CybrWolf


CVE-2025-55182 is a critical security vulnerability affecting React Server Components and frameworks that rely on them, including Next.js. The issue is widely referred to as React2Shell. This vulnerability allows an attacker to achieve remote code execution on a server by sending a specially crafted request. No authentication or user interaction is required, which makes the risk extremely high for exposed applications.

What is CVE-2025-55182

CVE-2025-55182 is a pre-authentication remote code execution vulnerability caused by improper handling of untrusted input in React Server Components. These components use a data exchange mechanism known as the Flight protocol to transfer component data between the client and server. In vulnerable versions, incoming data is not validated correctly before being processed. As a result, an attacker can inject malicious payloads that are deserialized and executed on the server.

Because this occurs before authentication and without user interaction, any publicly accessible vulnerable endpoint can be exploited.

How the React2Shell Attack Works

React Server Components are designed to move application logic to the server for better performance and reduced client-side load. When a request is received, the server processes serialized component data to generate a response.

In vulnerable implementations, attackers can manipulate this serialized data. A crafted HTTP request can cause the server to interpret attacker-controlled input as executable code. Once triggered, this enables the attacker to run system commands, deploy malware, or establish persistent access to the affected server.

Affected Software and Versions

CVE-2025-55182 impacts React Server Component packages when the following vulnerable versions are in use (note that the patched releases 19.0.1 and 19.1.2 listed in the fix section fall inside this numeric range; a release is vulnerable when it is below the patched version on its minor line):

  • react-server-dom-webpack versions 19.0.0 through 19.2.0
  • react-server-dom-parcel versions 19.0.0 through 19.2.0
  • react-server-dom-turbopack versions 19.0.0 through 19.2.0

Applications built with frameworks such as Next.js are affected if they depend on these packages either directly or indirectly.

Severity and Risk Impact

CVE-2025-55182 carries a CVSS score of 10.0, indicating maximum severity. This rating reflects the ease of exploitation and the potential for complete system compromise.

Successful exploitation may result in full server takeover, unauthorized access to sensitive data, deployment of persistent backdoors, and lateral movement within internal environments. Given the widespread adoption of React and Next.js, the overall exposure is significant.

Observed Exploitation Activity

Following public disclosure, security teams observed active scanning and exploitation attempts targeting vulnerable React Server Component endpoints. In some cases, attackers used the vulnerability to deploy web shells and cryptocurrency mining malware.

Because proof-of-concept exploit code is publicly available, unpatched systems remain at high risk.

How to Fix CVE-2025-55182

The most effective mitigation is to update all affected React Server Component packages to patched versions that properly validate incoming data and prevent unsafe deserialization.

Upgrade to one of the following versions or later:

  • react-server-dom packages version 19.0.1
  • react-server-dom packages version 19.1.2
  • react-server-dom packages version 19.2.1

Ensure that your Next.js deployment includes these patched dependencies. Review dependency lock files to confirm that no vulnerable versions remain in your build.
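The lock file review described above, as an added example that is not part of the original advisory or the React project's tooling: a small Node.js script that walks the packages map of a lockfileVersion 2/3 package-lock.json, picks out the three react-server-dom-* packages named in this advisory (including nested copies under node_modules/next/...), and reports each one as vulnerable or patched against the first fixed release on its minor line (19.0.1, 19.1.2, 19.2.1). The lock file object embedded here is constructed for the demonstration; replace it with JSON.parse of your real lock file. Treating a pre-release tag of a fixed version as fixed is an assumption of this script.

```javascript
// Added example, not code from the advisory or from the React project.
// Scans a package-lock.json structure for the react-server-dom-* packages
// named in CVE-2025-55182 and decides whether each pinned version is still
// in the vulnerable range or already at a patched release.

const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// First fixed release on each affected minor line, as listed in the advisory.
const FIXED_BY_MINOR = {
  "19.0": [19, 0, 1],
  "19.1": [19, 1, 2],
  "19.2": [19, 2, 1],
};

// Parse "19.1.0" (or "19.2.1-canary.3") into numeric [major, minor, patch].
// Assumption: a pre-release tag of a fixed version counts as fixed; revisit
// this if your build consumes canary releases.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when package@version is an affected package on a 19.0/19.1/19.2 line
// and sits below that line's first fixed release.
function isVulnerable(name, version) {
  if (!AFFECTED_PACKAGES.has(name)) return false;
  const v = parseVersion(version);
  const fixed = FIXED_BY_MINOR[`${v[0]}.${v[1]}`];
  if (!fixed) return false; // 18.x or 19.3+ are outside the advisory's range
  return compareVersions(v, fixed) < 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 lock file. Keys look like
// "node_modules/next/node_modules/react-server-dom-webpack", so the package
// name is everything after the last "node_modules/" (scoped names included).
function findVulnerable(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!path) continue; // "" is the root project entry, not a dependency
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (isVulnerable(name, entry.version)) {
      hits.push({ path, name, version: entry.version });
    }
  }
  return hits;
}

// Constructed lock file for the demonstration: one vulnerable top-level copy,
// one vulnerable nested copy, one patched nested copy, and unrelated packages.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/react-server-dom-parcel": { version: "19.1.1" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.1.2" },
  },
};

// Usage: node check-rsc.js  (swap SAMPLE_LOCKFILE for
// JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")))
for (const hit of findVulnerable(SAMPLE_LOCKFILE)) {
  console.log(`VULNERABLE ${hit.name}@${hit.version} at ${hit.path}`);
}
```

Run it against every lock file in the repository, not only the root one: a monorepo or a nested package can pin its own copy of react-server-dom-*, and the nested path handling above is there precisely because a patched top-level copy does not prove the build is clean.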

Additional Security Recommendations

In addition to patching, organizations should deploy web application firewalls capable of identifying exploit patterns associated with React2Shell. Server logs should be monitored for abnormal request behavior, particularly requests targeting server component endpoints.
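The log monitoring recommended above, as an added example that is not part of the original advisory: a detector that reads one JSON object per request from a reverse-proxy access log and flags two kinds of abnormal behaviour on server component endpoints, a burst of server-action POSTs from one client inside a sliding window and any server-action POST that ends in a 5xx. The log format is an assumption (fields ts, client_ip, method, path, status, has_next_action), and the has_next_action flag assumes your log pipeline records whether the request carried the Next-Action header that Next.js uses to mark server-action requests; the log lines are constructed inline for the demonstration.

```javascript
// Added example, not code from the advisory. Flags abnormal server-action
// traffic in constructed JSON-lines access logs. Assumed record shape:
// {"ts": ISO-8601, "client_ip", "method", "path", "status", "has_next_action"}.
// has_next_action is assumed to be set by the log pipeline when the request
// carried a Next-Action header (Next.js marks server-action POSTs with it).

function parseLine(line) {
  const rec = JSON.parse(line);
  return { ...rec, t: Date.parse(rec.ts) };
}

// Server-action requests are POSTs carrying the Next-Action marker.
function isActionRequest(rec) {
  return rec.method === "POST" && rec.has_next_action === true;
}

// Walk the log in order, keeping a sliding window of action-request times per
// client. Emits one "action-burst" finding when a client reaches
// burstThreshold action POSTs within windowMs, and one "action-5xx" finding
// for every action POST the application failed on.
function detectAnomalies(lines, { windowMs = 60_000, burstThreshold = 20 } = {}) {
  const findings = [];
  const perClient = new Map(); // client_ip -> timestamps inside the window
  for (const line of lines) {
    const rec = parseLine(line);
    if (!isActionRequest(rec)) continue;
    if (rec.status >= 500) {
      findings.push({ rule: "action-5xx", client_ip: rec.client_ip, ts: rec.ts, path: rec.path });
    }
    const times = perClient.get(rec.client_ip) || [];
    times.push(rec.t);
    while (times.length && rec.t - times[0] > windowMs) times.shift();
    perClient.set(rec.client_ip, times);
    if (times.length === burstThreshold) {
      findings.push({ rule: "action-burst", client_ip: rec.client_ip, count: times.length, windowMs });
    }
  }
  return findings;
}

// Constructed sample: a normal client with a few action POSTs, and a noisy
// client sending 25 action POSTs in 25 seconds, one of which the app fails on.
function constructedLogLines() {
  const base = Date.parse("2025-12-04T10:00:00Z");
  const line = (offsetSec, ip, method, status, action) =>
    JSON.stringify({
      ts: new Date(base + offsetSec * 1000).toISOString(),
      client_ip: ip,
      method,
      path: "/",
      status,
      has_next_action: action,
    });
  const lines = [];
  lines.push(line(0, "198.51.100.7", "GET", 200, false));
  lines.push(line(5, "198.51.100.7", "POST", 200, true));
  for (let i = 0; i < 25; i++) {
    lines.push(line(i, "203.0.113.5", "POST", i === 10 ? 500 : 200, true));
  }
  lines.push(line(35, "198.51.100.7", "POST", 200, true));
  return lines;
}

// Usage: node rsc-log-check.js  (feed real lines with
// require("fs").readFileSync("access.jsonl", "utf8").split("\n").filter(Boolean))
for (const f of detectAnomalies(constructedLogLines())) {
  console.log(JSON.stringify(f));
}
```

Tune burstThreshold to the real per-client rate of your application, and treat the 5xx rule as the higher-signal one: a legitimate client rarely makes the server fail on an action request, so those lines are the ones to pull full request bodies for when the proxy retains them.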

Security teams should also audit applications to identify unintended exposure of server-side rendering or server component functionality.

Who Should Take Immediate Action

Immediate action is recommended for organizations and developers using:

  • React 19 Server Components
  • Next.js applications with server-side rendering enabled
  • Applications that rely on experimental or production React Server Component features

Even applications that do not explicitly use server components may still bundle vulnerable dependencies and should be reviewed.

References & Attribution

NVD entry for CVE-2025-55182 - National Vulnerability Database summary
https://nvd.nist.gov/vuln/detail/CVE-2025-55182

React team advisory - Critical security vulnerability in React Server Components
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

Final Thoughts

CVE-2025-55182, also known as React2Shell, is one of the most severe vulnerabilities to affect modern web frameworks in recent years. Its unauthenticated exploitation path and broad impact make timely patching and dependency review essential. Organizations that act quickly can significantly reduce the risk of server compromise and data exposure.