React2Shell: The Critical RCE Threat Rocking Web Apps Worldwide

Listen to this Post

Featured Image
The security world woke up to a nightmare this week. A newly disclosed flaw named React2Shell — officially tracked as CVE-2025-55182 — has triggered alarm across developers and cloud operators. This is not just any bug: it’s a maximum‑severity remote code execution (RCE) vulnerability in React Server Components (RSC) that, when exploited, allows unauthenticated attackers to execute arbitrary code on affected servers. Immediately after disclosure, attackers began weaponizing it at scale, hitting a growing number of public‑facing web apps — including those built with the popular Next.js framework.

🚨 What Happened: the Original News

On December 3, 2025, the React team publicly disclosed CVE‑2025-55182, revealing that the default implementation of React Server Components suffers from a critical deserialization flaw in the “Flight” protocol. Any HTTP request carrying a crafted payload could trick the server into executing malicious code.

React

+2

wiz.io

+2

The issue is not limited to React itself: many downstream frameworks and bundlers—including Next.js, React Router (in RSC mode), Waku, Parcel RSC, Vite RSC, and others—are also vulnerable if they rely on the affected React RSC packages.

Sysdig

+2

Unit 42

+2

For React: versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of the packages react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack are affected. Fixed releases are already available: 19.0.1, 19.1.2, and 19.2.1.

React

+2

NVD

+2

For Next.js: vulnerable are versions 15.x, 16.x (App Router), and certain 14.x canaries. Patches have been released: e.g. Next.js 15.0.5, 15.1.9, … up to 16.0.7.

Next.js

+2

Vercel

+2

The severity rating is the maximum possible: CVSS 10.0.

React

+2

Datadog Security Labs

+2

Exploitation in the wild began almost immediately. Automated scanners started probing for the flaw; within hours and days, attackers shifted to hands‑on exploitation: cryptomining, credential theft, backdoors, and even advanced persistent threats (APT) tied to nation‑state actors.

SOC Prime

+3

Cyble

+3

BleepingComputer

+3

Over 77,000 internet‑exposed IP addresses are already confirmed vulnerable, and more than 30 organizations across sectors reported compromises.

BleepingComputer

+2

Cyble

+2

In response, major security agencies such as Cybersecurity and Infrastructure Security Agency (CISA) added React2Shell to their Known Exploited Vulnerabilities (KEV) list — a clear signal that patched versions should be deployed immediately.

Cyber Security News

+1

In short: a default‑configuration React app, or a Next.js app built with RSC, could be catastrophically compromised by a single malicious HTTP request. The risk is immediate, indiscriminate, and extremely widespread.

What Undercode Say:

The emergence of React2Shell is a deeply unsettling reminder of how fragile even modern, battle‑tested web ecosystems can be. React and Next.js — backbone technologies for innumerable websites and apps — are almost ubiquitous. By hitting the Flight protocol at its core, attackers have unlocked what security teams dread most: unauthenticated, pre‑auth remote code execution affecting default deployments.

React Server Components promised performance gains and server‑side rendering flexibility. But that very promise entailed shipping serialization/deserialization logic that now reveals itself as a dangerous attack surface. The fact that the vulnerability affects standard installs — no special config, no exotic plugins — makes mitigation significantly harder. Many organizations may have deployed React or Next.js without fully appreciating their backend attack surface; today, they’re learning the hard way.

What makes React2Shell even more dangerous: the speed and volume of exploitation. Public proof‑of-concept (PoC) code appeared within days. Attackers leveraged automated tools first, scanning tens of thousands of IPs, then manually pivoting to more destructive payloads: cryptominers, cloud backdoor implants, credential stealers, even APT‑style footholds tied to China‑nexus groups.

Dark Reading

+3

Cyble

+3

BleepingComputer

+3

This wave of attacks underscores a pattern that’s been creeping across the software supply chain: as frameworks become more abstract and repositories more automated, a single failure deep in a core library or protocol can cascade uncontrollably. With React used by a huge portion of modern web infrastructure, the blast radius of React2Shell may reach millions of applications, including critical enterprise and cloud workloads.

OX Security

+2

Dynatrace

+2

We’re witnessing a paradigm shift: no longer are only complex, multi‑stage attacks the concern — now, a one‑line HTTP request from an unauthenticated attacker can compromise servers. For many organizations, this vulnerability will force a hard reckoning: audit dependencies, revisit deployment assumptions, and bake security into every layer, not just at the perimeter.

On a strategic level, React2Shell should push tech companies to reckon with the hidden risks of convenience features like server‑side components and built‑in serialization protocols. The balance between developer productivity and security must be re‑evaluated — and much closer scrutiny placed on dependencies that seem trivial or “default.”

For defenders, the path forward is clear: upgrade immediately, rotate secrets if systems were exposed, monitor for unusual activity (especially access patterns around HTTP payloads), and consider additional runtime protections or behavior‑monitoring solutions.

React2Shell may be the spark, but without swift, widespread action, the resulting wildfire could consume large swathes of web infrastructure.

Fact Checker Results

✅ CVE‑2025-55182 indeed allows unauthenticated remote code execution via unsafe deserialization in React Server Components.

React

+2

NVD

+2

✅ The flaw impacts React 19.x packages (react-server-dom-webpack, -parcel, -turbopack) and downstream frameworks like Next.js when using RSC/App Router.

Sysdig

+2

Unit 42

+2

✅ Public and in‑the‑wild exploitation has been confirmed: attackers have already compromised dozens of organizations and tens of thousands of IPs.

Dark Reading

+3

BleepingComputer

+3

Cyble

+3

Prediction

Expect the fallout from React2Shell to reverberate throughout 2026. Many smaller websites — especially those using default Next.js templates — are likely to remain unpatched, becoming fodder for automated exploit scanners, cryptomining farms, and backdoor installations. As defenders scramble to patch, attackers will shift tactics: we may soon see larger-scale intrusions, cloud‑native attacks targeting container infrastructure, and more aggressive campaigns aimed at persistence and ransomware deployment. Without rapid, universal patch adoption, the vulnerability could reshape threat landscapes for cloud workloads worldwide. 🔥

More about React2Shell and its impact

wiz.io

React2Shell: Technical Deep-Dive & In-the-Wild Exploitation of CVE-2025-55182

Today

BleepingComputer

React2Shell flaw exploited to breach 30 orgs, 77k IP addresses vulnerable

Yesterday

Cyble

React2Shell: Rapid CVE-2025-55182 Exploitation Exposed

Today

Dark Reading

Exploitation Activity Ramps Up Against React2Shell

Today

Cyber Security News

CISA Adds Critical React2Shell Flaw to KEV Catalog After Active Exploitation

Today

SOC Prime

React2Shell Vulnerability: Maximum-Severity Flaw in React Server Components Actively Exploited by China-Backed Groups

2 days ago

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: x.com
Extra Source Hub (Possible Sources for article):
https://www.digitaltrends.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon