A maximum-severity security flaw, tracked as CVE-2025-55182 and codenamed React2shell, has been publicly disclosed in React Server Components (RSC). This flaw carries a CVSS score of 10.0, indicating the highest possible level of criticality. The issue enables unauthenticated remote code execution (RCE) by exploiting a defect in how React decodes payloads sent to React Server Function endpoints. The React Team warned that even applications without implemented React Server Function endpoints might still be vulnerable if they support React Server Components, exposing a wide range of deployments to this significant risk.
The core of the vulnerability is a case of logical deserialization that stems from the unsafe processing of RSC payloads. Specifically, the flaw lies in the React Flight protocol’s handling of serialized data. An unauthenticated attacker can craft a malicious HTTP request directed at any Server Function endpoint. When React attempts to deserialize this request, the malformed or adversarial payload is processed in an unintended manner, resulting in the execution of arbitrary JavaScript code on the server. This exploit leverages the system’s trust in incoming data structures, causing it to reliably execute the malicious payload as if it were legitimate code.
The vulnerability impacts specific versions of several npm packages essential for RSC functionality, including react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. Affected versions include 19.0, 19.1.0, 19.1.1, and 19.2.0. The fix has been released in versions 19.0.1, 19.1.2, and 19.2.1, which introduce stricter validation and hardened deserialization behavior to prevent the exploit. Lachlan Davidson, a security researcher from New Zealand, is credited with discovering and reporting the flaw to Meta, the company that originally developed and maintained the JavaScript library.
Crucially, any library or framework that bundles RSC is likely to be affected by this flaw. This includes prominent frameworks like Next.js using the App Router, where the issue has been assigned a separate CVE identifier: CVE-2025-66478 (also CVSS score 10.0). Affected Next.js versions with patches available in versions such as 16.0.7, 15.5.7, and 15.4.8. Security firms have emphasized that no special setup is required to weaponize this flaw, meaning standard, default deployments are immediately exploitable over HTTP and without needing any authentication. An attacker only requires network access to send a crafted HTTP request to a Server Function endpoint.
Given the severity and ease of exploitation, users are strongly advised to apply the available patches as soon as possible for optimal protection. In the interim, before patches can be deployed, temporary mitigation measures are recommended. These include deploying Web Application Firewall (WAF) rules, such as the new safeguard deployed by Cloudflare, to monitor and block suspicious or malformed HTTP traffic to Server Function endpoints. Furthermore, temporarily restricting network access to the affected applications is another prudent step. With estimates suggesting that hundreds of thousands of servers are running modern frameworks exposed to this flaw, immediate action is paramount.
Reference:
