CVE-2025-55182: Critical React RCE Vulnerability — Is Your Next.js App Already Hacked?

A critical remote code execution vulnerability in React Server Components is being actively exploited in the wild. Here's everything you need to know.

  • CVSS Score: 9.8 (Critical severity)
  • Attack Vector: Network
  • Exploit Maturity: Weaponized
  • Patch Available: Yes
  • Active Exploitation: Confirmed

TL;DR — Patch Now!

  • CVE-2025-55182 is a critical RCE vulnerability in React Server Components
  • Attackers can execute arbitrary code on your server with a single HTTP request
  • Active exploitation observed since December 5, 2025
  • Affected: React 19.x, Next.js 14.3+, 15.x, 16.x with App Router
  • Solution: Upgrade to React 19.0.1/19.1.2/19.2.1 and Next.js 15.0.5+/16.0.8+

What is CVE-2025-55182?

CVE-2025-55182, nicknamed "React2Shell" by security researchers, is a critical remote code execution (RCE) vulnerability discovered in React Server Components' "Flight" protocol. The vulnerability stems from insecure deserialization in how RSC payloads are processed on servers. This flaw allows an unauthenticated attacker to execute arbitrary JavaScript code on your server by simply sending a specially crafted HTTP request. No authentication required. No user interaction needed. Just one malicious request, and your server is compromised.

Attack Flow Visualization

  1. Attacker crafts malicious RSC payload
  2. Payload sent via HTTP POST to vulnerable endpoint
  3. Server deserializes payload without validation
  4. Malicious code executes with server privileges
  5. Full server compromise achieved

How Does It Work?

The vulnerability exploits unsafe handling of specially crafted, malformed RSC payloads. When a server receives such a payload, it fails to validate the structure correctly, allowing attacker-controlled data to influence server-side execution logic. The attack flow is straightforward:
  1. Attacker sends a malformed RSC payload via HTTP POST request
  2. Server deserializes the payload without proper validation
  3. Attacker-controlled code executes with server privileges
  4. Full server compromise achieved

What makes this particularly dangerous is that default configurations of create-next-app are vulnerable. If you deployed a Next.js app with App Router in the last year, you're likely at risk.

Example Malicious Payload Structure

POST /_rsc HTTP/1.1
Host: vulnerable-app.com
Content-Type: text/x-component

0:["$","$L1",null,{"__rsc_payload__":
  {"$$typeof":"__MALICIOUS_MARKER__",
   "type":{"$$typeof":"EXPLOIT_FUNC",
   "render":"__ARBITRARY_CODE__"}}
}]

This is a simplified representation of the attack vector. The actual exploit involves specially crafted Flight protocol data.

How to Detect Exploitation Attempts
  • Unusual POST requests to /_rsc or Server Component endpoints
  • Malformed Content-Type headers with RSC payloads
  • Unexpected process spawning on web servers
  • Outbound connections from server to unknown IPs
  • Environment variable access in server logs

Impact & Severity

CVSS Score: 9.8 (Critical)

The impact of this vulnerability cannot be overstated:
  • Unauthenticated RCE: Attackers need only send a crafted HTTP request
  • Default configurations vulnerable: Standard create-next-app deployments are at risk
  • Near 100% reliability: Testing showed highly consistent exploitation success
  • Active exploitation: Real-world attacks began December 5, 2025

Security researchers at Wiz observed active exploitation campaigns including:
  • Credential harvesting from environment variables
  • Cryptomining payloads being deployed
  • Reverse shell installations for persistent access
  • Data exfiltration attempts

Version Comparison

  Package        Vulnerable                Patched
  React          19.0.0, 19.1.x, 19.2.0    19.0.1, 19.1.2, 19.2.1
  Next.js 15.0   15.0.0 - 15.0.4           15.0.5
  Next.js 15.1   15.1.0 - 15.1.8           15.1.9
  Next.js 15.2   15.2.0 - 15.2.5           15.2.6
  Next.js 16.0   16.0.0 - 16.0.6           16.0.8

Affected Versions

React packages (react-server-dom-webpack, react-server-dom-parcel, etc.):
  • 19.0.0 (all builds)
  • 19.1.0, 19.1.1
  • 19.2.0

Next.js (with App Router enabled):
  • 14.3.0-canary.77 and later canary releases
  • 15.0.0 through 15.0.4
  • 15.1.0 through 15.1.8
  • 15.2.0 through 15.2.5
  • 15.3.0 through 15.3.5
  • 15.4.0 through 15.4.7
  • 15.5.0 through 15.5.6
  • 16.0.0 through 16.0.6

Other affected frameworks:
  • Vite RSC plugin
  • Parcel RSC
  • React Router (with RSC)
  • RedwoodSDK
  • Waku

How to Fix It

Immediate patching is the only definitive mitigation. Upgrade to these patched versions:

React:
  • 19.0.1
  • 19.1.2
  • 19.2.1

Next.js:
  • 14.x stable (not affected)
  • 15.0.5
  • 15.1.9
  • 15.2.6
  • 15.3.6
  • 15.4.8
  • 15.5.7
  • 16.0.8

To update, run:

# For npm
npm update react react-dom next

# For yarn
yarn upgrade react react-dom next

# For pnpm
pnpm update react react-dom next

# Verify your versions
npm list react next

How to Check If You're Vulnerable

Run these commands to check your current versions:
# Check React version
npm list react

# Check Next.js version
npm list next

# Check if you're using App Router
# Look for 'app' directory in your project root

If you're running any of the affected versions listed above and using App Router (the 'app' directory), you are vulnerable and should patch immediately.

TEPTEZ can automatically scan your applications for this and other CVE vulnerabilities. Our platform detects vulnerable dependencies and provides actionable remediation guidance.
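As an added example (not code from the article, React or Next.js), this Node script applies the fixed-version list above to an object shaped like the output of `npm ls --json --depth=0` and reports each package as vulnerable, patched or not listed. The fixed versions come from the article; the treatment of Next.js 14.3 canary builds and of gaps such as 16.0.7 is a labelled assumption, and the sample input is constructed.

```javascript
// Added example, not part of the article: flag installed react/next versions that are
// below the first fixed release the article lists for their minor line.
const FIXED = {
  react: { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" },
  next: {
    "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
    "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.8",
  },
};

// Parse "major.minor.patch[-prerelease]" (a leading "v" is tolerated).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}
// Numeric comparison of the release triple; prerelease tags are handled by the caller.
function cmp(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Returns "vulnerable", "patched" or "not-listed" for one package/version pair.
function status(pkg, version) {
  const v = parseVersion(version);
  if (pkg === "next" && v.major === 14) {
    // Article: 14.3.0-canary.77 and later canaries are affected, 14.x stable is not.
    // Treating every later canary (including later minors) as affected is an assumption.
    const n = /^canary\.(\d+)$/.exec(v.pre || "");
    const hit = n && (v.minor > 3 || (v.minor === 3 && +n[1] >= 77));
    return hit ? "vulnerable" : "not-listed";
  }
  const fixed = (FIXED[pkg] || {})[`${v.major}.${v.minor}`];
  if (!fixed) return "not-listed"; // minor line not covered by the article
  const f = parseVersion(fixed);
  // Anything below the fix, including a prerelease of the fix itself, is treated as
  // vulnerable (conservative assumption for gaps such as Next.js 16.0.7).
  if (cmp(v, f) < 0 || (cmp(v, f) === 0 && v.pre)) return "vulnerable";
  return "patched";
}

// Audit an object shaped like `npm ls --json --depth=0` output.
function audit(npmLs) {
  const deps = (npmLs && npmLs.dependencies) || {};
  return ["react", "next"].filter((p) => deps[p]).map((p) => ({
    pkg: p, version: deps[p].version, status: status(p, deps[p].version),
  }));
}
// Constructed sample input (not real command output): Next.js 15.1.8 on React 19.1.1.
const SAMPLE = { dependencies: { react: { version: "19.1.1" }, next: { version: "15.1.8" } } };
console.log(audit(SAMPLE));
```

Run it against real output with `npm ls --json --depth=0 > deps.json` and pass the parsed file to `audit()`. Bear in mind that `npm update` only moves within the semver range in package.json, so re-run the check after updating.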

Timeline

  • November 2025: Vulnerability discovered by security researchers
  • December 2, 2025: React team notified
  • December 3, 2025: Official advisory published by React team
  • December 4, 2025: Patches released for all affected versions
  • December 5, 2025: Active exploitation detected in the wild
  • December 6, 2025: Wiz publishes detailed technical analysis

Protect Your Applications with TEPTEZ

Don't wait for the next zero-day. TEPTEZ continuously monitors your applications for CVE vulnerabilities, misconfigurations, and security threats.
