CVE-2025-55182 React2Shell - Sonatype RCE Deep Dive
Category:Threat Alerts
CVE-2025-55182, dubbed React2Shell, is a critical deserialization RCE in React Server Components affecting React 19.0.0–19.2.0 and Next.js App Router releases; Sonatype confirms trivial unauthenticated exploitation leading to full remote code execution. What's concerning: like Log4Shell, this is fundamentally a deserialization-of-untrusted-data flaw, in which React's server-side request decoding unsafely deserializes attacker-controlled input. Even applications that do not explicitly expose Server Function endpoints are vulnerable if they support React Server Components. The vulnerable packages (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack) perform unsafe property access when reconstructing server function metadata: a single crafted HTTP payload injects metadata pointing to dangerous prototype-chain properties, exposing bundled modules for RCE with no authentication or user interaction required. Given that React and Next.js together see nearly 1 billion weekly downloads on npm, the exposed population is massive. Patched versions: React 19.0.1, 19.1.2, and 19.2.1; Next.js 15.0.5+.
CORTEX Protocol Intelligence Assessment
Business Impact: React2Shell gives attackers a near-frictionless path to pre-auth remote code execution on modern JavaScript web backends, endangering customer portals, multi-tenant SaaS platforms, and internal tools built on React Server Components and Next.js. Failure to rapidly patch leaves organizations exposed to large-scale web app compromise, data theft, and potential ransomware operations.
Strategic Intelligence Guidance
- Inventory all applications using React 19 and server components or Next.js App Router, and upgrade React to 19.0.1, 19.1.2, or 19.2.1 and Next.js to fixed builds such as 14.3.0-canary.88 and 16.0.7 as a priority change.
- Enable or tune WAF rulesets for React2Shell patterns across public-facing applications, monitoring for blocked Flight protocol payloads, unusual RSC headers, and serialized metadata anomalies.
- Review CI/CD pipelines and lockfile configurations to ensure vulnerable RSC packages are not reintroduced via transitive dependencies, enforcing SCA-based policies for CVE-2025-55182.
- Implement runtime monitoring for suspicious process creation, unexpected outbound connections, and new binaries on React and Next.js servers that could indicate successful exploitation and post-compromise activity.
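As an added example (not Sonatype's or the React project's code) for the inventory and lockfile-review steps above, the following Node.js script walks an npm package-lock.json "packages" map and reports installed react and react-server-dom-* packages inside the 19.0.0–19.2.0 range, flagging transitive copies that a top-level upgrade alone would miss. The lockfile is constructed, and treating a pre-release of a fixed patch version as still unpatched is an assumption.

```javascript
// Added example: scan a lockfileVersion 2/3 package-lock.json for CVE-2025-55182.
const RSC_PACKAGES = new Set(["react", "react-server-dom-webpack",
  "react-server-dom-parcel", "react-server-dom-turbopack"]);

// Advisory range: 19.0.0 through 19.2.0; fixed in 19.0.1, 19.1.2, 19.2.1.
const FIRST_FIXED_PATCH = { 0: 1, 1: 2, 2: 1 }; // minor -> first safe patch

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v || "");
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

function isVulnerableReactVersion(version) {
  const v = parseVersion(version);
  if (!v || v.major !== 19 || !(v.minor in FIRST_FIXED_PATCH)) return false;
  if (v.patch < FIRST_FIXED_PATCH[v.minor]) return true;
  // Assumption: a pre-release of the fixed patch (e.g. 19.2.1-canary-...) sorts
  // below the release under semver, so it is reported as unpatched.
  return v.patch === FIRST_FIXED_PATCH[v.minor] && v.pre !== null;
}

// Returns every vulnerable RSC package with its node_modules path and whether
// it was pulled in transitively (nested under another package's node_modules).
function findVulnerableRsc(lockJson) {
  const lock = JSON.parse(lockJson);
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = entry.name || path.slice(path.lastIndexOf("node_modules/") + 13);
    if (RSC_PACKAGES.has(name) && isVulnerableReactVersion(entry.version)) {
      hits.push({ name, version: entry.version, path, transitive: path.split("node_modules/").length > 2 });
    }
  }
  return hits;
}

// Constructed sample lockfile: one direct hit, one fixed package, one nested hit.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "portal", dependencies: { next: "15.0.4", react: "19.2.0" } },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.1.1" },
  },
});

console.log(JSON.stringify(findVulnerableRsc(SAMPLE_LOCK), null, 2));
```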
Intelligence Source: CVE-2025-55182 React2Shell - Sonatype RCE Deep Dive | Dec 5, 2025