Unauthenticated RSC Bugs in React, Next.js Enable Remote Code Execution

A significant security vulnerability affecting React Server Components (RSC) has been revealed, allowing for potential remote code execution. This flaw, identified as CVE-2025-55182, carries the highest possible CVSS score of 10.0 and has been codenamed React2shell. The React Team issued a warning regarding this critical issue, which can be triggered via unauthenticated access to Server Function endpoints.

Details of the Vulnerability

The React Team indicated that this vulnerability arises from improper decoding of payloads sent to React Server Function endpoints. Importantly, apps that do not utilize React Server Function endpoints may still be at risk if they support React Server Components.

According to cloud security firm Wiz, the flaw represents a case of logical deserialization, where an attacker could exploit unsafe handling of serialized payloads. Malicious HTTP requests, when processed by React, can execute arbitrary JavaScript code on the server.

Impacted Versions

The vulnerability impacts the following npm package versions:

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

Specifically, versions 19.0, 19.1.0, 19.1.1, and 19.2.0 are affected. The patched versions are 19.0.1, 19.1.2, and 19.2.1.

Related Issues in Next.js

The problem also impacts Next.js applications utilizing the App Router with the CVE identifier CVE-2025-66478, which similarly carries a CVSS score of 10.0, affecting versions >=14.3.0-canary.77, >=15, and >=16. Available patched versions include 16.0.7 and various 15.x.x updates.
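Because the affected and patched version numbers above are exact, the quickest way to check a deployment is to read the installed versions out of the lockfile and compare them against that list. The script below is an added example written for this article, not code from the React or Next.js projects. It assumes a `package-lock.json` (lockfile version 2 or 3) with a `packages` map, takes the article's "19.0" as 19.0.0, and, since the article names only 16.0.7 among the patched releases, flags 15.x installs for manual verification against the advisory rather than guessing a patched 15.x number. The sample lockfile is constructed.

```javascript
// Added example: audit a package-lock.json against the version ranges in the
// advisory. Affected/fixed versions are transcribed from the article; the
// sample lockfile at the bottom is constructed for illustration.

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : null };
}

// Semver ordering, including prerelease tags such as 14.3.0-canary.77:
// a release sorts after any prerelease with the same core version.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  if (!x.pre && !y.pre) return 0;
  if (!x.pre) return 1;
  if (!y.pre) return -1;
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    if (x.pre[i] === undefined) return -1;
    if (y.pre[i] === undefined) return 1;
    const nx = /^\d+$/.test(x.pre[i]), ny = /^\d+$/.test(y.pre[i]);
    if (nx && ny) { if (+x.pre[i] !== +y.pre[i]) return +x.pre[i] < +y.pre[i] ? -1 : 1; }
    else if (nx) return -1; // numeric identifiers sort before alphanumeric ones
    else if (ny) return 1;
    else if (x.pre[i] !== y.pre[i]) return x.pre[i] < y.pre[i] ? -1 : 1;
  }
  return 0;
}

const RSC_PACKAGES = ['react-server-dom-webpack', 'react-server-dom-parcel', 'react-server-dom-turbopack'];
const RSC_AFFECTED = new Set(['19.0.0', '19.1.0', '19.1.1', '19.2.0']); // article's "19.0" taken as 19.0.0
const RSC_FIXED = ['19.0.1', '19.1.2', '19.2.1'];

function assessRsc(version) {
  if (RSC_FIXED.includes(version)) return { status: 'patched' };
  if (RSC_AFFECTED.has(version)) {
    // Suggest the patched release on the same minor line.
    const fix = RSC_FIXED.find(f => parseSemver(f).minor === parseSemver(version).minor);
    return { status: 'vulnerable', fix };
  }
  return { status: 'not-listed' };
}

function assessNext(version) {
  if (compareSemver(version, '14.3.0-canary.77') < 0) return { status: 'not-listed' };
  const { major } = parseSemver(version);
  if (major >= 16) {
    return compareSemver(version, '16.0.7') >= 0 ? { status: 'patched' } : { status: 'vulnerable', fix: '16.0.7' };
  }
  // The article says patched 15.x releases exist but does not name them.
  if (major === 15) return { status: 'verify', note: 'check the exact 15.x release against the advisory' };
  return { status: 'vulnerable', fix: 'a patched 15.x release or 16.0.7' }; // 14.3 canary line
}

// Walk every installed package (including nested copies) and assess the relevant ones.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project itself
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (RSC_PACKAGES.includes(name)) findings.push({ name, path, version: entry.version, ...assessRsc(entry.version) });
    else if (name === 'next') findings.push({ name, path, version: entry.version, ...assessNext(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile with one vulnerable Next.js, one vulnerable RSC
// package and one already-patched nested copy.
const SAMPLE_LOCK = {
  name: 'example-app', lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '0.1.0' },
    'node_modules/next': { version: '16.0.3' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/some-tool/node_modules/react-server-dom-turbopack': { version: '19.2.1' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) console.log(f);
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; nested copies under a tool's own `node_modules` are deliberately included, since a transitive copy of an affected package is just as reachable as a top-level one.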

Broader Implications

This vulnerability is not limited to React and Next.js. Other libraries that integrate RSC may also face similar risks, including the Vite RSC plugin, the Parcel RSC plugin, the React Router RSC preview, RedwoodJS, and Waku.

Exploitation Potential

According to security experts from Endor Labs, Miggo Security, and VulnCheck, exploiting this flaw does not require specific configurations or login credentials. An attacker merely needs network access to send malicious requests to exposed Server Function endpoints.

Wiz reported that 39% of cloud environments contain vulnerable instances of either CVE-2025-55182 or CVE-2025-66478, highlighting the widespread nature of this threat.

Recommended Actions

In response to this vulnerability, it is advised to:

  • Implement Web Application Firewall (WAF) rules if possible.
  • Monitor HTTP traffic to Server Function endpoints for anomalies.
  • Temporarily restrict network access to affected applications.
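The second recommendation, monitoring Server Function traffic for anomalies, is the one teams most often have to build themselves. The monitor below is an added example for this article, not code from any vendor or from the React or Next.js projects. It assumes the reverse proxy writes one JSON record per request that includes the client IP, the request's `Next-Action` header (Next.js server actions are POST requests carrying that header) and the body size, and that `KNOWN_ACTIONS` is the operator-supplied set of action IDs the deployed build actually exposes. The log lines are constructed, and the thresholds are illustrative starting points to tune per application.

```javascript
// Added example: flag anomalous Server Function requests in proxy access logs.
// Three signals: an action ID the build never shipped, an unusually large
// request body, and a burst of requests from one client inside a window.
// Log records and action IDs below are constructed for illustration.

const KNOWN_ACTIONS = new Set(['a1b2c3', 'd4e5f6']); // hypothetical IDs from the deployed build
const WINDOW_MS = 60 * 1000;
const MAX_PER_WINDOW = 20;       // tune to the application's normal traffic
const MAX_BODY_BYTES = 64 * 1024; // tune to the largest legitimate action payload

// Server actions are POSTs carrying a Next-Action header; everything else is ignored.
function isServerFunctionRequest(r) {
  return r.method === 'POST' && typeof r.next_action === 'string';
}

// Lines are assumed to be in time order; the per-IP window slides as we go.
function detectAnomalies(lines) {
  const alerts = [];
  const perIp = new Map(); // ip -> timestamps (ms) seen inside the current window
  for (const line of lines) {
    let r;
    try { r = JSON.parse(line); } catch (e) { alerts.push({ kind: 'unparseable', line }); continue; }
    if (!isServerFunctionRequest(r)) continue;
    const t = Date.parse(r.ts);

    if (!KNOWN_ACTIONS.has(r.next_action)) {
      alerts.push({ kind: 'unknown-action', ip: r.ip, action: r.next_action, ts: r.ts });
    }
    if (r.bytes > MAX_BODY_BYTES) {
      alerts.push({ kind: 'oversized-body', ip: r.ip, bytes: r.bytes, ts: r.ts });
    }
    const hist = perIp.get(r.ip) || [];
    while (hist.length && t - hist[0] > WINDOW_MS) hist.shift();
    hist.push(t);
    perIp.set(r.ip, hist);
    // Alert once, at the moment the client crosses the threshold.
    if (hist.length === MAX_PER_WINDOW + 1) {
      alerts.push({ kind: 'burst', ip: r.ip, count: hist.length, ts: r.ts });
    }
  }
  return alerts;
}

// Helper to build a constructed log record for a server action request.
function rec(ts, ip, action, bytes) {
  return JSON.stringify({ ts, ip, method: 'POST', path: '/', next_action: action, bytes, status: 200 });
}

const SAMPLE_LOG = [
  rec('2025-12-04T10:00:00Z', '198.51.100.10', 'a1b2c3', 512),                       // normal
  JSON.stringify({ ts: '2025-12-04T10:00:01Z', ip: '198.51.100.11', method: 'GET',
                   path: '/about', bytes: 0, status: 200 }),                          // not a server action
  rec('2025-12-04T10:00:02Z', '198.51.100.12', 'zz9999', 700),                       // action ID never shipped
  rec('2025-12-04T10:00:03Z', '198.51.100.13', 'd4e5f6', 200000),                    // oversized body
  // 25 requests in 25 seconds from one client
  ...Array.from({ length: 25 }, (_, i) =>
    rec(`2025-12-04T10:00:${String(10 + i).padStart(2, '0')}Z`, '203.0.113.7', 'a1b2c3', 400)),
];

for (const a of detectAnomalies(SAMPLE_LOG)) console.log(a);
```

The unknown-action check is the most useful of the three: the set of action IDs is fixed at build time, so a request naming an ID the build does not contain is worth a look regardless of volume. The burst and size checks are generic and will need per-application thresholds.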

Cloudflare has announced new safeguards in their WAF solution to counter CVE-2025-55182, providing protection for all customers with proxied React application traffic.

The Expert Perspective

Justin Moore from Palo Alto Networks highlighted the exploit’s critical nature, emphasizing that it acts like a “master key” by taking advantage of the application’s trust in incoming data. Affected systems may execute malicious payloads as if they were legitimate, making this vulnerability especially dangerous.

Given the severity of these vulnerabilities, immediate attention is warranted. Users are strongly encouraged to apply the available patches to their applications.