Share
## https://sploitus.com/exploit?id=BFD148A7-EAB3-5517-A626-DB4644E79C56
# React2Shell β Critical Remote Code Execution in React Server Components
**CVE-2025-55182 (React) & CVE-2025-66478 (Next.js)**
**Research & Defence Reference β December 2025**
**CVSS 10.0 β Unauthenticated RCE β Zero-Click β Mass Exploitation Ongoing**
This document is a comprehensive, research-oriented markdown article intended for security researchers, defenders, incident responders, and developers. It contains no weaponized exploit code β only technical analysis, detection signatures, timelines, and official references.
---
## Executive Summary
Between December 4β5, 2025, a critical deserialization vulnerability chain in **React Server Components (RSC)** and **Next.js App Router** was publicly disclosed under the nickname **React2Shell**.
The vulnerability allows an unauthenticated attacker to achieve **full remote code execution** on the server with a single crafted HTTP POST request using the RSC βFlightβ protocol. No user interaction, authentication, or CSRF tokens are required.
Within hours of disclosure, mass scanning and active exploitation were observed by multiple security vendors (Wiz, Datadog, Cloudflare, Amazon, Akamai).
---
## Affected Software & Exact Version Ranges
| Package | Vulnerable Versions | First Fixed Version | Fixed Release Date |
|----------------------------------|-----------------------------|----------------------------------------------|--------------------|
| **Next.js (App Router only)** | 15.0.0 β 16.0.6 | 15.0.5 / 15.1.9 / 16.0.7 | Dec 4, 2025 |
| **react-server-dom-webpack** | 19.0.0 β 19.2.0 | 19.0.1 / 19.1.2 / 19.2.1 | Dec 4, 2025 |
| **react-server-dom-webpack (npm)** | All published 19.x before the above | Same as above | Dec 4, 2025 |
**Not vulnerable by default:**
- Next.js Pages Router
- Next.js β€14.x
- Next.js running on Edge Runtime (when Server Actions are disabled)
- Pure client-side React applications
---
## Technical Root Cause (Simplified)
The RSC streaming protocol accepts multipart/form-data payloads that are deserialized with `JSON.parse` + custom reviver logic. The reviver incorrectly trusts user-controlled keys, leading to:
1. **Prototype pollution** via `$:__proto__:then`
2. Forced resolution of a malicious model chunk as a Promise
3. Hijacking of internal `_formData.get` β `Function.constructor`
4. Injection of arbitrary JavaScript into `_prefix` field
5. Final execution via `process.mainModule.require('child_process').execSync(...)`
The entire chain fits into a single HTTP request under 1 KB.
---
## High-Fidelity Detection Signature (Safe β No Code Execution)
The following request triggers a deterministic deserialization crash **without executing any attacker code**:
```http
POST / HTTP/1.1
Host: vulnerable-app.com
User-Agent: React2Shell-Research/1.0
Next-Action: x
Next-Router-State-Tree: %5B%22%22%2C%7B%22children%22%3A%5B%22__PAGE__%22%2C%7B%7D%2Cnull%2Cnull%5D%7D%2Cnull%2Cnull%2Ctrue%5D
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryResearch
------WebKitFormBoundaryResearch
Content-Disposition: form-data; name="1"
{}
------WebKitFormBoundaryResearch
Content-Disposition: form-data; name="0"
["$1:a:a"]
------WebKitFormBoundaryResearch--
```
**Vulnerable response:**
- Status: `500 Internal Server Error`
- Body contains: `E{"digest":"2971658870"}`
This signature is used by Datadog, Wiz, Cloudflare, and Searchlight Cyber for high-confidence detection.
---
### Immediate Remediation Steps
### Recommended β upgrade to latest
```bash
npm install next@latest react@latest react-dom@latest
```
### Minimum safe versions
```
npm install next@16.0.7 react@19.2.1 react-dom@19.2.1
```
### Verify fix:
```bash
npm ls react-server-dom-webpack
```
# Must show β₯19.2.1
Temporary mitigations (if upgrade delayed):
- Block or rate-limit requests containing header `Next-Action:`
- Disable Server Actions globally (`next.config.js` β `experimental: { serverActions: false }`)
- Deploy WAF rules blocking multipart payloads with `$` in form field names
---
## Disclosure Timeline
| Date | Event |
|-------------------|-----------------------------------------------------------------------|
| Nov 29, 2025 | Lachlan Davidson privately reports to Meta/React team |
| Dec 1β3, 2025 | Coordinated disclosure with Vercel, Meta, and select vendors |
| Dec 4, 2025 (PM) | Patches released, CVEs assigned, embargo lifted |
| Dec 4, 2025 (evening) | First public PoC gists published (maple3142, SwitHak) |
| Dec 5, 2025 | Mass internet-wide scanning begins; in-the-wild exploitation confirmed |
---
## Official & Research References (Chronological & Complete)
| # | Article / Source Title | Link (Click to View) | Date |
|----|-----------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|---------------|
| 1 | Official React Blog β Critical Security Vulnerability in React Server Components | [View β](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components) | Dec 3, 2025 |
| 2 | Next.js Official Security Bulletin β CVE-2025-66478 | [View β](https://nextjs.org/blog/CVE-2025-66478) | Dec 4, 2025 |
| 3 | React GitHub Security Advisory β GHSA-fv66-9v8q-g76r | [View β](https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r) | Dec 4, 2025 |
| 4 | NIST CVE-2025-55182 (React) | [View β](https://vulners.com/cve/CVE-2025-55182) | Dec 4, 2025 |
| 5 | NIST CVE-2025-66478 (Next.js) | [View β](https://vulners.com/cve/CVE-2025-66478) | Dec 4, 2025 |
| 6 | React Official X Announcement | [View β](https://x.com/reactjs/status/1996244264192274535) | Dec 3, 2025 |
| 7 | SwitHak β Initial Public Disclosure | [View β](https://x.com/swithak/status/1996584166964478162) | Dec 4, 2025 |
| 8 | Rapid7 β Initial Analysis | [View β](https://x.com/rapid7/status/1996615293041582187) | Dec 4, 2025 |
| 9 | The Hacker News β React2Shell Naming & Coverage | [View β](https://x.com/TheHackersNews/status/1996438456747307153) | Dec 4, 2025 |
| 10 | maple3142 β Disclosure Thread & First PoC | [View β](https://x.com/maple3142/status/1996687157789155647) | Dec 4, 2025 |
| 11 | stdoutput β In-Depth Technical Breakdown | [View β](https://x.com/stdoutput/status/1996691357709246774) | Dec 4, 2025 |
| 12 | Stephen Fewer β Unauthenticated RCE PoC Announcement | [View β](https://x.com/stephenfewer/status/1996697494525264219) | Dec 4, 2025 |
| 13 | Palo Alto Unit 42 β Review of Both CVEs | [View β](https://x.com/Unit42_Intel/status/1996679931179254016) | Dec 4, 2025 |
| 14 | maple3142 β First Functional PoC Gist | [View β](https://gist.github.com/maple3142/48bc9393f45e068cf8c90ab865c0f5f3) | Dec 4, 2025 |
| 15 | SwitHak β Weaponized Reverse-Shell PoC | [View β](https://gist.github.com/SwitHak/53766595ff3f2aaba237b1f3d92c4146) | Dec 4, 2025 |
| 16 | Wiz Research β Critical Vulnerability Deep Dive (CVE-2025-55182) | [View β](https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182) | Dec 4, 2025 |
| 17 | Searchlight Cyber β High-Fidelity Detection Mechanism (Safe Crash PoC) | [View β](https://slcyber.io/research-center/high-fidelity-detection-mechanism-for-rsc-next-js-rce-cve-2025-55182-cve-2025-66478/) | Dec 4, 2025 |
| 18 | Assetnote β Open-Source React2Shell Scanner | [View β](https://github.com/assetnote/react2shell-scanner) | Dec 4, 2025 |
| 19 | Joe DeSimone β Python Reference Implementation | [View β](https://gist.github.com/joe-desimone/ff0cae0aa0d20965d502e7a97cbde3e3) | Dec 4, 2025 |
| 20 | msanft β Curated Collection of PoCs & Write-ups | [View β](https://github.com/msanft/CVE-2025-55182) | Dec 4, 2025 |
| 21 | Guillermo Rauch (Vercel CEO) β Official Statement | [View β](https://x.com/rauchg/status/1996701434029789366) | Dec 4, 2025 |
| 22 | React2Shell.com β Community Landing Page & Timeline | [View β](https://react2shell.com/) | Dec 4, 2025 |
| 23 | Flashpoint β Supply-Chain Risk Analysis | [View β](https://itnerd.blog/2025/12/04/flashpoint-analysis-critical-react-rce-vulnerability-puts-digital-supply-chains-at-risk/) | Dec 4, 2025 |
| 24 | CyberHub β Detailed CVE Entry & MITRE References | [View β](https://www.cyberhub.blog/cves/CVE-2025-55182) | Dec 4, 2025 |
| 25 | Cloudflare β Automatic WAF Protection for React2Shell | [View β](https://cloudflare.blog/2025/12/04/protecting-against-react2shell-cve-2025-55182/) | Dec 4, 2025 |
| 26 | AWS Security Blog β China-Nexus Groups Rapidly Exploiting React2Shell | [View β](https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/) | Dec 5, 2025 |
| 27 | Radware β Threat Advisory & Mitigation Guidance | [View β](https://www.radware.com/security/threat-advisories-and-attack-reports/react2shell-a-cvss-10-0-rce-vulnerability-in-react-server-components-cve-2025-55182/) | Dec 5, 2025 |
| 28 | SOCRadar β React2Shell RCE Explanation | [View β](https://socradar.io/blog/react2shell-rce-flaw-react-nextjs/) | Dec 5, 2025 |
| 29 | SecurityOnline β China-Nexus Weaponization Within Hours | [View β](https://securityonline.info/react2shell-storm-china-nexus-groups-weaponize-critical-react-flaw-hours-after-disclosure/) | Dec 5, 2025 |
| 30 | BleepingComputer β Active Exploitation by China-Linked Actors | [View β](https://www.bleepingcomputer.com/news/security/react2shell-critical-flaw-actively-exploited-in-china-linked-attacks/) | Dec 5, 2025 |
| 31 | SecurityWeek β Chinese Hackers Exploiting React2Shell | [View β](https://www.securityweek.com/chinese-hackers-exploiting-react2shell-vulnerability/) | Dec 5, 2025 |
| 32 | 12joan β Detailed Write-up & Additional PoC | [View β](https://gist.github.com/12joan/eb606fb5e5e1c44b0d9d2aacb04112f7) | Dec 5, 2025 |
| 33 | Japanese Research Team β Live CVE Investigation Stream | [View β](https://www.youtube.com/live/ewJh_LFU94g) | Dec 5, 2025 |
| 34 | Lachlan Davidson (Original Discoverer) β GitHub Profile | [View β](https://github.com/lachlan2k) | Ongoing |
| 35 | Tencent AI-Infra-Guard β Dependency Detection Tool for React2Shell | [View β](https://github.com/Tencent/AI-Infra-Guard/) | Dec 5, 2025 |
---
**This document is for authorized security research, defensive monitoring, and educational purposes only.**
Unauthorized exploitation of this vulnerability constitutes a serious computer crime in most jurisdictions.
**December 2025 β One of the fastest zero-day weaponization events in recent history.**
Patch immediately. Stay vigilant.