EXECUTIVE SUMMARY:
A newly disclosed vulnerability, CVE-2025-55182 (dubbed React2Shell), together with the related issues CVE-2025-1338 and CVE-2025-66478, is being actively weaponized in the wild within hours of public disclosure. It affects implementations of React Server Components (RSC) in many common build environments. Given the severity and the speed of exploitation, the vulnerability demands immediate attention from any organization using React-based server-side rendering.
The root cause is an unsafe deserialization flaw in the RSC Flight protocol: the React server packages react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack automatically deserialize payloads arriving in HTTP requests. By crafting a malicious payload, an attacker can exploit this flaw to execute arbitrary server-side code and take control of the host. The vulnerability also affects many Next.js deployments, since Next.js integrates these RSC packages by default. Exploitation observed in the wild has included automated scanning, deployment of cryptominers, unauthorized file writes, and privilege escalation attempts, indicating that attackers are not merely scanning but actively exploiting the flaw.
The emergence and rapid exploitation of React2Shell underscore how quickly widely used open-source libraries can become attack vectors, especially when they power server-side functionality. Given the severity and the public availability of exploit code, any organization running affected versions of React or Next.js must treat this as a top priority. Immediate remediation is essential to prevent compromise: upgrade to patched versions, audit exposed endpoints, and implement protective controls.
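The first remediation step is knowing where the three RSC packages (and Next.js, which bundles them) are actually installed, including nested duplicate copies that a dependency-tree glance can miss. The script below is an added example, not code from the advisory or from the React or Next.js projects: it walks a package-lock.json (lockfile versions 1, 2 and 3) and reports every installed copy and version of the watch-listed packages so they can be compared against the vendor's fixed-version list. The sample lockfile embedded in it is constructed, and all version strings in it are placeholders, not real affected or fixed versions.

```javascript
// Added example (not from the advisory): inventory a lockfile for the RSC
// packages named above so their versions can be checked against the vendor's
// fixed-version list. Package names come from the advisory; the sample
// lockfile and every version string below are constructed placeholders.

// Packages the advisory names as auto-deserializing RSC Flight payloads,
// plus next, which integrates them by default.
const WATCHLIST = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
  "next",
];

// Walk a parsed package-lock.json (lockfileVersion 1, 2 or 3) and return
// every installed copy of a watch-listed package as { name, version, path }.
function findRscPackages(lock, watchlist = WATCHLIST) {
  const hits = [];
  const wanted = new Set(watchlist);

  // v2/v3: flat "packages" map keyed by install path
  // (e.g. "node_modules/a/node_modules/b" for a nested copy).
  if (lock.packages) {
    for (const [installPath, meta] of Object.entries(lock.packages)) {
      if (installPath === "") continue; // root project entry, not a dependency
      const name = installPath.split("node_modules/").pop();
      if (wanted.has(name) && meta.version) {
        hits.push({ name, version: meta.version, path: installPath });
      }
    }
    return hits;
  }

  // v1: nested "dependencies" tree, so recurse and build the path as we go.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const installPath = `${prefix}node_modules/${name}`;
      if (wanted.has(name) && meta.version) {
        hits.push({ name, version: meta.version, path: installPath });
      }
      walk(meta.dependencies, installPath + "/");
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Collapse hits into { packageName: [sorted unique versions] } for a summary.
function summarize(hits) {
  const byName = {};
  for (const h of hits) {
    if (!byName[h.name]) byName[h.name] = new Set();
    byName[h.name].add(h.version);
  }
  return Object.fromEntries(
    Object.entries(byName).map(([n, vs]) => [n, [...vs].sort()])
  );
}

// Constructed sample lockfile (v3 layout). It deliberately contains a second,
// nested copy of react-server-dom-webpack pulled in by a UI kit, which is the
// case a quick look at the top-level tree tends to miss.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/next": { version: "0.0.0-sample" },
    "node_modules/react-server-dom-webpack": { version: "0.0.0-sample-a" },
    "node_modules/some-ui-kit": { version: "2.1.0" },
    "node_modules/some-ui-kit/node_modules/react-server-dom-webpack": { version: "0.0.0-sample-b" },
    "node_modules/react": { version: "0.0.0-sample" },
  },
};

// Audit either an already-parsed lockfile object or a path to one on disk.
function auditLockfile(lockOrPath) {
  let lock = lockOrPath;
  if (typeof lockOrPath === "string") {
    const fs = require("node:fs");
    lock = JSON.parse(fs.readFileSync(lockOrPath, "utf8"));
  }
  return summarize(findRscPackages(lock));
}

// Usage: node audit-rsc.js [path/to/package-lock.json]
// Without an argument it runs against the constructed sample above.
if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditLockfile(process.argv[2] || SAMPLE_LOCK), null, 2));
}
```

Run it against each deployable project's lockfile; any watch-listed package that appears at more than one version, or at a nested path, needs to be brought to the fixed version everywhere, not just at the top level, because an upgrade of the root dependency leaves nested copies untouched.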
THREAT PROFILE:
| Tactic | Technique Id | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | - |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | - |
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details: