
React2Shell (CVE-2025-55182): Critical RCE Vulnerability Exposes Over 77,000 Servers Worldwide

A critical React2Shell vulnerability (CVE-2025-55182) affects React Server Components and Next.js, allowing unauthenticated remote code execution across more than 77,000 exposed servers worldwide.

Evan Mael
Dec 07, 2025
3 min read

Introduction

A major vulnerability known as React2Shell (CVE-2025-55182) is shaking the web development world in December 2025. The flaw affects React Server Components (RSC) and frameworks such as Next.js, allowing unauthenticated remote code execution through a single crafted HTTP request.

According to security researchers, more than 77,000 internet-exposed servers are vulnerable, including over 4,700 in France alone. This makes React2Shell one of the most severe web application vulnerabilities since Log4Shell.

What Is React2Shell?

The issue, officially tracked as CVE-2025-55182, was disclosed on December 3, 2025, by React’s maintainers. It originates in the “Flight” protocol used by React Server Components to communicate between the client and the backend. A malicious payload can exploit this mechanism to execute arbitrary commands on the server without authentication.

What makes the issue worse is that the vulnerability is present in default configurations of React and Next.js, not only in unusual setups. Many developers running recent boilerplates or production builds are likely exposed without realizing it.

Affected Versions and Global Impact

React versions 19.0 to 19.2.0 and Next.js 15.x–16.x using the App Router are confirmed vulnerable. Other frameworks built upon RSC, such as RedwoodJS, Expo, or Waku, may also be affected.

In France, the cybersecurity agency CERT-FR has issued an alert noting thousands of exposed systems, while cloud security firm Wiz Research reports that nearly 40% of cloud environments may contain unpatched instances.

Globally, researchers have identified over 77,000 IP addresses running unpatched React or Next.js servers — many belonging to major cloud providers, SaaS platforms, and enterprise infrastructures.

What Attackers Can Do

Once exploited, React2Shell gives attackers complete remote control over the targeted server. Possible outcomes include:

  • Executing arbitrary commands or installing backdoors
  • Accessing environment variables and sensitive data
  • Injecting malicious payloads into backend services
  • Using compromised servers to pivot further inside corporate networks

Proof-of-concept (PoC) exploits have already been published online, and scanning activity has been observed globally within 48 hours of disclosure. Security experts expect rapid, automated exploitation targeting unpatched instances.

How to Patch and Mitigate

The React and Next.js teams have released emergency patches addressing this flaw.

  • React: update immediately to 19.0.1, 19.1.2, or 19.2.1
  • Next.js: update to 15.0.5, 15.4.8, or 16.0.7

After updating dependencies, rebuild and redeploy all affected applications to ensure no vulnerable versions remain cached or bundled in your CI/CD pipelines.

Security experts also recommend:

  • Auditing server-side routes and custom API endpoints to verify proper input validation.
  • Implementing Web Application Firewall (WAF) rules as a temporary layer of protection.
  • Monitoring server logs for unusual RSC request patterns or unexpected serialization payloads.
  • Scanning deployed infrastructure for residual vulnerable instances, especially in public-facing environments.

Why React2Shell Is So Dangerous

React2Shell combines four high-risk factors:

  1. Default exposure — affects standard app configurations.
  2. Ease of exploitation — no authentication required.
  3. Massive attack surface — hundreds of thousands of live targets.
  4. Widespread framework adoption — React and Next.js power a large portion of the modern web.

This combination makes React2Shell comparable in scale and severity to previous internet-wide vulnerabilities like Log4Shell or Spring4Shell.

What Organizations Should Do Now

Teams managing web infrastructure or SaaS platforms should prioritize React2Shell remediation as a critical emergency. If patching isn’t immediately possible, isolate affected servers from the public internet, implement WAF rules, and closely monitor all traffic.

For enterprises using CI/CD pipelines, confirm that build dependencies have been updated to patched versions and that no vulnerable components remain in production images.

Conclusion

React2Shell (CVE-2025-55182) exposes thousands of organizations to remote code execution risks through a flaw in one of the most popular web frameworks. Immediate updates to React and Next.js are essential, along with a full rebuild and redeployment of affected projects.

As proof-of-concept exploits continue to spread, delaying mitigation could result in large-scale compromise. Developers and system administrators must act quickly to patch and secure all production systems before attackers fully weaponize this vulnerability.

About the Author
Evan Mael

IT consultant specializing in cloud infrastructure and Microsoft 365 modernization, focusing on Zero Trust architecture, intelligent automation, and enterprise resilience across AI, cybersecurity, and digital transformation.