Date: December 20, 2025

Author: ExploitEye Team

Category: Vulnerability Research / Web Security

While the world prepares for the holidays, a storm is brewing in the JavaScript ecosystem. A critical pre-authentication Remote Code Execution (RCE) flaw, dubbed React2Shell (CVE-2025-55182), has been uncovered in React Server Components (RSC).

With a perfect CVSS score of 10.0, this isn’t just a bug—it’s an open door for attackers.

The Vulnerability: What is React2Shell?

The flaw exists in how React Server Components (versions 19.0 through 19.2.0) decode payloads sent to Server Function endpoints. Specifically, the Flight protocol—the mechanism used to stream data between the client and server—fails to properly validate incoming payloads.

An unauthenticated attacker can craft a single malicious HTTP request that, when deserialized by the server, leads to Prototype Pollution and, ultimately, full Remote Code Execution.

Why This is a Nightmare for SecOps

  1. Pre-Authentication: No login is required. If your app is on the internet and uses RSC, it’s likely vulnerable.
  2. Default Vulnerability: This isn’t caused by bad developer code; it’s a flaw in the React core packages (react-server-dom-webpack, parcel, and turbopack).
  3. Active Exploitation: Since December 5th, threat actors have been observed using this exploit to drop coin miners and establish persistence on both Windows and Linux servers.

Impacted Frameworks

If you are using the latest versions of these popular frameworks, you must check your package.json immediately:

  • Next.js (specifically versions 15.x and 16.x Canary)
  • React Router
  • Waku
  • Vite-plugin-rsc

How to Defend (The ExploitEye Checklist)

Stop what you are doing and update. This is not a “patch later” scenario.

  • Update React Packages: Move to 19.0.1, 19.1.2, or 19.2.1 immediately.
  • Next.js Users: Update to 14.2.35, 15.0.7, or the latest stable release in your branch.
  • Monitor Logs: Look for unusual POST requests to /_next/data/… or any server function endpoints containing deeply nested JSON objects or unusual serialized strings.
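The "check your package.json" and "Update React Packages" items above can be turned into a quick audit. The script below is an added example, not code from the ExploitEye post or from React or Next.js: it flags react-server-dom-* and Next.js version specs that fall below the fixed releases the checklist cites. The package names react-server-dom-parcel and react-server-dom-turbopack for the "parcel" and "turbopack" bindings are an assumption.

```javascript
// Added example, not code from the ExploitEye post: flag React2Shell exposure in a
// package.json dependency map using the fixed releases the post lists. Assumed package
// names for the "parcel"/"turbopack" bindings: react-server-dom-parcel/-turbopack.
const RSC_FIXED = { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' };
const FIXED = Object.fromEntries(['webpack', 'parcel', 'turbopack'].map(
  (b) => [`react-server-dom-${b}`, RSC_FIXED]));
FIXED.next = { '14.2': '14.2.35', '15.0': '15.0.7' }; // other Next.js branches: latest stable

// "^19.2.0", "19.2.1-canary-abc", "v19.0.0" -> numeric fields + prerelease flag;
// null for specs carrying no concrete version ("latest", "*", "workspace:*").
function parseVersion(spec) {
  const m = /^[\s^~v=>]*(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(spec));
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] !== undefined };
}

// Semver-style order: numeric fields, then a prerelease sorts below its release (19.2.1-canary-x < 19.2.1).
function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  return a.pre === b.pre ? 0 : a.pre ? -1 : 1;
}

// Classify one dependency spec; null means the package is not one we track.
function assess(name, spec) {
  const lines = FIXED[name];
  if (!lines) return null;
  const v = parseVersion(spec);
  if (!v) return 'unknown'; // resolve the real version from the lockfile
  const fixed = lines[`${v.major}.${v.minor}`];
  if (fixed) return compareVersions(v, parseVersion(fixed)) < 0 ? 'vulnerable' : 'fixed';
  return name === 'next' ? 'review' : 'outside-cited-range';
}

// Audit a parsed package.json (dependencies + devDependencies); tracked packages only.
function auditPackageJson(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.entries(deps)
    .map(([name, spec]) => ({ name, spec, status: assess(name, spec) }))
    .filter((f) => f.status !== null);
}

// Constructed sample package.json for the demo (not from any real project).
const SAMPLE_PACKAGE_JSON = {
  dependencies: { next: '15.0.4', react: '19.2.0', 'react-server-dom-webpack': '^19.2.0',
                  'react-server-dom-turbopack': '19.2.1-canary-0000' },
  devDependencies: { 'react-server-dom-parcel': 'latest' },
};
console.log(auditPackageJson(SAMPLE_PACKAGE_JSON));
```

A range such as ^19.2.0 says what is permitted, not what is installed, so run the audit against the versions recorded in your lockfile (or node_modules/<pkg>/package.json) for a definitive answer.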

Final Eye-on-Target

The rapid rise of React2Shell reminds us that as we move more logic to the server for performance, we also move the attack surface there. ExploitEye will be releasing a deep-dive “Lab Report” next week where we recreate this in a sandboxed environment to show exactly how the payload bypasses initial filters.

Stay vigilant. Stay secure.

By ExploitEye Security Desk

ExploitEye Security Desk is the editorial team at ExploitEye, covering cybersecurity news, vulnerabilities, malware, data breaches, and threat intelligence. Our reporting focuses on accuracy, responsible disclosure, and practical security guidance.
