology observed exploitation attempts against their perimeter-facing decoy applications, which enabled them to take immediate and proactive measures to mitigate this threat.
ANALYST NOTE: Initially, a second vulnerability (CVE-2025-66478) was assigned to Next.js, but it has since been rejected as a CVE due to being a duplicate of CVE-2025-55182 upon further review.
Recommendations
Administrators of applications built with React and Next.js are strongly urged to take the following actions:
- Update to the latest stable versions of React (19.0.1, 19.1.2, and 19.2.1) and the corresponding Next.js version.
- Verify dependency resolution by thoroughly reviewing package-lock.json or yarn.lock to ensure react-server-dom-* packages are updated to their patched versions, and use npm ci, or equivalent commands, to ensure reproducible builds with fixed versions.
- After verifying dependencies, follow the steps below to rebuild and redeploy:
  - Clear all caches: npm cache clean --force.
  - Remove node_modules: rm -rf node_modules.
  - Perform a clean install: use npm ci (preferred) or npm install.
  - Rebuild the application completely.
  - Deploy updates to all affected environments immediately.
- Monitor for suspicious activity such as unexpected child processes spawned by Node.js, unauthorized shell commands, and anomalous outbound connections.
- Deploy runtime protections using Runtime Application Self-Protection (RASP) or Cloud Workload Protection Platform (CWPP) solutions to detect and block unauthorized process execution.
- Enable Web Application Firewall (WAF) rules as a temporary measure while patching, but do not rely on them as a permanent solution.
- Conduct security audits of applications using React Server Components (RSC) to identify all impacted instances, prioritizing public-facing services.
- Implement process monitoring to trigger alerts for any spawning of shell processes (e.g., bash, sh, cmd.exe, powershell.exe) originating from the application runtime.
- Scan for indicators of compromise such as web shells, modified files in application directories, and unusual network traffic patterns.
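The lockfile review in the second recommendation can be scripted. The following is an added example, not Zscaler's or React's code: it walks the "packages" map of a package-lock.json (lockfile v2/v3 layout) and flags any resolved react-server-dom-* copy whose version is not one of the patched releases from Table 1. The sample lockfile is constructed for the example.

```javascript
// Patched react-server-dom-* releases from Table 1. Extend this set when a
// newer release ships; versions not listed here are reported as unpatched.
const PATCHED = new Set(["19.0.1", "19.1.2", "19.2.1"]);
const AFFECTED_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];

// Returns one finding per resolved react-server-dom-* package: its lock path
// (nested copies under other packages included), version, and patch status.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // The package name is the last "node_modules/" segment of the lock path.
    const name = path.split("node_modules/").pop();
    if (!AFFECTED_PACKAGES.includes(name) || !entry.version) continue;
    findings.push({
      path,
      name,
      version: entry.version,
      patched: PATCHED.has(entry.version),
    });
  }
  return findings;
}

function vulnerableEntries(lock) {
  return auditLockfile(lock).filter((f) => !f.patched);
}

// Constructed sample: the top-level copy was updated, but a nested copy under
// another dependency still resolves to vulnerable 19.1.0, the case a lock
// review plus a clean `npm ci` install is meant to surface.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.1" },
    "node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/next": { version: "16.0.7" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.1.0" },
  },
};

for (const f of vulnerableEntries(sampleLock)) {
  console.log(`UNPATCHED ${f.name}@${f.version} at ${f.path}`);
}
```

This only covers copies resolved through npm; Next.js ships its own compiled copy of these packages inside the next package, so the Next.js version itself must still be checked against Table 2.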
Affected Versions
React vulnerability (CVE-2025-55182)
CVE-2025-55182 impacts the following packages:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
The table below lists the impacted versions of these React packages along with their respective patched versions.
| Impacted version | Patched version |
|---|---|
| 19.0.0 | 19.0.1 |
| 19.1.0, 19.1.1 | 19.1.2 |
| 19.2.0 | 19.2.1 |
Table 1: Table of impacted react-server-dom* package versions and their corresponding patched versions.
Next.js
Next.js, a widely-used web development framework built on React, was initially reported as being impacted by the React2Shell vulnerability and assigned CVE-2025-66478. However, after further review, this CVE was rejected. Despite this, certain versions of Next.js were identified as being indirectly affected due to their use of React components that rely on the Flight protocol.
Stable versions of Next.js 13.x and 14.x, as well as Pages Router applications and the Edge Runtime, remain unaffected. The table below lists impacted Next.js versions and their corresponding fixed versions.
| Impacted version | Patched version |
|---|---|
| 15.x | 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8 and 15.5.7 |
| 16.x | 16.0.7 |
| 14.3.0-canary.77 and later releases | 14.3.0-canary.88 |
Table 2: Impacted Next.js versions and their corresponding patched versions.
Technical Analysis
CVE-2025-55182 was linked to the Flight protocol within RSC, a mechanism in React 19 responsible for handling data serialization and deserialization between the server and client. A server-side weakness in the deserialization process was discovered, allowing attackers to execute arbitrary JavaScript code on a React server by sending a crafted HTTP POST request, requiring no authentication. This exploit targets the server-side deserialization process in RSC, where serialized data within multipart/form-data is trusted without proper validation. By manipulating this data, attackers leverage prototype chain traversal to reference and execute exports outside the original object.
The figure below shows the attack flow for CVE-2025-55182.
Figure 1: Diagram illustrating the attack flow for CVE-2025-55182.
The root cause of CVE-2025-55182 is a flaw in the getOutlinedModel function, which is susceptible to a type of JavaScript security issue known as prototype chain exploitation.
Prototype chain exploitation occurs when attackers take advantage of how JavaScript objects inherit properties and methods from their prototypes. In this specific case, by crafting malicious input with keywords like __proto__, constructor, and prototype, attackers are able to execute arbitrary JavaScript code.
The patched version resolves this issue by ensuring that only properties belonging to the actual object are accessed. This is done by adding a safeguard using hasOwnProperty checks before property lookups.
The code below illustrates the vulnerable code in the getOutlinedModel function and the implemented patch.
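As an added, simplified illustration (not React's getOutlinedModel source, and not the code shown in the original post), the following JavaScript contrasts a reference-path lookup that follows plain property access, and so can walk into the prototype chain, with the same lookup guarded by a hasOwnProperty check as the patch does. The model object, path shape and function names are hypothetical.

```javascript
const hasOwn = Object.prototype.hasOwnProperty;

// Constructed sample of a deserialized server-side model that a Flight-style
// reference (a path of property keys) is meant to index into.
const model = { user: { name: "alice", roles: ["viewer"] } };

// Vulnerable lookup: each key is read with plain property access, so keys such
// as "__proto__" or "constructor" are resolved through inheritance and the
// walk leaves the model for objects it was never meant to reach.
function resolvePathUnsafe(root, path) {
  let value = root;
  for (const key of path) {
    value = value[key];
  }
  return value;
}

// Hardened lookup (the idea behind the patch): every key must be an own
// property of the object currently being walked. Inherited properties, i.e.
// anything reached only via the prototype chain, are rejected before access.
function resolvePathSafe(root, path) {
  let value = root;
  for (const key of path) {
    if (value === null || typeof value !== "object" || !hasOwn.call(value, key)) {
      throw new Error(`Invalid reference path: ${JSON.stringify(path)}`);
    }
    value = value[key];
  }
  return value;
}

// Detection-side helper for request logs or WAF rules: flags reference paths
// containing the keywords the post names, independent of the model contents.
function isSuspiciousPath(path) {
  return path.some((k) => k === "__proto__" || k === "constructor" || k === "prototype");
}
```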
Conclusion
CVE-2025-55182 poses a significant threat to organizations using React and, by extension, certain implementations of Next.js. Zscaler ThreatLabz strongly recommends that organizations prioritize applying patches immediately to mitigate risks associated with the React2Shell vulnerability.
Zscaler Coverage
The Zscaler ThreatLabz team has deployed protection for CVE-2025-55182.
Zscaler Private Access AppProtection