Executive Overview
In early December 2025, the React ecosystem faced one of its most severe security incidents to date. A critical remote code execution vulnerability, tracked as CVE-2025-55182 and now widely referred to as React2Shell, was publicly disclosed by the React core team. The flaw affects React Server Components (RSC) in React 19 and allows unauthenticated attackers to execute arbitrary JavaScript code directly on the server.
The vulnerability carries a CVSS v3 score of 10.0 (Critical) and is officially listed in the National Vulnerability Database. Security researchers and vendors have confirmed proof-of-concept exploitation, and organizations running unpatched versions are considered fully exposed.
React2Shell marks a fundamental inflection point for frontend frameworks. React Server Components are not a browser feature — they are backend execution infrastructure. As such, vulnerabilities in RSC must be treated with the same urgency as remote code execution flaws in APIs, microservices, and cloud control planes.
I. When the React2Shell Vulnerability Occurred
Initial Discovery Phase
According to the React security advisory published on react.dev, the vulnerability was identified during internal security review and external research focused on the React Server Components runtime. While the React team has not publicly disclosed the exact discovery date, coordinated disclosure timelines indicate the issue was identified several weeks prior to public announcement.
The vulnerability was responsibly disclosed to the React core team and investigated under embargo. During this period, maintainers analyzed the impact across React’s server runtime, associated react-server-dom-* packages, and dependent frameworks such as Next.js.
Public Disclosure
React2Shell was publicly disclosed on December 3, 2025. On that date, the React team released:
- An official security advisory
- Patched React releases
- Guidance for framework maintainers
The advisory confirmed that the vulnerability enables unauthenticated server-side remote code execution and urged immediate patching.
II. How React2Shell Was Found
Security Research Into Server Components
React Server Components introduce a novel execution and serialization model via an internal mechanism known as the Flight protocol. Flight serializes the rendered server component tree and streams it to the client, and the same encoding carries data in the other direction: when the client invokes a Server Function (Server Action), its arguments are Flight-encoded and decoded on the server.
The client-to-server direction is attacker-controlled by construction: any HTTP client can send a Flight-encoded request to a server that decodes them. Security researchers analyzing this model found that the server runtime trusted these payloads and decoded them without sufficiently validating what they referenced, so a crafted payload could steer the decoder into resolving and executing code the sender chose.
Unsafe Deserialization as the Root Cause
Unsafe deserialization is a well-known vulnerability class documented in the OWASP Top 10 (as Insecure Deserialization, now folded into Software and Data Integrity Failures). In React2Shell's case, crafted Flight payloads could manipulate the internal references the decoder resolves, allowing attacker-supplied JavaScript to execute inside the Node.js process that serves the application.
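To make the vulnerability class concrete, here is an added illustration in plain Node.js. It is not React's code and not the Flight protocol; the payload format, the function names and the "registry" are invented for the example. The unsafe decoder resolves a client-chosen reference by walking the server's object graph, so the payload decides what runs; the hardened decoder only dispatches to functions the registry itself owns and rejects everything else before any code is invoked.

```javascript
// Hypothetical toy RPC decoder illustrating the unsafe-deserialization class
// behind React2Shell. This is NOT React's Flight protocol or React's code;
// the payload format and every name here are invented for the example.

// Server-side registry of the only functions a client should be able to call.
const serverFunctions = {
  greet: (name) => `hello ${name}`,
  add: (a, b) => a + b,
};

// Server-internal helpers that must never be reachable from a client payload.
const internalHelpers = {
  countEnvVars: () => Object.keys(process.env).length,
};

// The object graph the unsafe decoder can see. In a real runtime this would be
// module registries, loaders and other internals, not just two plain objects.
const serverRoot = { ...serverFunctions, internal: internalHelpers };

// UNSAFE: the client-supplied "ref" is a dotted path that the decoder walks
// from the server root, so the payload decides which object it reaches and
// which function runs. Nothing restricts it to the intended registry.
function decodeUnsafe(payload, root = serverRoot) {
  const msg = JSON.parse(payload);
  let target = root;
  for (const key of msg.ref.split('.')) target = target[key];
  return target(...msg.args);
}

// SAFE: the client may only name an entry that the registry itself owns
// (no prototype lookups, no path walking); shape and types are checked
// before anything is invoked.
function decodeSafe(payload, registry = serverFunctions) {
  let msg;
  try {
    msg = JSON.parse(payload);
  } catch {
    throw new Error('malformed payload');
  }
  if (typeof msg !== 'object' || msg === null || Array.isArray(msg)) {
    throw new Error('malformed payload');
  }
  const own = Object.prototype.hasOwnProperty;
  if (typeof msg.ref !== 'string' || !own.call(registry, msg.ref)) {
    throw new Error(`unknown server function: ${String(msg.ref)}`);
  }
  if (!Array.isArray(msg.args)) throw new Error('args must be an array');
  return registry[msg.ref](...msg.args);
}

// Constructed sample requests: a legitimate call and a crafted reference that
// points outside the registry.
const SAMPLE_REQUESTS = {
  legitimate: JSON.stringify({ ref: 'add', args: [2, 3] }),
  crafted: JSON.stringify({ ref: 'internal.countEnvVars', args: [] }),
};

// Runs both decoders over both requests and reports what each one did.
function demo() {
  let safeCraftedRejected = false;
  try {
    decodeSafe(SAMPLE_REQUESTS.crafted);
  } catch {
    safeCraftedRejected = true;
  }
  return {
    unsafeLegit: decodeUnsafe(SAMPLE_REQUESTS.legitimate),   // 5
    unsafeCrafted: decodeUnsafe(SAMPLE_REQUESTS.crafted),    // reaches internals
    safeLegit: decodeSafe(SAMPLE_REQUESTS.legitimate),       // 5
    safeCraftedRejected,                                     // true
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The important difference is not the JSON parsing but what the decoder does with a string from the wire: the unsafe version treats it as a reference into the server's own object graph, the safe version treats it as a key that must already exist in an allowlist. Patches for this class of bug therefore tighten the resolution step, not the transport.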
“This vulnerability effectively turns React Server Components into a remote procedure execution surface when exposed to untrusted input.”
III. Why React2Shell Is a Server-Side Vulnerability
Although React is commonly viewed as a frontend framework, React Server Components execute entirely on the server. Code affected by React2Shell runs:
- Inside the backend Node.js runtime
- With access to environment variables and secrets
- With network access to internal services and databases
As a result, React2Shell is not comparable to client-side vulnerabilities such as cross-site scripting. It is a backend remote code execution vulnerability with full infrastructure impact.
IV. Severity and Exploitation Status
Severity Assessment
- CVE: CVE-2025-55182
- CVSS v3 Score: 10.0 (Critical)
- Attack Vector: Network
- Authentication Required: None
Exploit Availability
The React advisory confirmed the existence of proof-of-concept exploits. Security vendors later reported active scanning for exposed React Server Components endpoints in the days following disclosure.
V. Affected React Versions and Packages
Vulnerable React Versions
- React 19.0.0
- React 19.1.0 – 19.1.1
- React 19.2.0
Affected Server Packages
- react-server-dom-webpack
- react-server-dom-turbopack
- react-server-dom-parcel
VI. Impact on Next.js and the Broader Ecosystem
Next.js enables React Server Components by default in the App Router and depends directly on React's server runtime. As a result, Next.js App Router applications running affected React versions are vulnerable even if developers never wrote a Server Action or otherwise opted into advanced server-side features: the request handling that decodes Flight payloads is part of the framework runtime itself.
A separate Next.js CVE was later identified and subsequently marked as a duplicate of CVE-2025-55182, confirming that the root cause lies within React itself.
VII. Official Fix and Patch Timeline
Patched Versions Released
- React 19.0.1
- React 19.1.2
- React 19.2.1 and later
The patches harden the deserialization logic in the Flight protocol and enforce stricter validation of client-supplied Flight payloads before any server-side references are resolved. No API changes are involved, so upgrading is a version bump rather than a migration.
VIII. Recommended Mitigation Steps
Immediate Actions
- Upgrade React and the react-server-dom-* packages to a patched version immediately, and confirm the installed versions from the lockfile rather than from package.json (a caret range in package.json can still resolve to an affected copy, including nested copies under other packages)
- Upgrade Next.js and dependent frameworks
- Invalidate build and CDN caches and redeploy clean builds so no prebuilt server bundle with the old runtime remains in service
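The check a practitioner wants after the version tables in sections V and VII and the upgrade step above is a mechanical one: which installed copies of the three server packages fall inside the affected ranges? The following Node.js script is an added example, not tooling from the React or Next.js projects. It classifies a version string against the ranges this page lists (19.0.0, 19.1.0 to 19.1.1 and 19.2.0 affected; 19.0.1, 19.1.2 and 19.2.1 or later fixed) and walks the `packages` map of an npm package-lock.json, including nested copies. The lockfile shown is constructed for the example; prerelease builds such as canaries are reported as "review" because those ranges do not describe them.

```javascript
// Added audit helper (not from the React or Next.js projects): flags installed
// react-server-dom-* packages whose version falls in the ranges this page lists
// as affected by CVE-2025-55182. The lockfile below is constructed sample data.
const RSC_PACKAGES = new Set([
  'react-server-dom-webpack',
  'react-server-dom-turbopack',
  'react-server-dom-parcel',
]);

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numbers plus any prerelease tag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Affected: 19.0.0, 19.1.0-19.1.1, 19.2.0.  Fixed: 19.0.1, 19.1.2, 19.2.1+.
// Returns 'affected', 'not-affected', or 'review' for unparsable or prerelease
// versions (canary/experimental builds), which must be checked by hand against
// the advisory.
function classify(version) {
  const p = parseVersion(version);
  if (!p || p.pre) return 'review';
  if (p.major !== 19) return 'not-affected';   // page lists React 19 only
  if (p.minor === 0) return p.patch === 0 ? 'affected' : 'not-affected';
  if (p.minor === 1) return p.patch <= 1 ? 'affected' : 'not-affected';
  if (p.minor === 2) return p.patch === 0 ? 'affected' : 'not-affected';
  return 'not-affected';                       // 19.3 and later postdate the fix
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3).
// Keys look like "node_modules/<name>" or, for nested copies,
// "node_modules/<parent>/node_modules/<name>"; the last segment is the name.
function auditLock(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!RSC_PACKAGES.has(name)) continue;
    findings.push({ path, name, version: entry.version, status: classify(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile: one affected copy, one patched nested copy, and
// one canary build that needs manual review.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/next/node_modules/react-server-dom-turbopack': { version: '19.2.1' },
    'node_modules/react-server-dom-parcel': { version: '19.1.0-canary-0000000' },
  },
};

// Exit status for CI: non-zero when any affected copy is present.
function exitCodeFor(findings) {
  return findings.some((f) => f.status === 'affected') ? 1 : 0;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Usage: node audit-rsc.js [path/to/package-lock.json]
  const lock = process.argv[2]
    ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  const findings = auditLock(lock);
  console.table(findings);
  process.exitCode = exitCodeFor(findings);
}
```

Run it against a real lockfile to get a table of every installed copy, nested ones included; a single "affected" row should fail the pipeline. The nested case matters in practice because a framework can pin its own copy of a react-server-dom-* package under its own node_modules, so checking only the top-level entry misses it.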
Defense-in-Depth Measures
- Restrict public access to RSC endpoints where the application is not meant to be reachable by anonymous users (internal tools, admin surfaces)
- Apply authentication and network controls in front of the server runtime, and run it with least privilege so a compromised process cannot read secrets or reach internal services it does not need
- Monitor for malformed Flight protocol payloads and unexpected request volumes against RSC routes; treat WAF or request-filtering rules as a stopgap while patching, not as a substitute for the patched runtime
IX. Why React2Shell Is a Major Enterprise Risk
React Server Components frequently have access to secrets, internal APIs, databases, and cloud metadata services. Successful exploitation grants attackers the same privileges as the application server itself.
X. Strategic Implications for the Industry
React2Shell highlights a broader industry trend: frontend frameworks are now backend platforms. Security models must evolve accordingly.
Conclusion
CVE-2025-55182 is a watershed moment for the React ecosystem. Organizations must treat React Server Components as infrastructure, not UI, and apply backend-grade security practices accordingly. Immediate patching and long-term architectural review are essential to prevent future systemic compromise.