React2Shell Remote Code Execution in React Server Components (RSC)

Discovered: December 3rd, 2025 (rapid exploitation observed)


Impacted Tech: React Server Components (RSC), Next.js using RSC, and frameworks leveraging React’s server-side streaming semantics – including deployments on Vercel, AWS Lambda, and custom Node.js servers.


Summary:

A newly disclosed vulnerability in React Server Components, known as React2Shell (CVE-2025-55182), allows unauthenticated attackers to break out of the React rendering pipeline and execute arbitrary JavaScript on the server. Major cloud providers, including AWS, report active exploitation by China-nexus threat groups, with attacks observed within hours of public proof-of-concept publication. Because RSC is widely deployed across high-traffic Next.js and React platforms, the vulnerability presents broad, high-impact risk of data exfiltration, account takeover, supply-chain-style compromise, and credential theft.

Technical Details:

An unauthenticated attacker can send a crafted POST request that smuggles a payload React mistakenly treats as a legitimate server-side action. React then evaluates the attacker’s input through a server-execution mechanism that mirrors vm.runInThisContext, so the payload runs with the same privileges as the Node.js runtime. In vulnerable builds, this results in direct remote code execution.


Verify Exposure:
1. Determine whether your application uses React Server Components or Next.js server actions.

2. Test the RSC endpoint with a benign malformed server-action payload – servers that fail to reject the request may be exposed.

3. Review logs for unexpected module resolution errors or failed server-action evaluations.
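The log review in step 3 is easier to act on when the two signals are counted per client, so that one source repeatedly triggering failed server-action lookups or module resolution errors stands out from ordinary traffic. The following is an added example, not code from the advisory or from React/Next.js; the log layout ("ts ip method path status message") is an assumption, the sample lines are constructed, and the message patterns imitate Node's "Cannot find module" error and Next.js's "Failed to find Server Action" message with made-up ids.

```javascript
// Added example (not from the advisory): triage constructed server logs for the
// signals step 3 names and group them by client address.

// Constructed sample log in an assumed "ts ip method path status message" layout.
const SAMPLE_LOG = `
2025-12-03T10:15:01Z 203.0.113.7 POST / 500 Failed to find Server Action "a1b2c3d4". This request might be from an older or newer deployment.
2025-12-03T10:15:02Z 203.0.113.7 POST / 500 Error: Cannot find module 'not-a-real-module'
2025-12-03T10:15:03Z 203.0.113.7 POST / 500 Failed to find Server Action "ffffffff"
2025-12-03T10:15:04Z 198.51.100.9 GET /dashboard 200 -
2025-12-03T10:15:05Z 198.51.100.9 POST / 200 -
2025-12-03T10:16:00Z 192.0.2.44 POST / 500 Failed to find Server Action "0badc0de". This request might be from an older or newer deployment.
`;

// The two signals the advisory asks reviewers to look for (patterns are assumed).
const SIGNALS = [
  { name: 'failed_server_action', re: /Failed to find Server Action/i },
  { name: 'module_resolution_error', re: /Cannot find module/i },
];

const LINE_RE = /^(\S+) (\S+) (\S+) (\S+) (\d{3}) (.*)$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ts: m[1], ip: m[2], method: m[3], path: m[4], status: Number(m[5]), message: m[6] };
}

// Returns { ip: { total, signals: { name: count }, flagged } } for every client
// with at least one signal; `flagged` marks clients with `threshold` or more
// signal-bearing lines. `total` counts lines, not individual pattern matches.
function triageLogs(text, threshold = 2) {
  const byClient = {};
  for (const raw of text.split('\n')) {
    const entry = parseLine(raw.trim());
    if (!entry) continue;
    const hits = SIGNALS.filter((s) => s.re.test(entry.message));
    if (hits.length === 0) continue;
    if (!byClient[entry.ip]) byClient[entry.ip] = { total: 0, signals: {}, flagged: false };
    const rec = byClient[entry.ip];
    rec.total += 1;
    for (const h of hits) rec.signals[h.name] = (rec.signals[h.name] || 0) + 1;
    rec.flagged = rec.total >= threshold;
  }
  return byClient;
}

// One line per client, most active first, for an on-call review.
function summarize(byClient) {
  return Object.entries(byClient)
    .sort((a, b) => b[1].total - a[1].total)
    .map(([ip, r]) => `${r.flagged ? 'FLAG' : '    '} ${ip} lines=${r.total} ${JSON.stringify(r.signals)}`)
    .join('\n');
}

console.log(summarize(triageLogs(SAMPLE_LOG)));
```

A single "Failed to find Server Action" line after a deployment is normal (a client holding an older bundle), which is why the example flags only on repeated hits from one address; tune the threshold to your traffic.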

Interim Mitigation Measures:

  • Update vulnerable React/Next.js applications to the latest patched versions.
  • If immediate patching is not possible, apply temporary WAF or middleware filters to block malformed server-action payloads, and disable RSC/server actions or restrict their exposure behind authentication.
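The second bullet, as an added example that is not part of the advisory and not React or Next.js code: a middleware gate that either refuses all server-action POSTs (the "disable" option) or lets them through only with a valid session and a well-formed, known action id (the "restrict behind authentication" option). It assumes, as the page does not state, that Next.js marks server-action requests with a `next-action` request header carrying the action id, that action ids are hex strings, and that the application's session cookie is named `session`; the allowlist of ids is something you would populate from your own build output.

```javascript
// Added example (not from the advisory or from React/Next.js): a compensating
// control for server-action POSTs until a patched build is deployed.
// Assumptions: server-action requests carry a `next-action` header with the
// action id, ids are hex strings, and the session cookie is named `session`.

const ACTION_ID = /^[0-9a-f]{16,64}$/i; // assumed shape of a server-action id

function parseCookies(header = '') {
  const out = {};
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// req:    { method, headers: { lower-case name -> value } }
// policy: { mode: 'disable' | 'auth', sessionCookie, allowedActionIds: Set|null,
//           isValidSession: (token) => boolean }
// Returns { allow, reason }; non-action requests always pass through.
function gateServerActionRequest(req, policy) {
  const headers = req.headers || {};
  const actionId = headers['next-action'];
  const isAction = req.method === 'POST' && actionId !== undefined;
  if (!isAction) return { allow: true, reason: 'not a server-action request' };

  if (policy.mode === 'disable') return { allow: false, reason: 'server actions disabled' };

  if (!ACTION_ID.test(actionId)) return { allow: false, reason: 'malformed action id' };
  if (policy.allowedActionIds && !policy.allowedActionIds.has(actionId.toLowerCase())) {
    return { allow: false, reason: 'unknown action id' };
  }

  const cookies = parseCookies(headers.cookie);
  const token = cookies[policy.sessionCookie || 'session'];
  if (!token || !policy.isValidSession(token)) {
    return { allow: false, reason: 'authentication required' };
  }
  return { allow: true, reason: 'authenticated server action' };
}

// Adapter for a plain Node.js http server: a 403 stops the request before it
// reaches the RSC pipeline. Node lower-cases incoming header names already.
function applyGate(nodeReq, nodeRes, policy, next) {
  const verdict = gateServerActionRequest({ method: nodeReq.method, headers: nodeReq.headers }, policy);
  if (!verdict.allow) {
    nodeRes.statusCode = 403;
    nodeRes.end('Forbidden: ' + verdict.reason);
    return;
  }
  next();
}

// Example policy (hypothetical values): one known action id, sessions validated
// by a stand-in function that a real deployment would replace with its own check.
const EXAMPLE_POLICY = {
  mode: 'auth',
  sessionCookie: 'session',
  allowedActionIds: new Set(['0123456789abcdef']),
  isValidSession: (token) => token === 'valid-session-token',
};
```

Put the gate in front of the application (custom server, reverse proxy, or framework middleware) rather than inside it, so the decision is made before the framework parses the request body; with `mode: 'disable'` the same function doubles as the "disable server actions" option for applications that can live without them until patched.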


Urgency: Critical. Exploitation is widespread, requires minimal skill, and grants full server execution. Deploy patches or compensating controls immediately.

Additional Resources:
