CVE-2025-55182: Critical React Server Components RCE Guide
Security Analysis · June 13, 2026

CVE-2025-55182: Critical React Server Components RCE
React2Shell — Exploit, Impact, and Mitigation Guide

A CVSS 10.0 pre-authentication remote code execution vulnerability in React Server Components — exploited by state-sponsored threat groups within hours of disclosure. Here's what you need to know to assess, patch, and secure your applications.

Oleg Maximov June 13, 2026 12 min read

⚠ CRITICAL — Immediate action required

If you are running React 19.0.0 through 19.2.0 with Server Components, or Next.js 14.x, 15.x or 16.x with the App Router, your application is exposed to unauthenticated remote code execution. Patch now. Threat groups have been scanning for and exploiting this vulnerability since the day it was disclosed.

TL;DR — What happened

Vulnerability Overview

On December 3, 2025, the React team disclosed CVE-2025-55182, a critical pre-authentication remote code execution vulnerability in React Server Components (RSC). Assigned a CVSS score of 10.0 — the maximum possible severity — the vulnerability was quickly nicknamed "React2Shell" by security researchers.

The vulnerability was discovered by security researcher Lachlan Davidson and responsibly reported to the React team on November 29, 2025. Coordinated disclosure involved Vercel, Meta (Facebook), and major cloud providers including AWS, enabling advance patching and protective measures before the public announcement.

CVE-2025-66478 was initially allocated as a separate CVE ID but has since been rejected as a duplicate of CVE-2025-55182. There is no separate vulnerability — the original CVE covers the full scope.

Key fact: The React Server Components vulnerability allows a remote attacker to execute arbitrary code on the server without any authentication. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H — network-based, low complexity, no privileges required, no user interaction, and with a scope change that compromises confidentiality, integrity, and availability completely.

Technical Root Cause

React Server Functions let a client component call a function that runs on the server. React ships the integration points that frameworks and bundlers use to bridge client and server code. When a client calls a Server Function, the framework's client runtime sends an HTTP POST to a server endpoint; on the server, React deserializes the incoming payload into the corresponding function call and serializes the result back to the client.

The vulnerability is in how React decodes and deserializes payloads sent to Server Function endpoints. The deserializer did not adequately validate the incoming data, so an attacker who controls the HTTP request body can steer React's deserialization logic into executing arbitrary code on the server.

// Simplified exploit flow (conceptual)
// 1. The attacker sends a crafted HTTP POST to the Server Function endpoint
// 2. React's deserializer processes the malicious payload
// 3. Unsafe deserialization turns into arbitrary code execution
// 4. The attacker gets a shell on the server, hence "React2Shell"

POST /_rsc/server-functions HTTP/1.1
Host: vulnerable-app.com
Content-Type: application/octet-stream

[crafted RSC payload]

The path above is illustrative. In Next.js, for example, there is no dedicated path: a Server Function call is a POST to an ordinary page route that carries a Next-Action request header, so the vulnerable deserializer is reachable through any App Router page.

Critically, an application that never defines a Server Function is still exposed if it renders React Server Components at all: the Server Function endpoint is registered by the RSC infrastructure itself, and the deserialization code lives in the core react-server-dom-* packages, not in application code.

Affected Packages and Versions

React Packages

The following packages in React 19.0.0–19.2.0 are vulnerable:

  - react-server-dom-webpack
  - react-server-dom-parcel
  - react-server-dom-turbopack

Affected Frameworks

Any framework that depends on, has peer dependencies for, or bundles the vulnerable React packages is affected:

  - Next.js with the App Router (14.x, 15.x and 16.x)
  - React Router
  - Waku
  - @parcel/rsc
  - @vitejs/plugin-rsc
  - rwsdk

Complete CVE Timeline

CVE ID           Type        CVSS  Disclosed     Description
CVE-2025-55182   RCE         10.0  Dec 3, 2025   Pre-auth remote code execution via unsafe deserialization in RSC
CVE-2025-66478   (rejected)  n/a   Dec 3, 2025   REJECTED: duplicate of CVE-2025-55182
CVE-2025-55184   DoS         7.5   Dec 2025      Denial of Service vulnerability in React Server Components
CVE-2025-67779   DoS         7.5   Dec 2025      Additional DoS vector in React Server Components
CVE-2025-55183   Info Leak   5.3   Dec 2025      Source code exposure via React Server Components
CVE-2026-23864   DoS         7.5   Jan 26, 2026  Follow-up DoS vulnerability in React Server Components

Real-World Exploitation

Within hours of the public disclosure on December 3, 2025, AWS threat intelligence teams observed active exploitation attempts against CVE-2025-55182. Multiple China state-nexus threat groups were involved, with AWS attributing the activity to Earth Lamia and Jackpot Panda.

AWS monitored the exploitation through its MadPot honeypot infrastructure, which simulates vulnerable applications to observe threat actor behavior. AWS deployed automated protections through its Sonaris active defense system and AWS WAF managed rules (AWSManagedRulesKnownBadInputsRuleSet version 1.24+).

The CISA Known Exploited Vulnerabilities Catalog lists CVE-2025-55182, confirming that U.S. federal agencies and the broader cybersecurity community recognize this as an actively exploited vulnerability requiring immediate patching.

The exploitation speed is significant: operationalizing a working exploit within hours of disclosure requires either advance preparation or very fast turnaround on the public fix. Either the threat actors diffed the patch the moment it was published and built an exploit from it, or they already knew of the bug and were waiting for the disclosure to begin mass scanning.

How Attackers Exploit This

The exploitation pattern for React2Shell follows a predictable playbook:

  1. Scanning: Attackers scan the internet for Next.js and React applications that serve RSC. On Next.js the tells are RSC navigation fetches (an RSC: 1 request header or a _rsc query parameter) and App Router routes that accept POST requests carrying a Next-Action header; other frameworks expose their own Server Function routes.
  2. Version fingerprinting: The attacker identifies the React version by probing for known files, response headers, or error message patterns specific to React 19.x.
  3. Crafted payload: The attacker sends a malicious HTTP POST to the Server Function endpoint with a deserialization payload that triggers code execution.
  4. Shell access: Once code execution is achieved, the attacker typically deploys a web shell, establishes persistence, exfiltrates data, or uses the compromised server as a pivot point for lateral movement.

Mitigation Steps

1. Patch React Immediately

Upgrade to the fixed React versions based on your current minor version:

# If you're on React 19.0.x
npm install react@19.0.1 react-dom@19.0.1

# If you're on React 19.1.x
npm install react@19.1.2 react-dom@19.1.2

# If you're on React 19.2.x
npm install react@19.2.1 react-dom@19.2.1

2. Patch Next.js

If you're using Next.js with App Router, upgrade to the patched version for your release line:

# Next.js 14.x users (including 13.x migrations)
npm install next@14.2.35

# Next.js 15.x users
npm install next@15.5.10   # Latest 15.x patch
# Or match your exact release:
npm install next@15.0.8    # For 15.0.x
npm install next@15.1.12   # For 15.1.x
npm install next@15.2.9    # For 15.2.x
npm install next@15.3.9    # For 15.3.x
npm install next@15.4.10   # For 15.4.x
npm install next@15.5.10   # For 15.5.x

# Next.js 16.x users
npm install next@16.0.10   # For 16.0.x
npm install next@16        # Resolves to the latest patched 16.x release

3. Verify the Fix

After updating, verify that every copy of the RSC packages in your tree is patched, not just the top-level one:

# Check React version
npm ls react react-dom

# Check every react-server-dom-* copy, including nested ones pulled in by frameworks
npm ls react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack --all

# Next.js vendors its own copy of react-server-dom-webpack under
# node_modules/next/dist/compiled, which npm ls does not report, so the
# installed next version is what tells you whether that copy is patched
npm ls next

# The fixed versions for CVE-2025-55182 are:
# - react: 19.0.1, 19.1.2, or 19.2.1 (or later on the same line)
# - react-server-dom-*: same versions as react
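The manual checks above are easy to get wrong across a large monorepo, so here is an added example (not code from the article or from the React project) that audits a package-lock.json for the same thing: every react-server-dom-* entry, nested or not, plus the next entry that stands in for Next.js's vendored copy. The version tables are the advisory's first patched releases (14.x and 15.x values match the upgrade table above; 16.0.10 is from the Next.js advisory). The lockfile at the bottom is constructed for the demo.

```javascript
// Added example, not code from the article or from the React project: audit an
// npm lockfile (lockfileVersion 2 or 3) for React Server Components packages
// still on releases affected by CVE-2025-55182. SAMPLE_LOCK below is constructed.

const RSC_PACKAGES = new Set([
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
]);

// First patched patch number per "major.minor" line (React advisory).
const RSC_FIXED = { '19.0': 1, '19.1': 2, '19.2': 1 };

// First patched Next.js release per line (14.x/15.x from the upgrade table
// in this guide, 16.0.10 from the Next.js advisory).
const NEXT_FIXED = {
  '14.2': 35, '15.0': 8, '15.1': 12, '15.2': 9,
  '15.3': 9, '15.4': 10, '15.5': 10, '16.0': 10,
};

function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(version);
  return m && { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

const lineOf = (key) => { const [major, minor] = key.split('.').map(Number); return { major, minor }; };
const cmpLine = (a, b) => (a.major - b.major) || (a.minor - b.minor);

// Returns 'vulnerable', 'patched' or 'review'. Anything the tables cannot settle
// (canary builds, lines with no patched release, unparsable strings) is 'review'
// rather than silently passing.
function assess(fixedTable, version) {
  const v = parseSemver(version);
  if (!v) return 'review';
  if (v.prerelease) return 'review';   // e.g. 19.2.0-canary-...: follow the framework's advisory
  const lines = Object.keys(fixedTable).map(lineOf);
  const newest = lines.reduce((a, b) => (cmpLine(a, b) >= 0 ? a : b));
  const oldest = lines.reduce((a, b) => (cmpLine(a, b) <= 0 ? a : b));
  if (cmpLine(v, newest) > 0) return 'patched';   // released after the fix landed
  if (cmpLine(v, oldest) < 0) return 'review';    // older than the advisory covers
  const firstFixed = fixedTable[`${v.major}.${v.minor}`];
  if (firstFixed === undefined) return 'review';  // line without a patched release
  return v.patch >= firstFixed ? 'patched' : 'vulnerable';
}

function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();   // last path segment is the package name
    if (!name || !entry.version) continue;
    if (RSC_PACKAGES.has(name)) {
      findings.push({ path, name, version: entry.version, status: assess(RSC_FIXED, entry.version) });
    } else if (name === 'next') {
      // Next.js vendors its own react-server-dom-* copy under next/dist/compiled; it
      // never shows up in the lockfile or in npm ls, so the next version is the signal.
      findings.push({ path, name, version: entry.version, status: assess(NEXT_FIXED, entry.version) });
    }
  }
  return findings;
}

// Constructed sample lockfile: a Next.js 15.5.x app that also has a direct
// react-server-dom-webpack dependency and a nested canary build.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/next': { version: '15.5.9' },
    'node_modules/react': { version: '19.2.1' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/react-server-dom-turbopack': { version: '19.2.1' },
    'node_modules/waku/node_modules/react-server-dom-webpack': { version: '19.2.0-canary-0000000-20251101' },
  },
};

// Usage: node audit-rsc.js [path/to/package-lock.json]; without an argument the sample is used.
async function main() {
  let lock = SAMPLE_LOCK;
  if (process.argv[2]) {
    const { readFile } = await import('node:fs/promises');
    lock = JSON.parse(await readFile(process.argv[2], 'utf8'));
  }
  for (const f of auditLockfile(lock)) console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`);
}
main();
```

Run it against each deployable package-lock.json in CI and fail the build on any 'vulnerable' result; treat 'review' as a manual step, since Next.js canary pins and pre-19 experimental builds do not sort cleanly against the advisory's version list.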

4. Temporary WAF Mitigations

If you cannot patch immediately, deploy WAF rules to block known exploit patterns:

  - AWS WAF: enable AWSManagedRulesKnownBadInputsRuleSet at version 1.24 or later, which AWS updated for this vulnerability.
  - Other hosting providers: apply whatever edge or firewall rule your provider published for CVE-2025-55182.

⚠ Warning: WAF is not a substitute for patching

Hosting provider mitigations and WAF rules provide temporary protection and should not be relied upon long-term. The only complete fix is upgrading to the patched React versions. Attackers continuously adapt their exploit payloads to bypass WAF rules.
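One stopgap that does not depend on signature matching, for the common case of a Next.js App Router app that defines no Server Actions: refuse every request that carries a Next-Action header before it reaches Next.js. Next.js delivers a Server Function call as a POST to an ordinary page route with that header, so an app with no actions has no legitimate reason to see one. The gate below is an added example, not code from the article, React, Next.js or Vercel; it relies only on that request shape, the usesServerActions option is an assumed knob that documents the case where only patching helps, and the request objects in the usage are constructed.

```javascript
// Added example (not from the article, React, Next.js or Vercel): a pre-Next.js
// gate for App Router deployments that define no Server Actions. Stopgap only.

// Read one header from either a Fetch-style Headers/Map (has .get) or a Node
// IncomingMessage header map, case-insensitively; multi-valued headers count as present.
function headerValue(headers, name) {
  if (typeof headers.get === 'function') return headers.get(name) ?? null;
  const hit = Object.entries(headers).find(([k]) => k.toLowerCase() === name.toLowerCase());
  if (!hit) return null;
  return Array.isArray(hit[1]) ? hit[1].join(',') : String(hit[1]);
}

// Verdict for one request; `req` only needs { method, headers }.
function decide(req, { usesServerActions = false } = {}) {
  const actionId = headerValue(req.headers, 'next-action');
  if (actionId === null) return { allow: true, reason: 'no Next-Action header' };
  if (String(req.method).toUpperCase() !== 'POST') {
    // Next.js only issues Server Action calls as POST; any other method is a probe.
    return { allow: false, reason: `Next-Action header on ${req.method}` };
  }
  if (usesServerActions) {
    // Real actions must reach the deserializer, so this gate cannot protect them;
    // only the patched react-server-dom-* release does.
    return { allow: true, reason: 'Server Action call; app relies on the patch' };
  }
  return {
    allow: false,
    reason: `Server Action POST to an app with no Server Actions (id ${actionId.slice(0, 16)})`,
  };
}

// Express/Connect-style wrapper. decide() fits a Next.js middleware.ts just as well
// (return a 403 NextResponse when allow is false) or a reverse-proxy rule.
function serverActionGate(options = {}, log = console.log) {
  return function gate(req, res, next) {
    const verdict = decide(req, options);
    if (verdict.allow) return next();
    log(JSON.stringify({
      event: 'blocked_server_action',
      reason: verdict.reason,
      method: req.method,
      url: req.url,
      ip: req.socket ? req.socket.remoteAddress : undefined,
    }));
    res.statusCode = 403;
    res.setHeader('Content-Type', 'text/plain');
    res.end('forbidden');
  };
}

// Constructed requests showing the three outcomes.
const samples = [
  { method: 'GET', url: '/', headers: { host: 'app.example' } },
  { method: 'POST', url: '/login', headers: { host: 'app.example', 'next-action': 'ab12cd34ef567890abcdef' } },
  { method: 'GET', url: '/', headers: { host: 'app.example', 'Next-Action': 'ab12cd34' } },
];
for (const s of samples) console.log(s.method, s.url, JSON.stringify(decide(s)));
```

Keep the blocked-request log line: it is the cheapest indicator you will get that someone is working through your routes, and it is the record you will want if a later patch window turns out to have been too late.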

5. Post-Patch Security Audit

After patching, perform a security review of your application. The exploitation playbook above tells you what to look for:

  - Review web server and proxy logs from December 3, 2025 onward for POST requests to App Router routes that carry a Next-Action header, and for bursts of such requests from a single source across many routes.
  - Look for web shells and unexpected files in the deployed application directory, upload directories and writable temp paths.
  - Check for new persistence: cron entries, systemd units, modified startup scripts, added SSH keys, altered container images.
  - Review egress logs for exfiltration or beaconing to unfamiliar destinations.
  - Assume every secret the process could read (environment variables, database credentials, cloud keys) was read, and rotate them.
  - Check whether the host was used as a pivot into the rest of the network.
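The log review is the step teams most often skip because there is no obvious query to run. Here is an added example, not code from the article or from AWS, of a retrospective hunt over front-proxy logs. It assumes the proxy writes one JSON object per request with ts, ip, method, path, status and the value of the Next-Action header as next_action (these field names are assumed), that the set of legitimate action IDs is known from the app's build (KNOWN_ACTION_IDS is an assumption), and the log lines are constructed. It flags two things: Server Action POSTs whose action ID the app never defined, and a single source hitting several distinct routes with Server Action POSTs inside one minute, which is the scanning and fingerprinting stage of the playbook rather than a user.

```javascript
// Added example (not the article's or AWS's code): hunt proxy logs for Server
// Function probing. Field names, KNOWN_ACTION_IDS and SAMPLE_LOG are constructed.

const KNOWN_ACTION_IDS = new Set(['7f3e9a1c']);   // assumed: taken from the app's build manifest
const WINDOW_MS = 60_000;
const BURST_PATHS = 3;   // distinct routes receiving Server Action POSTs inside one window

function parseLines(text) {
  return text.split('\n').filter(Boolean).map((line) => JSON.parse(line));
}

// Next.js issues Server Action calls as POSTs carrying a Next-Action header.
function isServerActionRequest(e) {
  return e.method === 'POST' && typeof e.next_action === 'string';
}

function hunt(events, knownActionIds = KNOWN_ACTION_IDS) {
  const findings = [];
  const perIp = new Map();
  for (const e of events) {
    if (!isServerActionRequest(e)) continue;
    if (!knownActionIds.has(e.next_action)) {
      findings.push({ ip: e.ip, kind: 'unknown-action-id', ts: e.ts,
        detail: `${e.next_action} -> ${e.path} (status ${e.status})` });
    }
    if (!perIp.has(e.ip)) perIp.set(e.ip, []);
    perIp.get(e.ip).push({ t: Date.parse(e.ts), path: e.path });
  }
  // Sliding window per source: count distinct routes hit within WINDOW_MS.
  for (const [ip, hits] of perIp) {
    hits.sort((a, b) => a.t - b.t);
    const inWindow = new Map();   // path -> number of hits currently inside the window
    let start = 0;
    for (let end = 0; end < hits.length; end++) {
      inWindow.set(hits[end].path, (inWindow.get(hits[end].path) || 0) + 1);
      while (hits[end].t - hits[start].t > WINDOW_MS) {
        const p = hits[start].path;
        inWindow.set(p, inWindow.get(p) - 1);
        if (inWindow.get(p) === 0) inWindow.delete(p);
        start++;
      }
      if (inWindow.size >= BURST_PATHS) {
        findings.push({ ip, kind: 'scan-burst', ts: new Date(hits[start].t).toISOString(),
          detail: `${inWindow.size} distinct routes in ${WINDOW_MS / 1000}s` });
        break;   // one finding per source is enough; the IP is the unit of triage
      }
    }
  }
  return findings;
}

// Constructed log: one source sweeping three routes in two seconds with an action
// ID the app never built, and one ordinary user calling a real action twice.
const SAMPLE_LOG = `
{"ts":"2025-12-04T02:11:05Z","ip":"203.0.113.7","method":"POST","path":"/","status":500,"next_action":"ab12cd34"}
{"ts":"2025-12-04T02:11:06Z","ip":"203.0.113.7","method":"POST","path":"/login","status":500,"next_action":"ab12cd34"}
{"ts":"2025-12-04T02:11:07Z","ip":"203.0.113.7","method":"POST","path":"/blog","status":200,"next_action":"ab12cd34"}
{"ts":"2025-12-04T02:11:20Z","ip":"198.51.100.9","method":"GET","path":"/dashboard","status":200}
{"ts":"2025-12-04T02:12:00Z","ip":"198.51.100.9","method":"POST","path":"/settings","status":200,"next_action":"7f3e9a1c"}
{"ts":"2025-12-04T03:40:00Z","ip":"198.51.100.9","method":"POST","path":"/profile","status":200,"next_action":"7f3e9a1c"}
`;

for (const f of hunt(parseLines(SAMPLE_LOG))) console.log(`${f.ts} ${f.ip} ${f.kind}: ${f.detail}`);
```

Every source this flags deserves a pull of the full request bodies for the window, if your proxy retains them, and a host-level check for the persistence and web-shell indicators listed above. A busy legitimate user can trip the burst rule on a form-heavy site, so tune BURST_PATHS to your traffic before treating it as an alert.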

Did This Affect AWS Services?

According to AWS, this vulnerability does not affect AWS services themselves. However, customers running React or Next.js applications in their own environments — whether on Amazon EC2, containers (ECS/EKS), or serverless platforms — must update their applications immediately.

AWS has deployed multiple layers of automated protection through their Sonaris active defense system, AWS WAF managed rules, and perimeter security controls, but these measures protect the AWS infrastructure — they do not protect customers' self-managed applications from exploitation.

Follow-Up Vulnerabilities

Following the initial RCE disclosure, the React team identified and patched several related vulnerabilities in the same packages. Note that 19.0.1, 19.1.2 and 19.2.1 fixed only the RCE; each follow-up shipped in a later patch release on the same three lines, so the target is the latest patch release for your minor version, not the versions above:

  - CVE-2025-55184 (DoS, CVSS 7.5)
  - CVE-2025-67779 (DoS, CVSS 7.5)
  - CVE-2025-55183 (source code exposure, CVSS 5.3)
  - CVE-2026-23864 (DoS, CVSS 7.5, January 2026)

The discovery of these follow-up vulnerabilities over several months underscores the complexity of the React Server Components attack surface. Organizations running React RSC should maintain a regular patch cadence and monitor the React security advisory page for future disclosures.

Lessons for the Industry

The React2Shell incident highlights several important lessons for the web development community:

  - Server-side deserialization of client-controlled data remains one of the most dangerous bug classes, and a modern framework is not exempt from it.
  - An application inherits the attack surface of its framework's conventions: here, an endpoint that exists whether or not you ever wrote a Server Function.
  - The window between disclosure and mass exploitation is now hours; patch pipelines for internet-facing applications need to run at that cadence.
  - WAF rules and hosting provider mitigations buy time and nothing more; only the patched packages remove the bug.
  - One disclosure in a complex subsystem is usually followed by others; keep watching the React security advisory page and patch again.

FAQ

What is CVE-2025-55182 (React2Shell)?
CVE-2025-55182, nicknamed React2Shell, is a pre-authentication remote code execution vulnerability in React Server Components. It has a CVSS score of 10.0 (maximum severity). The vulnerability stems from unsafe deserialization of payloads sent to React Server Function endpoints, allowing an attacker to execute arbitrary code on the server without any authentication.
Which React versions are affected?
React versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 are affected. The vulnerable packages are react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. Any application using these packages with React Server Components enabled is vulnerable — even if it doesn't explicitly implement Server Function endpoints.
Which frameworks are affected?
Next.js (15.x and 16.x with App Router), React Router, Waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk are all affected. Next.js users on 14.x should upgrade to 14.2.35; 15.x users should upgrade to 15.0.8, 15.1.12, 15.2.9, 15.3.9, 15.4.10, or 15.5.10.
Was this exploited in the wild?
Yes. Within hours of the public disclosure on December 3, 2025, AWS threat intelligence observed active exploitation by China state-nexus groups Earth Lamia and Jackpot Panda. CISA has listed it in the Known Exploited Vulnerabilities Catalog. AWS monitored the activity through MadPot honeypot infrastructure.
How do I fix CVE-2025-55182?
Upgrade React and the react-server-dom-* packages to 19.0.1, 19.1.2, or 19.2.1 or later (whichever line you are on). For Next.js, upgrade to the latest patched version in your release line: 14.2.35 (14.x), 15.0.8 through 15.5.10 (15.x), or 16.0.10 and later (16.x). Do not rely on hosting provider mitigations; patch your application immediately.
What is CVE-2025-66478?
CVE-2025-66478 has been marked as REJECTED. It is a duplicate of CVE-2025-55182. There is no separate vulnerability — the original CVE-2025-55182 entry covers the React Server Components RCE vulnerability completely.
Are there other related RSC vulnerabilities?
Yes. The React team disclosed CVE-2025-55184 and CVE-2025-67779 (DoS, CVSS 7.5), CVE-2025-55183 (Source Code Exposure, CVSS 5.3), and CVE-2026-23864 (DoS, CVSS 7.5, January 2026). These were fixed in later patch releases on the 19.0, 19.1 and 19.2 lines, so move to the latest patch release of your line rather than stopping at 19.0.1, 19.1.2 or 19.2.1. RCE vulnerabilities in npm packages are not limited to React; see my analysis of the critical protobuf.js CVE-2026-41242 (CVSS 9.8) code injection vulnerability for another example of how a single unsanitized string interpolation can compromise thousands of applications.

Summary

CVE-2025-55182 (React2Shell) represents one of the most severe vulnerabilities ever discovered in the React ecosystem. A CVSS 10.0 pre-authentication RCE — exploited by state-sponsored groups within hours of disclosure — demands immediate attention from every organization running React Server Components in production.

The good news is that the fix is straightforward: upgrade to React 19.0.1, 19.1.2, or 19.2.1 for the RCE, and on to the latest patch release of your line to pick up the follow-up fixes. The react-server-dom-* packages and all affected frameworks (Next.js, React Router, Waku, and others) are patched. The React team has handled the disclosure responsibly, AWS has deployed protective measures, and the vulnerability is well-documented.

The broader lesson is that server-side deserialization vulnerabilities remain a critical class of security bugs, and the growing adoption of server components in modern JavaScript frameworks expands the attack surface in ways that many development teams have not yet fully accounted for.

Contact

Need help with your web development project?

I build production applications with modern tools — React, Next.js, Node.js, and TypeScript. Let's discuss your project.