React2Shell: The Critical Vulnerability Affecting Thousands of React Applications

Hello HaWkers, one of the most severe vulnerabilities in the history of the React ecosystem has been discovered and is being actively exploited by hacker groups. Named "React2Shell" (CVE-2025-55182), it received the maximum CVSS score of 10.0 and allows remote code execution on servers using React Server Components.

If you develop applications with Next.js, Remix, or any framework that uses React Server Components, this article is required reading. Let's understand what happened, how the vulnerability works, and most importantly, how to protect your applications.

What Is React2Shell

The name "React2Shell" is a direct reference to the devastating Log4Shell from 2021. Like its predecessor, this vulnerability allows attackers to execute arbitrary code on servers without authentication.

Technical Details:

CVE: CVE-2025-55182
CVSS Score: 10.0 (Critical)
Type: Remote Code Execution (RCE)
Affected Versions: React 19.0.0 to 19.2.0
Discovered by: Lachlan Davidson
Disclosure Date: December 3, 2025

The vulnerability is located in React's Flight protocol, responsible for serializing and deserializing component trees between client and server.

How the Vulnerability Works

The problem lies in how React Server Components processes payloads received from the client. During deserialization, the server-side decoder fails to properly validate incoming data.

The Flight Protocol

React Server Components uses an internal protocol called Flight for client-server communication. This protocol serializes the component tree into a special format that can be transmitted via HTTP.

// Simplified example of normal Flight Protocol flow
// SERVER: Serialize component
const serialized = await renderToFlightStream(<ServerComponent />);

// CLIENT: Receives and processes
const response = await fetch('/api/component');
const stream = response.body;

// SERVER: Deserializes client payload
// HERE IS THE PROBLEM - without proper validation
const clientPayload = await parseFlightRequest(request);

The Attack Vector

An attacker can create a malicious payload that, when deserialized by the server, executes arbitrary code:

// Malicious payload (DO NOT execute this code!)
// Educational demonstration of the attack vector

// The attacker sends a crafted HTTP request
// containing malicious serialized objects that
// exploit insecure deserialization

// The server, when processing the payload, executes
// commands as if they were a legitimate part of the
// component tree

// Result: Reverse shell, data exfiltration,
// or any command on the server

The severity is amplified by the fact that default configurations are vulnerable. A Next.js application created with create-next-app and deployed to production can be exploited without any code modifications.

Active Exploitation by Hacker Groups

The situation became critical when, just hours after the public disclosure on December 3, 2025, multiple hacker groups began actively exploiting the vulnerability.

Identified Groups:

Earth Lamia: China-nexus group
Jackpot Panda: Another group with Chinese ties
CL-STA-1015: Initial Access Broker with suspected links to China's Ministry of State Security

Observed Tactics:

Installation of Mirai loaders (botnet)
Reverse shells connected to Cobalt Strike servers
Installation of SNOWLIGHT and VShell Trojans
Exfiltration of AWS credentials from environment variables
Collection of tokens and secrets from cloud instance metadata

Exploitation Timeline

Date	Event
11/29/2025	Responsible disclosure to Meta
12/03/2025	Patch released by React and Vercel
12/03/2025	First exploitation attempts detected
12/05/2025 06:00 UTC	Mass exploitation after public PoC
12/06/2025	Added to CISA KEV

How to Check If You Are Vulnerable

The first action is to verify which version of React your application is using.

Quick Verification

# Check React version
npm list react

# Check Next.js version (if applicable)
npm list next

# Check all React dependencies
npm list | grep react

Vulnerable Versions

React 19.0.0
React 19.1.0 and 19.1.1
React 19.2.0

Patched Versions

React 19.0.1
React 19.1.2
React 19.2.1

If you are using React 18.x or earlier, you are not vulnerable to this specific CVE, as React Server Components did not exist in those versions.

How to Fix Immediately

The fix is simple: update to patched versions.

For npm Projects

# Update React to patched version
npm update react react-dom

# Or specify exact version
npm install react@19.2.1 react-dom@19.2.1

# Update Next.js (if applicable)
npm update next

For yarn Projects

# Update dependencies
yarn upgrade react react-dom

# Or specific version
yarn add react@19.2.1 react-dom@19.2.1

For pnpm Projects

# Update to patched versions
pnpm update react react-dom

# Specific version
pnpm add react@19.2.1 react-dom@19.2.1

Additional Protection Measures

Besides updating, there are other measures you should consider.

1. Check Access Logs

Look for suspicious patterns in your server logs:

# Search for exploitation attempts in nginx logs
grep -E "(wget|curl|chmod|/bin/sh|/bin/bash)" /var/log/nginx/access.log

# For Node.js application logs
grep -E "child_process|exec\(|spawn\(" logs/app.log

2. Implement WAF Rules

If you use Cloudflare, AWS WAF, or similar, add rules to block malicious payloads:

// Example of additional protection middleware
// for Next.js/Express

function securityMiddleware(req, res, next) {
  const contentType = req.headers['content-type'];

  // Reject suspicious content-types
  if (contentType && contentType.includes('text/x-component')) {
    // Validate payload size
    const contentLength = parseInt(req.headers['content-length'], 10);

    if (contentLength > 1000000) { // 1MB limit
      return res.status(413).json({ error: 'Payload too large' });
    }
  }

  next();
}

3. Rotate Credentials

If you suspect compromise, rotate immediately:

AWS keys (Access Key and Secret Key)
API tokens (GitHub, Stripe, etc.)
Sensitive environment variables
TLS/SSL certificates
Database passwords

Lessons for the Future

This vulnerability exposes important structural problems in the ecosystem.

Serialization Is Dangerous

Deserializing untrusted data is historically one of the main sources of critical vulnerabilities. Log4Shell, Java ObjectInputStream, Python pickle - the pattern repeats.

Best practices:

Never trust serialized data from untrusted sources
Implement strict schema validation
Use formats like JSON that don't allow code execution
Consider cryptographic signatures for serialized data

Frameworks Are Not Infallible

Even popular and well-maintained frameworks like React can contain critical vulnerabilities. This reinforces the importance of:

Keeping dependencies updated
Monitoring security feeds
Having incident response plans
Implementing defense in depth

The Impact on the React Ecosystem

React2Shell will likely cause significant changes in the ecosystem.

Expected Changes:

Security Audits: Greater scrutiny of RSC-related code
Input Validation: Implementation of stricter validation in Flight protocol
Scanning Tools: New tools to detect similar vulnerabilities
Documentation: More detailed guides on SSR/RSC security

Impact on Developers

Area	Impact
Updates	Urgency to update dependencies
CI/CD	Need for security scans
Monitoring	Alerts for vulnerabilities
Knowledge	Deep understanding of SSR/RSC

Conclusion

React2Shell is an important reminder that security must be a constant priority in software development. Even when using the most popular and well-maintained technologies, critical vulnerabilities can emerge.

Immediate actions you should take:

Check which version of React you are using
Update to patched versions (19.0.1, 19.1.2, or 19.2.1)
Review logs for exploitation attempts
Rotate credentials if compromise is suspected
Implement continuous security monitoring

If you want to dive deeper into security for modern web applications, I recommend checking out another article: Over 10,000 Docker Hub Images Leaking Credentials where you will discover how to protect your containers from secrets exposure.