Critical React2Shell RCE Vulnerability: How to Check and Fix CVE-2025-55182
UPDATE (Dec 6): Active exploitation confirmed by AWS and Datadog. Threat actors are targeting unpatched Next.js 15/16 instances. Patch immediately.
Wiz Research found vulnerable React versions in 39% of the cloud environments it scanned. If you use the Next.js App Router or React Server Components, check your systems immediately. If you run many apps on these components, it's going to be a busy day.
Update (December 6, 2025): CVE-2025-55182, now widely known as React2Shell, was added to CISA's Known Exploited Vulnerabilities catalog on December 5, confirming active exploitation in the wild. Fastly reported a 2,775% increase in attack attempts within 24 hours of the PoC release. This article has been updated with detection tools, expanded WAF guidance, and indicators of compromise.
Why This Matters
React Server Components use a protocol called "Flight" to serialize data between the server and the client. The vulnerability is in how production servers deserialize incoming Flight requests: a crafted payload bypasses the deserializer's validation, and attacker-controlled code runs on the server without any authentication.
This is a runtime vulnerability. A code repository is not at risk by itself; a running server that accepts Flight requests from untrusted clients is, above all production servers taking public traffic. Standard deployments are vulnerable by default: a fresh Next.js app created with create-next-app can be exploited with no code changes by the developer (Wiz).

CVE-2025-55182 is a critical unauthenticated remote code execution vulnerability in React Server Components. It carries the maximum CVSS score of 10.0 and affects the "Flight" protocol that React Server Components use to move data between server and client. In testing, researchers achieved a near 100% exploitation success rate (Wiz).
Check If You Are Affected
Run this command in your project's root directory (where package.json lives):
npm list next react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack
This lists the versions of those packages that your project resolves. If you have multiple applications, run it in each project. For containerized deployments, run it against the source tree and lockfile the image was built from, or inside the container itself, so that the versions you check are the ones actually deployed.
Vulnerable React packages (versions 19.0.0, 19.1.0, 19.1.1, 19.2.0):
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Vulnerable Next.js versions:
- Next.js 15.x releases below the patched release of their minor line (15.0.5 is the patched release of the 15.0 line; later 15.x lines received their own patched releases, listed in the Vercel advisory)
- Next.js 16.x prior to 16.0.7
- Canary versions 14.3.0-canary.77 and later
Next.js 13.x and 14.x stable releases using the Pages Router are generally not affected unless you manually implemented RSC features from unstable channels.
React2Shell Detection and Scanning
Security researchers have released scanner tools to help identify vulnerable applications at scale. Assetnote published a react2shell-scanner on GitHub that tests for the vulnerability using a safe-check mode. This relies on side-channel indicators without executing code on your servers.
For external scanning of live URLs:
git clone https://github.com/assetnote/react2shell-scanner
cd react2shell-scanner
pip install requests tqdm
python scanner.py --safe-check https://your-app.com
The scanner looks for specific error responses that indicate a vulnerable Flight protocol implementation. By default it sends a crafted POST request that executes a deterministic math operation on the target; vulnerable hosts return the result in the X-Action-Redirect response header. Because that default mode runs code on the host, use it only against systems you are authorized to test. The --safe-check flag uses an alternative detection method that does not execute code on the target.
For security teams, Burp Suite's ActiveScan++ (v2.0.8) has been updated to detect the Next-Action header anomalies associated with this exploit.
For CI/CD integration, community scanners now support GitHub Actions and SARIF output for automated security checks on pull requests. See the gensecaihq/react2shell-scanner repository for examples.
Datadog has published IOCs for detection in runtime environments: https://github.com/DataDog/indicators-of-compromise/tree/main/react-CVE-2025-55182
How to Fix It
For React Server Components users, update the react-server-dom package for your bundler to the patched release of your version line:
npm install react-server-dom-webpack@19.0.1
# Or 19.1.2 or 19.2.1 depending on your version line; use react-server-dom-parcel or react-server-dom-turbopack instead of -webpack if that is the package your app resolves
For Next.js 15 users on the 15.0 line:
npm install next@15.0.5 react@latest react-dom@latest
# Other 15.x lines: install the patched release of your minor line from the Vercel advisory
For Next.js 16 users:
npm install next@16.0.7 react@latest react-dom@latest
For Canary users, downgrade to stable v14 or upgrade to the latest fixed canary release. After upgrading, rerun the npm list command above and redeploy; the fix only takes effect once the patched build is the one serving traffic.
WAF and Runtime Mitigations
If you cannot patch immediately, major providers have deployed protections.
Cloudflare rolled out managed WAF rules that automatically protect all customers proxying traffic through their network. No action required if Cloudflare WAF is enabled.
Vercel deployed both WAF rules and runtime-level protections for all hosted projects. The original researcher notes that some providers have implemented protections beyond just WAF rules, meaning theoretically vulnerable versions may still be protected (react2shell.com).
