CVE-2025-55182 (React2Shell) affects React Server Components in React 19.0–19.2 and frameworks built on them such as Next.js 15.x–16.0, enabling unauthenticated remote code execution via unsafe deserialization in server function endpoints (MITRE ATT&CK T1190 and T1203). Vulnerable packages include react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack before the fixed versions 19.0.1, 19.1.2, and 19.2.1, as well as multiple Next.js App Router releases below 16.0.7.

Security researchers warn that exploitation lets attackers run arbitrary code on React servers, download C2 frameworks such as Sliver, and fully compromise application backends, an exposure comparable to Log4Shell. Even applications that do not explicitly use React Server Functions may be exploitable if React Server Components are supported, which dramatically expands the potential attack surface across internet-facing React and Next.js deployments.

Cloudflare has already deployed managed WAF rules globally to block known exploit patterns for CVE-2025-55182, and developers are urged to upgrade both React and Next.js to patched versions without delay. Organizations that rely heavily on React for customer portals, SaaS platforms, or internal tools face elevated risk from pre-auth RCE against API backends and microservices. Business impact includes complete takeover of web applications, theft of or tampering with customer data, deployment of ransomware or cryptominers on servers, and potential GDPR or PCI-DSS violations if sensitive data is exposed. Although widespread exploitation has not yet been confirmed, experts recommend treating React2Shell as a more-than-critical zero-day and rapidly hunting for vulnerable components. Mitigation requires immediate upgrades to React 19.0.1/19.1.2/19.2.1 and fixed Next.js versions such as 16.0.7, alongside enabling WAF protections with specific React2Shell rules where available.
Security teams should inventory all React Server Components usage, apply virtual patching for exposed endpoints, and monitor for suspicious process execution or outbound connections from React servers that could indicate successful RCE.
🎯CORTEX Protocol Intelligence Assessment
Business Impact: React2Shell gives attackers pre-auth remote code execution against high-value web applications built on React and Next.js, enabling data theft, account takeover, and ransomware deployment that can quickly escalate into material incidents and regulatory exposure. Organizations with customer-facing portals, fintech platforms, and multi-tenant SaaS services face especially high risk if they delay patching.
Technical Context: CVE-2025-55182 abuses unsafe deserialization in React Server Components, allowing crafted HTTP requests to trigger server-side code execution mapped to T1190 and T1203. Even instances not explicitly using server functions may be exploitable when RSC support is enabled, requiring both rapid dependency upgrades and interim WAF-based virtual patching to contain risk.
⚡Strategic Intelligence Guidance
- Inventory all React and Next.js applications, prioritize those using React Server Components, and upgrade to patched React 19.x and Next.js builds within emergency-change windows.
- Enable or tune WAF rulesets for CVE-2025-55182 across internet-facing applications, monitoring for blocked exploit attempts and anomalous serialized payloads in HTTP traffic.
- Hunt for indicators of RCE on React hosts by reviewing process creation logs, new binaries, outbound C2 connections, and suspicious changes in deployment pipelines.
- Embed software composition analysis and dependency scanning in CI/CD to flag vulnerable React RSC and Next.js versions before production release and enforce upgrade SLAs.
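As an added example (not part of the original assessment or any vendor tooling), the following Python script checks a package-lock.json (lockfileVersion 2 or 3) against the fixed versions named above: react-server-dom-parcel, -turbopack and -webpack below 19.0.1, 19.1.2 and 19.2.1 on their respective 19.x lines, and Next.js builds in the 15.x–16.0 range below 16.0.7. Because the assessment names only 16.0.7 as a fixed Next.js version, every 15.x and 16.0.x build is flagged for confirmation against the vendor advisory; the sample lock file is constructed.

```python
import re
# Fixed versions named in the assessment, keyed by the 19.x minor line.
FIXED_RSC = {(19, 0): (19, 0, 1), (19, 1): (19, 1, 2), (19, 2): (19, 2, 1)}
RSC_PACKAGES = {"react-server-dom-parcel", "react-server-dom-turbopack", "react-server-dom-webpack"}
NEXT_FIXED = (16, 0, 7)  # the only fixed Next.js version the assessment names

def parse_version(text):
    """(major, minor, patch) from '19.2.0' or '19.2.0-canary-...'; None if unparsable."""
    match = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in match.groups()) if match else None

def is_vulnerable(name, version):
    ver = parse_version(version)
    if ver is None:
        return False
    if name in RSC_PACKAGES:
        fixed = FIXED_RSC.get(ver[:2])
        return fixed is not None and ver < fixed
    if name == "next":
        # Affected range per the assessment is 15.x through 16.0; 15.x backport
        # fixes are not listed there, so every such build is flagged (assumption).
        return (ver[0] == 15 or ver[:2] == (16, 0)) and ver < NEXT_FIXED
    return False

def scan_lockfile(lock):
    """Return [(path, name, version)] for vulnerable entries, nested copies included."""
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself
            continue
        name = entry.get("name") or path.rsplit("node_modules/", 1)[-1]
        version = entry.get("version", "")
        if is_vulnerable(name, version):
            findings.append((path, name, version))
    return findings

SAMPLE_LOCK = {  # constructed sample, not from a real project
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "portal", "version": "1.0.0"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/next": {"version": "16.0.3"},
        "node_modules/react-server-dom-turbopack": {"version": "19.1.2"},
    },
}

if __name__ == "__main__":
    for path, name, version in scan_lockfile(SAMPLE_LOCK):
        print(f"VULNERABLE {name}@{version} at {path}")
```

Run it over each repository's lock file in CI to turn the inventory step into a blocking check; a hit on a nested node_modules path means a transitive copy also needs the upgrade.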
Vendors: Meta, React, Vercel, Next.js, Cloudflare
Threats: React2Shell, remote code execution
Targets: web applications, SaaS platforms, Next.js services