CVE-2025-55182 dropped yesterday evening, and predictably, everyone’s losing their minds. Cloudflare rolling out emergency WAF rules, Unit 42 counting nearly a million vulnerable servers, Wiz reporting 40% of cloud infrastructure exposed \u2014 all the usual suspects chiming in. The vulnerability affects default configurations across multiple frameworks including Next.js, React Router, Waku, and others; exploitation is possible in any library that simply supports RSC. Unsafe deserialization of payloads, malicious request leads to RCE. Mass exploitation is inevitable, patch analysis is already underway right now, and half the web runs on React and its frameworks. In other words, it might be time to start applying patches.<\/p>\n
The name alone is catchy: React2Shell<\/a>. But behind the marketing, there’s a genuinely nasty vulnerability earning its perfect 10.0 CVSS score. This isn’t some theoretical edge case requiring exotic configurations \u2014 it hits default setups, requires no authentication, and works over plain HTTP.<\/p>\n The flaw lives in React Server Components’ handling of serialized payloads. Specifically, unsafe deserialization in the React Flight protocol. An attacker crafts a malicious HTTP POST request to any Server Function endpoint, React deserializes it without proper validation, and boom \u2014 arbitrary JavaScript execution on the server with Node.js process privileges.<\/p>\n The technical culprit is the This affects React Server Components packages in versions 19.0, 19.1.0, 19.1.1, and 19.2.0:<\/p>\n Patches are available in versions 19.0.1, 19.1.2, and 19.2.1. Security researcher Lachlan Davidson<\/a> from New Zealand discovered and reported the issue to Meta on November 29, 2025.<\/p>\n For Next.js using App Router, the vulnerability is present in versions >=14.3.0-canary.77, >=15, and >=16. Patched versions are 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, and 15.0.5. Initially assigned CVE-2025-66478, it was later rejected by NIST as a duplicate of CVE-2025-55182.<\/p>\n But wait, there’s more. Any library bundling RSC is potentially vulnerable: Vite RSC plugin, Parcel RSC plugin, React Router RSC preview, RedwoodJS, Waku. The ecosystem damage extends far beyond just React and Next.js.<\/p>\n Wiz’s analysis<\/a> found 39% of cloud environments have instances vulnerable to this CVE. Palo Alto Networks Unit 42 identified over 968,000 servers running affected frameworks. That’s not vulnerable repositories or codebases \u2014 that’s actual servers exposed to the internet, ready to be exploited.<\/p>\n Justin Moore from Unit 42 nailed it: “This is a master key exploit, succeeding not by crashing the system, but by abusing its trust in incoming data structures. The system executes the malicious payload with the same reliability as legitimate code because it operates exactly as intended, but on malicious input.”<\/p>\n Translation: Your application isn’t broken. It’s doing exactly what it’s supposed to do. The problem is what you’re asking it to handle.<\/p>\n Cloud providers and security vendors moved fast. Cloudflare deployed WAF rules<\/a> protecting all customers (free and paid) as long as React traffic is proxied through their service. Akamai<\/a>, AWS<\/a>, Fastly<\/a>, and Google Cloud<\/a> all rolled out similar protections.<\/p>\n Multiple security firms published detailed analyses: Endor Labs<\/a>, Miggo Security<\/a>, VulnCheck<\/a>, Aikido<\/a>, and OX Security<\/a> all emphasized the same point: no special setup required, exploitable without authentication, affects default configurations.<\/p>\n If you’re running React Server Components or Next.js with App Router:<\/p>\n Run the following in your terminal:<\/p>\nrequireModule<\/code> function in the react-server-dom-webpack<\/code> package. By weaponizing vm.runInThisContext<\/code>, attackers can force React to execute malicious code supplied in the payload. Upwind’s deep dive<\/a> explains that while React itself doesn’t expose the vulnerable endpoint, Next.js absolutely does, turning theoretical vulnerability into real remote attack surface.<\/p>\nThe Blast Radius<\/h2>\n
\n
react-server-dom-webpack<\/code><\/li>\nreact-server-dom-parcel<\/code><\/li>\nreact-server-dom-turbopack<\/code><\/li>\n<\/ul>\nThe Industry Scramble<\/h2>\n
What to Do Right Now<\/h2>\n
\n
How to Patch?<\/h3>\n