Google Cloud released Cloud Armor WAF rules available now for global and regional Application Load Balancers.
AWS released new WAF rules and stated that its own managed services are not impacted, so no action is required for those.
Fastly published a Virtual Patch for NGWAF customers with automatic updates.
Akamai deployed Adaptive Security Engine Rapid Rules for customers.
WAF rules are a temporary measure. Fastly verified that public PoCs grant attackers single-step ability to execute commands, exfiltrate data, and gain write access on vulnerable servers. Patching remains the only safe fix.
Behavioral Indicators for Detection
Alongside the vendor IOCs, defenders can use behavioral patterns observed in the wild by GreyNoise and Datadog:
- Unusual POST requests or traffic spikes to RSC/Server Function endpoints handling Flight payloads
- Unexpected errors related to deserialization or malformed RSC payloads in application logs
- Creation of unfamiliar temporary files near your application code following suspicious requests
- New outbound connections from app servers to untrusted IPs shortly after anomalous requests
- PowerShell execution patterns like powershell -c "<digits>*<digits>", which indicate exploit validation (GreyNoise)
GreyNoise observed attackers using encoded PowerShell download-and-execute stagers with AMSI bypass techniques. If your detection platform supports it, aggregate on repeated PowerShell arithmetic patterns from one host within a short window: that is a strong indicator of exploit validation. Datadog Workload Protection customers can use custom rules to detect exploitation attempts at runtime.
Active Exploitation in the Wild
Amazon confirmed China-nexus threat groups including "Earth Lamia" and "Jackpot Panda" began targeting this vulnerability within hours of disclosure (Bitdefender). GreyNoise observed that nearly 50% of scanning IPs were newly spun up in December 2025, indicating fresh infrastructure dedicated to this campaign.
The attack chain follows a predictable pattern: automated scanners probe for vulnerable applications, followed by proof-of-execution commands to validate RCE, then staged payloads for persistence. GreyNoise has already detected CVE-2025-55182 being added to Mirai and other botnet exploitation kits.
A Metasploit module is now available, lowering the barrier to exploitation further (Rapid7).
Summary
CVE-2025-55182, now widely known as React2Shell, was added to CISA's Known Exploited Vulnerabilities catalog on December 5 with a remediation deadline of December 24 for federal agencies. This confirms what threat intelligence has been showing: active exploitation is underway.
With React used by 82% of JavaScript developers according to the State of JavaScript 2024 survey, and Wiz finding vulnerable versions in 39% of cloud environments, this vulnerability has massive potential impact. The combination of unauthenticated access, near-perfect exploitation reliability, default-vulnerable configurations, and confirmed nation-state interest makes immediate patching essential.
This is another reminder that supply chain and dependency security requires constant attention. For more on managing npm vulnerabilities effectively, see my npm Vulnerability Scanner guide and the recent Shai-Hulud supply chain attack analysis.
Check your dependencies today and patch immediately.
Frequently Asked Questions
Is Next.js 14 safe from CVE-2025-55182?
Generally, yes. Next.js 14 (Stable/Pages Router) is safe. You are only at risk if you manually enabled the experimental React Server Components (RSC) features.
Does Cloudflare protect against React2Shell?
Yes, Cloudflare WAF has deployed automatic rules to block the malicious "Flight" protocol payloads for all proxied React applications.
Is this vulnerability exploitable without authentication?
Yes. An unauthenticated attacker can execute code on your server (RCE) just by sending a crafted HTTP request.
References:
- React Team (2025). "Critical Security Vulnerability in React Server Components." Official disclosure and patched versions.
- CISA (2025). "Known Exploited Vulnerabilities Catalog." CVE-2025-55182 added December 5 with December 24 remediation deadline.
- Wiz Research (2025). "Critical RCE Vulnerabilities Discovered in React and Next.js." Vulnerability analysis showing 39% cloud environment exposure.
- Fastly (2025). "React2Shell RCE Protection." 2,775% increase in attack attempts within 24 hours of PoC release.
- GreyNoise (2025). "CVE-2025-55182 Opportunistic Exploitation In The Wild." Scanning patterns and behavioral indicators.
- Datadog Security Labs (2025). "CVE-2025-55182 React2Shell." IOCs and detection guidance.
- Bitdefender (2025). "Technical Advisory: React2Shell." China-nexus threat group exploitation confirmed.
- Vercel (2025). "Summary of CVE-2025-55182." Next.js specific advisory and mitigation guidance.
- Tenable (2025). "React2Shell: CVE-2025-55182 FAQ." Detailed technical breakdown.
- Rapid7 (2025). "React2Shell Critical Unauthenticated RCE." Metasploit module availability.
- Assetnote/SearchLight Cyber (2025). "High Fidelity Detection Mechanism for RSC/Next.js RCE." Scanner tooling and methodology.