Share
## https://sploitus.com/exploit?id=BFD148A7-EAB3-5517-A626-DB4644E79C56
# React2Shell – Critical Remote Code Execution in React Server Components  
**CVE-2025-55182 (React) & CVE-2025-66478 (Next.js)**  
**Research & Defence Reference – December 2025**  
**CVSS 10.0 – Unauthenticated RCE – Zero-Click – Mass Exploitation Ongoing**

This document is a comprehensive, research-oriented markdown article intended for security researchers, defenders, incident responders, and developers. It contains no weaponized exploit code β€” only technical analysis, detection signatures, timelines, and official references.

---

## Executive Summary

Between December 4–5, 2025, a critical deserialization vulnerability chain in **React Server Components (RSC)** and **Next.js App Router** was publicly disclosed under the nickname **React2Shell**.

The vulnerability allows an unauthenticated attacker to achieve **full remote code execution** on the server with a single crafted HTTP POST request using the RSC β€œFlight” protocol. No user interaction, authentication, or CSRF tokens are required.

Within hours of disclosure, mass scanning and active exploitation were observed by multiple security vendors (Wiz, Datadog, Cloudflare, Amazon, Akamai).

---

## Affected Software & Exact Version Ranges

| Package                          | Vulnerable Versions         | First Fixed Version                          | Fixed Release Date |
|----------------------------------|-----------------------------|----------------------------------------------|--------------------|
| **Next.js (App Router only)**    | 15.0.0 – 16.0.6             | 15.0.5 / 15.1.9 / 16.0.7                      | Dec 4, 2025       |
| **react-server-dom-webpack**     | 19.0.0 – 19.2.0             | 19.0.1 / 19.1.2 / 19.2.1                     | Dec 4, 2025       |
| **react-server-dom-webpack (npm)** | All published 19.x before the above | Same as above                                | Dec 4, 2025       |

**Not vulnerable by default:**
- Next.js Pages Router
- Next.js ≀14.x
- Next.js running on Edge Runtime (when Server Actions are disabled)
- Pure client-side React applications

---

## Technical Root Cause (Simplified)

The RSC streaming protocol accepts multipart/form-data payloads that are deserialized with `JSON.parse` + custom reviver logic. The reviver incorrectly trusts user-controlled keys, leading to:

1. **Prototype pollution** via `$:__proto__:then`
2. Forced resolution of a malicious model chunk as a Promise
3. Hijacking of internal `_formData.get` β†’ `Function.constructor`
4. Injection of arbitrary JavaScript into `_prefix` field
5. Final execution via `process.mainModule.require('child_process').execSync(...)`

The entire chain fits into a single HTTP request under 1 KB.

---

## High-Fidelity Detection Signature (Safe – No Code Execution)

The following request triggers a deterministic deserialization crash **without executing any attacker code**:

```http
POST / HTTP/1.1
Host: vulnerable-app.com
User-Agent: React2Shell-Research/1.0
Next-Action: x
Next-Router-State-Tree: %5B%22%22%2C%7B%22children%22%3A%5B%22__PAGE__%22%2C%7B%7D%2Cnull%2Cnull%5D%7D%2Cnull%2Cnull%2Ctrue%5D
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryResearch

------WebKitFormBoundaryResearch
Content-Disposition: form-data; name="1"

{}
------WebKitFormBoundaryResearch
Content-Disposition: form-data; name="0"

["$1:a:a"]
------WebKitFormBoundaryResearch--
```

**Vulnerable response:**
- Status: `500 Internal Server Error`
- Body contains: `E{"digest":"2971658870"}`

This signature is used by Datadog, Wiz, Cloudflare, and Searchlight Cyber for high-confidence detection.

---

### Immediate Remediation Steps


### Recommended – upgrade to latest
```bash
npm install next@latest react@latest react-dom@latest
```
### Minimum safe versions
```
npm install next@16.0.7 react@19.2.1 react-dom@19.2.1
```

### Verify fix:
```bash
npm ls react-server-dom-webpack
```
# Must show β‰₯19.2.1


Temporary mitigations (if upgrade delayed):
- Block or rate-limit requests containing header `Next-Action:`
- Disable Server Actions globally (`next.config.js` β†’ `experimental: { serverActions: false }`)
- Deploy WAF rules blocking multipart payloads with `$` in form field names

---

## Disclosure Timeline

| Date              | Event                                                                 |
|-------------------|-----------------------------------------------------------------------|
| Nov 29, 2025      | Lachlan Davidson privately reports to Meta/React team                 |
| Dec 1–3, 2025     | Coordinated disclosure with Vercel, Meta, and select vendors          |
| Dec 4, 2025 (PM)  | Patches released, CVEs assigned, embargo lifted                      |
| Dec 4, 2025 (evening) | First public PoC gists published (maple3142, SwitHak)                |
| Dec 5, 2025       | Mass internet-wide scanning begins; in-the-wild exploitation confirmed |

---

## Official & Research References (Chronological & Complete)
| #  | Article / Source Title                                                                                                      | Link (Click to View)                                                                                                      | Date          |
|----|-----------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|---------------|
| 1  | Official React Blog – Critical Security Vulnerability in React Server Components                                            | [View β†’](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)                     | Dec 3, 2025  |
| 2  | Next.js Official Security Bulletin – CVE-2025-66478                                                                         | [View β†’](https://nextjs.org/blog/CVE-2025-66478)                                                                          | Dec 4, 2025  |
| 3  | React GitHub Security Advisory – GHSA-fv66-9v8q-g76r                                                                         | [View β†’](https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r)                                        | Dec 4, 2025  |
| 4  | NIST CVE-2025-55182 (React)                                                                                                 | [View β†’](https://vulners.com/cve/CVE-2025-55182)                                                                 | Dec 4, 2025  |
| 5  | NIST CVE-2025-66478 (Next.js)                                                                                               | [View β†’](https://vulners.com/cve/CVE-2025-66478)                                                                 | Dec  4, 2025  |
| 6  | React Official X Announcement                                                                                              | [View β†’](https://x.com/reactjs/status/1996244264192274535)                                                                | Dec 3, 2025  |
| 7  | SwitHak – Initial Public Disclosure                                                                                         | [View β†’](https://x.com/swithak/status/1996584166964478162)                                                                | Dec 4, 2025  |
| 8  | Rapid7 – Initial Analysis                                                                                                   | [View β†’](https://x.com/rapid7/status/1996615293041582187)                                                                 | Dec 4, 2025  |
| 9  | The Hacker News – React2Shell Naming & Coverage                                                                             | [View β†’](https://x.com/TheHackersNews/status/1996438456747307153)                                                         | Dec 4, 2025  |
| 10 | maple3142 – Disclosure Thread & First PoC                                                                                   | [View β†’](https://x.com/maple3142/status/1996687157789155647)                                                              | Dec 4, 2025  |
| 11 | stdoutput – In-Depth Technical Breakdown                                                                                    | [View β†’](https://x.com/stdoutput/status/1996691357709246774)                                                              | Dec 4, 2025  |
| 12 | Stephen Fewer – Unauthenticated RCE PoC Announcement                                                                       | [View β†’](https://x.com/stephenfewer/status/1996697494525264219)                                                           | Dec 4, 2025  |
| 13 | Palo Alto Unit 42 – Review of Both CVEs                                                                                     | [View β†’](https://x.com/Unit42_Intel/status/1996679931179254016)                                                           | Dec 4, 2025  |
| 14 | maple3142 – First Functional PoC Gist                                                                                       | [View β†’](https://gist.github.com/maple3142/48bc9393f45e068cf8c90ab865c0f5f3)                                              | Dec 4, 2025  |
| 15 | SwitHak – Weaponized Reverse-Shell PoC                                                                                      | [View β†’](https://gist.github.com/SwitHak/53766595ff3f2aaba237b1f3d92c4146)                                                | Dec 4, 2025  |
