The React2Shell Crisis: A Critical Vulnerability Rocking the Web

December 12, 2025
By Akinwande
Tags: react, next, rsc

React2Shell: Critical React Server Components Vulnerability and the New December 11 Update

On December 3, 2025, a severe security flaw in React Server Components (RSC) — part of the React 19 ecosystem — was publicly disclosed. Known as “React2Shell”, this vulnerability quickly became one of the most significant security incidents to affect modern web development frameworks.


What the Vulnerability Is

Tracked as CVE-2025-55182, the flaw lies in how React handles incoming requests within Server Components. It stems from unsafe deserialization of client-supplied data, allowing attackers to execute arbitrary code on the server.

Key Characteristics

  • Remote Code Execution (RCE): Attackers can compromise a server with specially crafted HTTP requests.

  • No authentication required: The exploit works without credentials.

  • Root cause: Unsafe deserialization of client-controlled data in RSC.

This flaw received a CVSS score of 10.0, the highest level of severity.


Why It Matters

React is one of the most widely used web technologies globally. Frameworks such as Next.js rely heavily on React Server Components for server-side rendering and hybrid page behavior.

Because the affected code is part of the default setup for many frameworks:

  • Many applications are vulnerable even without custom configurations.

  • Projects using RSC through libraries, plugins, or experimental features are also exposed.

This creates an unusually large attack surface across the ecosystem.


Active Exploitation

Security groups reported active exploitation within hours of the disclosure. Attackers — including botnets and organized scanning groups — began probing servers for exposed RSC endpoints.

Cloud providers also detected widespread exploitation attempts across multiple regions, making rapid patching essential.


Follow-Up Issues

After the initial fix, the React team and independent researchers identified additional, related vulnerabilities inside RSC:

  • Denial-of-Service (DoS): Crafted payloads can force server processes into infinite loops, consuming CPU and disrupting service.

  • Source code exposure risks: Under certain conditions, internal project code can be leaked through server function endpoints.

These issues are less severe than the original RCE bug but still require updates and monitoring.


What You Should Do

If you maintain a React or React-based application, take the following actions immediately:

Immediate Actions

  1. Check whether your project uses React Server Components.
    If you use SSR, Next.js, Vite RSC plugins, or similar tools, assume you may be affected.

  2. Upgrade to the latest patched versions of React and any framework that relies on RSC.

  3. Implement protective measures, including:

    • Web Application Firewalls (WAF) to block malicious request patterns.

    • Infrastructure scans to detect any exposed RSC endpoints.

  4. Monitor official security advisories from React, Next.js, and hosting providers.
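Steps 1 and 2 above can be partly automated. The script below is an added example (not code from the original post or from the React project) that inventories an npm lockfile for React Server Components packages and classifies each installed copy against a caller-supplied list of minimum patched versions; it assumes a package-lock.json with lockfileVersion 2 or 3, and the patched versions themselves must be taken from the official advisory rather than from this example.

```javascript
// Added example (not from the original post): inventory an npm package-lock.json (lockfileVersion 2/3,
// "packages" keyed by install path) for React Server Components packages, then compare installed
// versions with the minimum patched versions from the official advisory, supplied by the caller.

// RSC runtime bindings React publishes for the common bundlers, plus frameworks that ship RSC support.
const RSC_PACKAGES = ["react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"];
const RSC_FRAMEWORKS = ["next"];

// Return { name, version, path } for every installed copy of an RSC-related package,
// including nested duplicates such as node_modules/x/node_modules/react-server-dom-webpack.
function findRscDependencies(lock) {
  const hits = [];
  for (const [pkgPath, meta] of Object.entries(lock.packages || {})) {
    if (pkgPath === "") continue; // root project entry, not a dependency
    const name = pkgPath.slice(pkgPath.lastIndexOf("node_modules/") + "node_modules/".length);
    if (RSC_PACKAGES.includes(name) || RSC_FRAMEWORKS.includes(name)) {
      hits.push({ name, version: meta.version, path: pkgPath });
    }
  }
  return hits;
}

// True when `actual` is numerically below `minimum`. Prerelease suffixes ("-canary.3") are
// dropped, so a prerelease of X.Y.Z compares equal to X.Y.Z: check such builds by hand.
function versionBelow(actual, minimum) {
  const parse = (v) => v.split("-")[0].split(".").map(Number);
  const a = parse(actual), m = parse(minimum);
  for (let i = 0; i < Math.max(a.length, m.length); i++) {
    const x = a[i] || 0, y = m[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Tag each hit "upgrade", "ok", or "unknown" (no minimum supplied, so it is not silently passed).
function classifyRsc(hits, minimums) {
  return hits.map((h) => {
    const min = minimums[h.name];
    const status = min === undefined ? "unknown" : versionBelow(h.version, min) ? "upgrade" : "ok";
    return { ...h, status };
  });
}

// Usage: node rsc-check.js package-lock.json; MINIMUMS is a placeholder to fill from the advisory.
const MINIMUMS = {}; // e.g. { "react-server-dom-webpack": "<patched version from advisory>" }
if (typeof require === "function" && process.argv[2]) {
  const lock = JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"));
  for (const r of classifyRsc(findRscDependencies(lock), MINIMUMS)) console.log(`${r.status}\t${r.name}@${r.version}\t${r.path}`);
}
```

Any "unknown" or "upgrade" line is a package to resolve before considering the project covered; source files containing "use server" directives indicate RSC usage even when the lockfile check is clean.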

Best Practices Going Forward

  • Keep dependencies consistently updated.

  • Integrate automated vulnerability scanning into CI/CD pipelines.

  • Audit libraries that wrap, transpile, or extend RSC behavior.


New Developments as of December 11, 2025

On December 11, 2025, React maintainers disclosed additional vulnerabilities related to but separate from the initial RCE flaw. These issues were uncovered during stress-testing and validation of the original patch.

Newly Documented Issues

  • DoS vulnerability: Specific payloads can trigger infinite loops and cause severe CPU exhaustion.

  • Incomplete patch edge case: A related bug with similar DoS impact, caused by partial fixes in certain versions.

  • Source code exposure: Some crafted requests may leak internal source code under specific circumstances.

While these new issues do not allow remote code execution, they still pose significant risks by enabling service disruption and information leakage.


Final Takeaway

The original React2Shell (CVE-2025-55182) vulnerability represents one of the most serious security issues in React’s history, enabling unauthenticated remote code execution. The follow-up disclosures on December 11 revealed additional DoS and information-exposure risks that further highlight the need for:

  • Rapid patching

  • Proactive dependency management

  • Continuous monitoring of critical open-source infrastructure

For teams relying on React Server Components or frameworks built on top of them, these events underscore the importance of treating security as a first-class concern.