On December 3, 2025, the React and Next.js ecosystems were alerted to a maximum-severity vulnerability enabling unauthenticated remote code execution (RCE) on servers. Dubbed “React2shell,” the flaw resides in the React Server Components (RSC) Flight protocol and affects a significant portion of modern web applications. Security researchers have characterized the vulnerability as a “master key exploit” with a near 100% success rate in testing, posing an immediate and widespread threat[6].
The core of the issue is an insecure deserialization step in the React Flight protocol, described in the advisories as a case of "logical deserialization." When a malformed payload is sent to a React Server Function endpoint, the server-side Flight decoder processes it unsafely, so attacker-controlled data can steer server-side execution[1]. The flaw is tracked as CVE-2025-55182 for React and CVE-2025-66478 for Next.js and carries a CVSS score of 10.0. An attacker needs only to send a crafted HTTP request to any exposed Server Function endpoint; no authentication or special configuration is required, so default deployments are vulnerable[2].
Technical Breakdown and Affected Scope
The vulnerability is not in the core `react` package but in the React Server Components packages that implement the server side of the Flight protocol, which serializes and deserializes data between server and client. Specifically, `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack` at versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 are vulnerable. Patches are available in versions 19.0.1, 19.1.2, and 19.2.1[1].
For Next.js, the App Router is affected in versions 14.3.0-canary.77 and later, 15.x, and 16.x. The patched versions are 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, and 15.0.5[3]. The impact extends beyond these two projects: any framework or bundler that implements RSC is likely affected, including React Router (RSC preview), Waku, the Vite RSC plugin, the Parcel RSC plugin, and RedwoodJS[5]. Applications that do not run a server (static React sites), Next.js applications that use only the Pages Router, and applications whose framework does not support React Server Components are not affected.
Discovery, Response, and Risk Assessment
Researcher Lachlan Davidson reported the vulnerability via the Meta Bug Bounty program on November 29, 2025. Meta security confirmed the report within a day, and coordinated patches were developed and released with major hosting providers and frameworks by December 3[1]. The public disclosure was made simultaneously by the React Team and Vercel security advisories.
The scale of the threat is substantial. Research from Wiz indicates that 39% of cloud environments contain vulnerable instances[4]. Palo Alto Networks Unit 42 identified over 968,000 servers running exposed React/Next.js frameworks[6]. The attack vector is purely network-based over HTTP, and security firms like Endor Labs, Miggo Security, and VulnCheck emphasize the flaw is weaponizable without requiring login credentials. Experts warn that exploitation is “imminent,” given the ease of attack and the vast attack surface[6].
Mitigation and Actionable Steps
The primary and most critical action is immediate patching: upgrade React and Next.js dependencies to the patched versions listed above. When verifying, check the packages that actually carry the vulnerable code. `npm ls react` reports the core `react` package, which is not where the flaw lives; `npm ls react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack` reports the affected RSC packages, and `npm ls next` reports the Next.js version, which is what matters for Next.js applications because Next.js bundles its own copy of the RSC packages rather than depending on them directly. Check the lockfile as well as `package.json`, since a caret range such as `^19.2.0` says nothing about what is actually installed, and configure dependency scanning tools to flag the vulnerable versions.
If immediate patching is not possible, temporary defensive measures should be deployed. Web Application Firewall (WAF) rules written to block exploitation attempts for this CVE are available; Cloudflare has already deployed such rules for its customers[7]. A WAF rule is a stopgap, not a fix: it does not remove the vulnerable code, and it only covers traffic that actually passes through the WAF. Network monitoring should be increased for anomalous HTTP traffic directed at Server Function endpoints, and consideration should be given to restricting network access to affected applications until they can be patched. System administrators and security teams should review logs for any signs of attempted exploitation, particularly malformed POST requests to RSC endpoints.
Conclusion
The React2shell vulnerability represents a critical threat to a large segment of the modern web application landscape. Its maximum severity score, ease of exploitation, and widespread prevalence demand urgent attention from development and security teams. The coordinated disclosure and rapid patch release provide a clear path to remediation. The incident highlights the security risks inherent in complex data serialization protocols and serves as a reminder that even foundational frameworks maintained by major organizations can contain severe flaws. Proactive patching and vigilant monitoring are the only effective responses to such a pervasive and easily weaponized vulnerability.
References
- The React Team. (2025, December 3). Critical Security Vulnerability in React Server Components. React Dev Blog. https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
- Lakshmanan, R. (2025, December 3). Critical RSC Bugs in React and Next.js Allow Unauthenticated Remote Code Execution. The Hacker News. https://thehackernews.com/2025/12/critical-rsc-bugs-in-react-and-nextjs.html
- Vercel Security Advisory. (2025, December 3). CVE-2025-66478. GitHub. https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp
- Wiz Research. (2025, December 3). Critical Vulnerability in React (CVE-2025-55182). Wiz.io Blog. https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
- StepSecurity. (2025, December 3). Critical Remote Code Execution Vulnerabilities Discovered in React Server Components and Next.js. https://www.stepsecurity.io/blog/critical-remote-code-execution-vulnerabilities-discovered-in-react-server-components-and-next-js
- Lyons, J. (2025, December 3). ‘Exploitation is imminent’ as 39 percent of cloud environs have max-severity React hole. The Register. https://www.theregister.com/2025/12/03/exploitation_is_imminent_react_vulnerability/
- CyberNews. (2025, December 4). “Worst case scenario” vulnerability found in React, Next.js. https://cybernews.com/security/massive-security-flaw-affects-react-nextjs/