| 16 | Wiz Research – Critical Vulnerability Deep Dive (CVE-2025-55182)                                                            | [View β†’](https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182)                                         | Dec 4, 2025  |
| 17 | Searchlight Cyber – High-Fidelity Detection Mechanism (Safe Crash PoC)                                                      | [View β†’](https://slcyber.io/research-center/high-fidelity-detection-mechanism-for-rsc-next-js-rce-cve-2025-55182-cve-2025-66478/) | Dec 4, 2025  |
| 18 | Assetnote – Open-Source React2Shell Scanner                                                                                 | [View β†’](https://github.com/assetnote/react2shell-scanner)                                                                | Dec 4, 2025  |
| 19 | Joe DeSimone – Python Reference Implementation                                                                             | [View β†’](https://gist.github.com/joe-desimone/ff0cae0aa0d20965d502e7a97cbde3e3)                                          | Dec 4, 2025  |
| 20 | msanft – Curated Collection of PoCs & Write-ups                                                                            | [View β†’](https://github.com/msanft/CVE-2025-55182)                                                                        | Dec 4, 2025  |
| 21 | Guillermo Rauch (Vercel CEO) – Official Statement                                                                           | [View β†’](https://x.com/rauchg/status/1996701434029789366)                                                                 | Dec 4, 2025  |
| 22 | React2Shell.com – Community Landing Page & Timeline                                                                         | [View β†’](https://react2shell.com/)                                                                                        | Dec 4, 2025  |
| 23 | Flashpoint – Supply-Chain Risk Analysis                                                                                     | [View β†’](https://itnerd.blog/2025/12/04/flashpoint-analysis-critical-react-rce-vulnerability-puts-digital-supply-chains-at-risk/) | Dec 4, 2025  |
| 24 | CyberHub – Detailed CVE Entry & MITRE References                                                                            | [View β†’](https://www.cyberhub.blog/cves/CVE-2025-55182)                                                                   | Dec 4, 2025  |
| 25 | Cloudflare – Automatic WAF Protection for React2Shell                                                                       | [View β†’](https://cloudflare.blog/2025/12/04/protecting-against-react2shell-cve-2025-55182/)                              | Dec 4, 2025  |
| 26 | AWS Security Blog – China-Nexus Groups Rapidly Exploiting React2Shell                                                       | [View β†’](https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/) | Dec 5, 2025  |
| 27 | Radware – Threat Advisory & Mitigation Guidance                                                                             | [View β†’](https://www.radware.com/security/threat-advisories-and-attack-reports/react2shell-a-cvss-10-0-rce-vulnerability-in-react-server-components-cve-2025-55182/) | Dec 5, 2025  |
| 28 | SOCRadar – React2Shell RCE Explanation                                                                                      | [View β†’](https://socradar.io/blog/react2shell-rce-flaw-react-nextjs/)                                                     | Dec 5, 2025  |
| 29 | SecurityOnline – China-Nexus Weaponization Within Hours                                                                     | [View β†’](https://securityonline.info/react2shell-storm-china-nexus-groups-weaponize-critical-react-flaw-hours-after-disclosure/) | Dec 5, 2025  |
| 30 | BleepingComputer – Active Exploitation by China-Linked Actors                                                              | [View β†’](https://www.bleepingcomputer.com/news/security/react2shell-critical-flaw-actively-exploited-in-china-linked-attacks/) | Dec 5, 2025  |
| 31 | SecurityWeek – Chinese Hackers Exploiting React2Shell                                                                       | [View β†’](https://www.securityweek.com/chinese-hackers-exploiting-react2shell-vulnerability/)                             | Dec 5, 2025  |
| 32 | 12joan – Detailed Write-up & Additional PoC                                                                                 | [View β†’](https://gist.github.com/12joan/eb606fb5e5e1c44b0d9d2aacb04112f7)                                                  | Dec 5, 2025  |
| 33 | Japanese Research Team – Live CVE Investigation Stream                                                                     | [View β†’](https://www.youtube.com/live/ewJh_LFU94g)                                                                        | Dec 5, 2025  |
| 34 | Lachlan Davidson (Original Discoverer) – GitHub Profile                                                                     | [View β†’](https://github.com/lachlan2k)                                                                                    | Ongoing       |
| 35 | Tencent AI-Infra-Guard – Dependency Detection Tool for React2Shell                                                          | [View β†’](https://github.com/Tencent/AI-Infra-Guard/)                                                                      | Dec 5, 2025  |


---

**This document is for authorized security research, defensive monitoring, and educational purposes only.**  
Unauthorized exploitation of this vulnerability constitutes a serious computer crime in most jurisdictions.

**December 2025 – One of the fastest zero-day weaponization events in recent history.**  
Patch immediately. Stay vigilant.