A maximum-severity vulnerability, dubbed 'React2Shell', in the React Server Components (RSC) 'Flight' protocol allows unauthenticated remote code execution in React and Next.js applications.
The security issue stems from insecure deserialization. It received a severity score of 10/10 and has been assigned the identifiers CVE-2025-55182 for React and CVE-2025-66478 (CVE rejected in the National Vulnerability Database) for Next.js.
Security researcher Lachlan Davidson discovered the flaw and reported it to React on November 29. He found that an attacker could achieve remote code execution (RCE) by sending a specially crafted HTTP request to React Server Function endpoints.
"Even if your app doesn't implement any React Server Function endpoints, it may still be vulnerable if your app supports React Server Components [RSC]," warns the security advisory from React.
The following packages are affected in their default configuration:
- react-server-dom-parcel
- react-server-dom-turbopack
- react-server-dom-webpack
React is an open-source JavaScript library for building user interfaces. It is maintained by Meta and widely adopted by organizations of all sizes for front-end web development.
Next.js, maintained by Vercel, is a framework built on top of React that adds server-side rendering, routing, and API endpoints.
Both are widely present in cloud environments through front-end applications that help teams scale and deploy architectures faster and more easily.
Researchers at cloud security platform Wiz warn that the vulnerability is easy to exploit and exists in the default configuration of the affected packages.
Impact and fixes
According to React, the vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0. Next.js is affected in experimental canary releases starting with 14.3.0-canary.77, and in all releases of the 15.x and 16.x branches below the patched versions.
The flaw exists in the 'react-server' package used by React Server Components (RSC), but Next.js inherits it through its implementation of the RSC 'Flight' protocol.
Wiz researchers say that 39% of all cloud environments where they have visibility contain instances of Next.js or React running versions vulnerable to CVE-2025-55182, CVE-2025-66478, or both.
The same vulnerability likely exists in other libraries that implement React Server Components, including the Vite RSC plugin, the Parcel RSC plugin, the React Router RSC preview, RedwoodSDK, and Waku.
Software supply-chain security company Endor Labs explains that React2Shell "is a logically insecure deserialization vulnerability where the server fails to properly validate the structure of incoming RSC payloads."
Because the malformed data sent by the attacker is never validated, the server ends up executing attacker-supplied JavaScript code with the server's own privileges.
Davidson created a React2Shell website, where he will publish technical details. The researcher is also warning that some of the proof-of-concept (PoC) exploits circulating are not genuine.
These PoCs invoke functions such as vm#runInThisContext, child_process#exec, and fs#writeFile, but a genuine exploit does not need any of them, the researcher says.
"This would only be exploitable if you had consciously chosen to let clients invoke these, which would be dangerous no matter what," Davidson notes.
He further explained that these fake PoCs would not work against Next.js, since those functions are not reachable there: Next.js manages the list of exposed server functions automatically.
Developers are strongly advised to apply the fixes available in React versions 19.0.1, 19.1.2, and 19.2.1, and in Next.js versions 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7.
Organizations should audit their environments to determine whether they run a vulnerable version and take the appropriate action to mitigate the risk.
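One way to run that audit against a lockfile, as an added example that is not code from the React or Next.js projects: the script below encodes the affected and fixed version numbers exactly as this article lists them, classifies a package/version pair, and walks the "packages" map of a package-lock.json (a constructed sample is embedded inline). Two choices are assumptions rather than facts from the page: on the 14.x line only 14.3.0-canary.N with N >= 77 is treated as affected, which is read from the advisory wording quoted above, and any 15.x/16.x minor branch with no fix listed here is reported as "unknown" instead of guessed.

```javascript
// Added example (not code from the React or Next.js projects): classify
// installed versions of the packages this article names against the fixed
// releases it lists, and run that over a package-lock "packages" map.

// Lowest fixed release per affected minor branch, as listed in the article.
// react-server-dom-{webpack,turbopack,parcel} track React's version numbers.
const FIXED = {
  react: { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" },
  next: {
    "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
    "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7",
  },
};
const REACT_PACKAGES = new Set([
  "react-server-dom-webpack", "react-server-dom-turbopack", "react-server-dom-parcel",
]);

// Parse "M.m.p" or "M.m.p-prerelease"; returns null for anything else.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(text).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Compare major.minor.patch only; prerelease tags are handled by the caller.
function compareBase(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Returns { status, reason } with status one of
// "vulnerable" | "fixed" | "not-affected" | "unknown" | "not-listed".
function assess(pkg, version) {
  const v = parseVersion(version);
  if (!v) return { status: "unknown", reason: `cannot parse version '${version}'` };

  let table, lowestAffectedMajor;
  if (REACT_PACKAGES.has(pkg)) { table = FIXED.react; lowestAffectedMajor = 19; }
  else if (pkg === "next") { table = FIXED.next; lowestAffectedMajor = 15; }
  else return { status: "not-listed", reason: `${pkg} is not named in the advisory` };

  if (pkg === "next" && v.major === 14) {
    // Assumption drawn from the article's wording: only the experimental
    // 14.3.0-canary.N line from N >= 77 onward carries the vulnerable code.
    const canary = v.minor === 3 && v.patch === 0 && v.pre
      ? /^canary\.(\d+)$/.exec(v.pre) : null;
    if (canary && Number(canary[1]) >= 77) {
      return { status: "vulnerable", reason: `${version} is an affected 14.3.0 canary` };
    }
    return { status: "not-affected", reason: `${version} predates the affected canaries` };
  }
  if (v.major < lowestAffectedMajor) {
    return { status: "not-affected", reason: `${pkg}@${version} predates the affected branches` };
  }
  const fixed = table[`${v.major}.${v.minor}`];
  if (!fixed) {
    // A minor branch with no fix listed in the article: do not guess.
    return { status: "unknown", reason: `no fixed release listed for ${pkg} ${v.major}.${v.minor}.x` };
  }
  const cmp = compareBase(v, parseVersion(fixed));
  // A prerelease of the fixed version (e.g. 16.0.7-canary.2) still precedes the fix.
  if (cmp < 0 || (cmp === 0 && v.pre)) {
    return { status: "vulnerable", reason: `${version} is below fixed release ${fixed}` };
  }
  return { status: "fixed", reason: `${version} is at or above ${fixed}` };
}

// Walk a package-lock.json (lockfileVersion 2 or 3) "packages" map. Nested
// installs appear as ".../node_modules/<name>", so take the last segment.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1 || !entry.version) continue; // skips the root project entry ""
    const name = path.slice(idx + "node_modules/".length);
    const result = assess(name, entry.version);
    if (result.status !== "not-listed") {
      findings.push({ path, name, version: entry.version, ...result });
    }
  }
  return findings;
}

// Constructed sample lockfile (not a real project) exercising each branch.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/next": { version: "15.4.7" },
    "node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/some-tool/node_modules/next": { version: "16.0.7" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(13)} ${f.path}@${f.version}: ${f.reason}`);
}
```

To use it on a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the nested-path handling matters because a vulnerable copy of next or react-server-dom-* can be installed under another dependency's node_modules and never show up in the top-level package.json.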
The popularity of the two projects is reflected in their weekly download counts: React has 55.8 million on the Node Package Manager (npm) registry, and Next.js has 16.7 million on the same platform.
