CVE-2025-55182 and CVE-2025-66478 — Critical Deserialization RCE in React Server Components
A new unauthenticated remote-code-execution vulnerability in React Server Components, dubbed React2Shell, has been disclosed by the React and Next.js teams.
CVE-2025-55182 and CVE-2025-66478 carry a Critical CVSS score, the highest category, due to their trivial exploitability and the ubiquity of React in modern web applications. Sonatype customers will have received automated notifications of any applications containing these components through continuous monitoring.
Like Log4Shell, this is fundamentally a deserialization-of-untrusted-data flaw. React’s server-side request decoding logic unsafely deserializes attacker-controlled inputs. This allows arbitrary code execution in applications using React Server Components, even if the application doesn’t explicitly expose Server Function endpoints.
Given the enormous global footprint of React and Next.js (their combined download volume on npmjs is nearly 1B per week) and the increasing adoption of server-side React patterns, the scope of this RCE vulnerability is significant.
The React2Shell Vulnerability Explained
The vulnerable React packages (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack) perform unsafe property access when reconstructing server function metadata. Versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, as well as many canary, rc, and experimental versions, are affected. Next.js versions ≥14.3.0-canary.77, < 14.3.0-canary.88, 15.x, and 16.x are affected.
Even if your app does not implement any React Server Function endpoints, it may still be vulnerable if your app supports React Server Components.
A crafted HTTP payload can inject metadata pointing to dangerous prototype-chain properties. When React resolves the server function call, the deserializer exposes access to bundled modules. This turns a single HTTP request into full RCE with no authentication and no user interaction required.
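The fastest defensive check is an inventory of which of the packages and versions named above are actually resolved in a build. The following script is an added example, not code from the advisory or from the React or Next.js projects: it walks the `packages` map of a `package-lock.json` (lockfile v2/v3 layout, assumed) and flags the React Server Components packages at the stable versions the advisory lists, any canary/rc/experimental prerelease of those packages for manual review (the advisory says many, not all, are affected), and `next` in the 14.3.0-canary.77 to canary.87, 15.x and 16.x ranges. The lockfile fragment is constructed for the demo.

```javascript
// Added example (not part of the advisory or the React/Next.js projects).
// Scans a package-lock.json "packages" map (lockfileVersion >= 2 layout, assumed)
// for the affected versions named in the advisory.

const REACT_RSC_PACKAGES = new Set([
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
]);
// Stable versions the advisory lists as affected.
const AFFECTED_REACT_STABLE = new Set(['19.0.0', '19.1.0', '19.1.1', '19.2.0']);

// Minimal semver-style parser: major.minor.patch with optional -prerelease.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Returns 'affected', 'review' (prerelease needing manual confirmation) or 'ok'.
function classifyReactRsc(version) {
  const p = parseVersion(version);
  if (!p) return 'review';
  // The advisory says many canary/rc/experimental builds are affected, so do not auto-clear them.
  if (p.pre) return 'review';
  return AFFECTED_REACT_STABLE.has(`${p.major}.${p.minor}.${p.patch}`) ? 'affected' : 'ok';
}

function classifyNext(version) {
  const p = parseVersion(version);
  if (!p) return 'review';
  if (p.major === 15 || p.major === 16) return 'affected'; // 15.x and 16.x
  if (p.major === 14 && p.minor === 3 && p.patch === 0 && p.pre) {
    const c = /^canary\.(\d+)$/.exec(p.pre);
    if (c) {
      const n = +c[1];
      return n >= 77 && n < 88 ? 'affected' : 'ok'; // >= canary.77 and < canary.88
    }
    return 'review'; // some other 14.3.0 prerelease tag: confirm by hand
  }
  return 'ok';
}

// Walk every installed package (including nested node_modules copies).
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path || !entry.version) continue; // "" is the root project entry
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    let status = null;
    if (REACT_RSC_PACKAGES.has(name)) status = classifyReactRsc(entry.version);
    else if (name === 'next') status = classifyNext(entry.version);
    if (status && status !== 'ok') findings.push({ path, name, version: entry.version, status });
  }
  return findings;
}

// Constructed lockfile fragment for the demo (not from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/next': { version: '15.1.0' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/some-lib/node_modules/react-server-dom-turbopack': { version: '19.2.0-canary-constructed' },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};

console.log(JSON.stringify(scanLockfile(SAMPLE_LOCK), null, 2));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse` of the project's own `package-lock.json`. Note that `react` itself is not on the advisory's list of vulnerable packages, so the sample's `react@19.2.0` produces no finding, while the nested `react-server-dom-turbopack` prerelease is reported for review rather than silently cleared.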
Are You Affected?
You are affected if you use any of the following vulnerable packages: