Blackfort Technology
Critical Vulnerability · CVSS 10.017 July 2026·Christian Gebhardt

React2Shell — CVE-2025-55182: Critical Unauthenticated RCE in Next.js via React Server Components

A single crafted HTTP request is enough: CVE-2025-55182 (CVSS 10.0) gives any attacker a shell on your Node.js server — no authentication, no user interaction required. Affects Next.js 15/16 and React 19. No workaround exists; only patching helps.

Follow Blackfort on LinkedIn

Security incidents, technical analyses, and real-world insights — delivered directly to your LinkedIn feed.

Follow
React2Shell CVE-2025-55182 — Critical RCE in Next.js / React Server Components
At a Glance
  • CVE-2025-55182 (merged: CVE-2025-66478) — CVSS 10.0, CWE-502
  • Unauthenticated Remote Code Execution via React Server Components (RSC) Flight Protocol
  • Affected: React 19.0–19.2.0, Next.js 15.0.0–15.5.6 & 16.0.0–16.0.6 (App Router)
  • Not affected: Pages Router, Edge Runtime, Next.js 13/14 stable
  • CISA KEV listed 5 December 2025 — active exploitation confirmed
  • No workaround — only upgrading to a patched version helps

Video Analysis

Background: What is React2Shell?

React Server Components (RSC) introduced a powerful new programming model — but also a new attack surface. The RSC Flight Protocol serialises server-side function references and passes them between client and server over HTTP. According to the Next.js advisory and Akamai Research, CVE-2025-55182 exploits insecure deserialisation in the react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack packages: a crafted payload submitted to any Server Action endpoint causes the Node.js process to execute attacker-controlled code.

No authentication, no session cookie, no user interaction — a single HTTP POST is sufficient. The vulnerability was discovered by Lachlan Davidson and disclosed responsibly. Public PoCs appeared within hours of the coordinated release on 3 December 2025; in-the-wild exploitation was confirmed by Palo Alto Unit 42 the very next day.

Affected Versions

PackageVulnerablePatched
react-server-dom-webpack19.0.0, 19.1.0, 19.1.1, 19.2.0≥ 19.0.1 / 19.1.2 / 19.2.1
react-server-dom-parcel19.0.0, 19.1.0, 19.1.1, 19.2.0≥ 19.0.1 / 19.1.2 / 19.2.1
react-server-dom-turbopack19.0.0, 19.1.0, 19.1.1, 19.2.0≥ 19.0.1 / 19.1.2 / 19.2.1
next15.0.0–15.5.6, 16.0.0–16.0.615.3.6, 15.5.7, 16.0.7 …

Pages Router, Edge Runtime, and Next.js 13/14 stable branches are not affected. Source: Next.js Security Advisory / GHSA-9qr9-h5gf-34mp.

Attack Chain (Detection-Oriented)

According to Palo Alto Unit 42 and Oligo Security, the attack path is straightforward:

  1. Attacker identifies a Next.js App Router application (App Router exposes Server Actions by default on Next.js 15/16).
  2. A single crafted HTTP POST is sent to a Server Action endpoint, embedding a malicious serialised payload in the RSC Flight Protocol body.
  3. The vulnerable react-server-dom-* deserialiser resolves the payload to a callable server-side function — executing attacker-controlled code in the Node.js process.
  4. Post-exploitation payloads observed in the wild include Cobalt Strike, XMRig cryptominers, VShell, EtherRAT, KSwapDoor, and persistent web shells (per Unit 42 and Microsoft Security Blog).
No Workaround Available

According to the Vercel/Next.js advisory, there is no configuration-based workaround. WAF rules can reduce risk but do not fully block exploitation given the flexibility of the RSC Flight Protocol. The only reliable mitigation is upgrading to a patched package version.

Lab Reproduction

We reproduced the vulnerability in an isolated lab environment using synthetic data only. The target application used the exact versions flagged by the SBOM scan:next@15.3.0, react@19.1.0, react-dom@19.1.0.

Lab — Reverse Shell via CVE-2025-55182 (isolated environment, synthetic data)
# Attacker machine — listener
nc -lvnp 4444

# Single HTTP POST to target Server Action endpoint
curl -X POST https://[lab-target]/api/action \
  -H 'Content-Type: text/x-component' \
  --data-binary @payload.rsc

# ──────────────────────────────────────────────
# Target Node.js process — confirmed shell
# ──────────────────────────────────────────────
[*] Connection received from [lab-target]:43201
$ id
uid=1000(node) gid=1000(node) groups=1000(node)
$ hostname
lab-nextjs-target
$

Reproduced in an isolated lab. No real systems, users, or data were involved. The underlying PoC by Palo Alto Unit 42 is publicly available under the MIT licence (GHSA-9qr9-h5gf-34mp).

Detection via SBOM — Before the First Request Hits

The most powerful detection mechanism does not fire at runtime — it fires before the vulnerable package is ever deployed. A CycloneDX SBOM generated from the application'spackage-lock.jsonand analysed by Dependency-Track against OSV / GitHub Advisory / NVD databases flags GHSA-9qr9-h5gf-34mp (CRITICAL) fornext@15.3.0— plus 25 additional findings for the same package.

Dependency-Track — SBOM Scan Result (next@15.3.0)
[CRITICAL] next@15.3.0 — GHSA-9qr9-h5gf-34mp  (CVE-2025-55182 / CVE-2025-66478)
           Unauthenticated RCE via RSC deserialization — fix: next@15.3.6

[HIGH]     next@15.3.0 — GHSA-267c-6grr-h53f
[HIGH]     next@15.3.0 — GHSA-26hh-7cqf-hhc6
[HIGH]     next@15.3.0 — GHSA-36qx-fr4f-26g5
           ... (22 further findings)

[MEDIUM]   postcss@8.4.31 — GHSA-qx2v-qp2m-jg93

Total: 26 finding(s) — 1 CRITICAL, 9 HIGH, 15 MEDIUM, 2 LOW
Policy gate: BUILD BLOCKED

The SBOM policy gate blocked the build automatically — without any runtime alert, WAF rule, or EDR signal. This is the core principle of supply chain security: shift the detection left, into the build pipeline, where fixing the issue is cheapest.

Threat Landscape

According to AWS Security Blog and Unit 42, exploitation began on 4 December 2025 — one day after the coordinated disclosure. Shadowserver reported approximately 77,664 vulnerable IP addresses on 5 December, dropping to roughly 28,964 by 7 December as patches were applied. Nation-state actors attributed to China (CL-STA-1015/UNC5174) and North Korea (UNC5342) were among the first observed exploiting the vulnerability in the wild. CISA added CVE-2025-55182 to its Known Exploited Vulnerabilities (KEV) Catalog on 5 December 2025 with a FCEB remediation deadline of 26 December 2025.

Reach

React is used by approximately 40 % of all developers; Next.js powers an estimated 18–20 % of web applications — making CVE-2025-55182 one of the broadest-impact vulnerabilities of 2025. (Figures from Unit 42 and Trend Micro; treat as estimates.)

Patching — Step by Step

Vercel provides an interactive upgrade tool:

Terminal — Upgrade (interactive)
# Vercel's official upgrade helper
npx fix-react2shell-next

# Or manually — example for Next.js 15.3.x
npm install next@15.3.6 react@19.1.2 react-dom@19.1.2

# Verify
npm ls next react react-dom

After upgrading, regenerate your SBOM and re-run the Dependency-Track scan to confirm that GHSA-9qr9-h5gf-34mp no longer appears. If you are using a lockfile-based deployment pipeline, commit the updated package-lock.json to trigger a clean build.

Supply Chain Security with Blackfort

This lab demonstration — SBOM generation, Dependency-Track integration, and automated policy gates — is a core part of Blackfort's Supply Chain Security advisory service. We help teams build pipelines that catch vulnerabilities like CVE-2025-55182 before they reach production. Learn more about our SBOM and Dependency Management consulting →

Disclaimer

This article is intended solely for informational purposes and for improving IT security (detection and hardening). It does not constitute legal advice and does not contain a ready-to-use attack guide. All tests were conducted in an isolated laboratory environment using exclusively synthetic data. No liability is assumed for damages arising from the application of the content described herein.

The underlying proof-of-concept by Palo Alto Unit 42 (GHSA-9qr9-h5gf-34mp) is publicly available under the MIT licence. Attribution and licence are respected; no weaponisation beyond the already public state has been carried out.

Kontakt aufnehmen

Bereit für den nächsten Schritt?

Sprechen Sie mit uns über Ihre Sicherheitsanforderungen – konkret, ohne Verpflichtung und auf Augenhöhe.