React2Shell (CVSS 10.0): Patch React & Next.js NOW | Unauth RCE Explained

Feb 27, 2026

A maximum-severity vulnerability is hitting React Server Components - and if you're running Next.js, you may be vulnerable by default.

React disclosed CVE-2025-55182, nicknamed React2Shell, an unauthenticated remote code execution (CVSS 10.0) affecting React Server Components via the Flight protocol. Next.js tracks downstream exposure as CVE-2025-66478:

  • No authentication required
  • One-request exploitability
  • Public PoC available
  • Near 100% success reported against default configurations

That means internet-wide scanning is likely.

Who’s affected?

Certain React 19 versions using react-server-dom-* packages (webpack, turbopack, parcel variants), plus standard production builds created with create-next-app.

Once RCE is achieved, attackers can:

  • Steal secrets (tokens, credentials, user data)
  • Establish persistence (web shells, backdoors)
  • Move laterally inside your environment
  • Deploy ransomware

Detection guidance:

Sysdig TRT recommends monitoring for suspicious process execution spawned by web servers (e.g., Next.js spawning sh, bash, curl, wget). Runtime detection is critical because RCE chains often pivot quickly.
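One way to implement that detection rule, as an added example that is not from the video or from Sysdig's own rule set: a small Python detector run over constructed process-execution events. The pipe-delimited record format, the `NEXT_MARKERS` strings and the suspicious-child list are assumptions to tune per deployment.

```python
from dataclasses import dataclass

# Binaries a Next.js server process has no legitimate reason to exec directly.
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "curl", "wget", "nc"}
# Command-line markers identifying a Next.js server (assumed; tune per deployment).
NEXT_MARKERS = ("next start", "next-server", "next dev", "server.js")

@dataclass
class ProcEvent:
    ts: str
    parent_comm: str     # executable name of the parent
    parent_cmdline: str
    child_comm: str      # executable name of the newly executed process
    child_cmdline: str

def parse_event(line):
    # Constructed format: ts|parent_comm|parent_cmdline|child_comm|child_cmdline
    parts = line.rstrip("\n").split("|", 4)
    return ProcEvent(*parts) if len(parts) == 5 else None

def is_next_server(ev):
    return ev.parent_comm == "node" and any(m in ev.parent_cmdline for m in NEXT_MARKERS)

def is_suspicious(ev):
    # A shell or download tool spawned directly by the web server process.
    return is_next_server(ev) and ev.child_comm in SUSPICIOUS_CHILDREN

def scan(lines):
    """Return one alert string per suspicious event; malformed lines are skipped."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None and is_suspicious(ev):
            alerts.append(f"{ev.ts} {ev.parent_comm} ({ev.parent_cmdline}) spawned "
                          f"{ev.child_comm}: {ev.child_cmdline}")
    return alerts

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    "2026-02-27T10:00:01Z|node|node_modules/.bin/next start|node|node worker.js",  # benign worker
    "2026-02-27T10:00:05Z|node|node_modules/.bin/next start|sh|sh -c id",           # shell from server
    "2026-02-27T10:00:09Z|npm|npm run build|sh|sh -c next build",                    # build script, not the server
    "2026-02-27T10:00:12Z|node|node_modules/.bin/next start|wget|wget http://example.invalid/f",
    "garbled line without fields",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT", alert)
```

Only the second and fourth sample events fire; the `npm run build` shell is ignored because its parent is not the running server process.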

Patch immediately.

Fixed versions include:

React Server Components: 0.1, 19.1.2, 19.2.1

Next.js: 0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7

If you're on canary builds, move back to stable per guidance.

Chapters:

00:00 Intro to React2Shell

00:18 React2Shell details

00:39 Why is React2Shell high-severity

01:01 Affected packages and configs

01:19 Potential exploitations

01:42 Detection strategies for RCE

02:02 Mitigation measures & limitations

02:24 Patching recommendations

#react #nextjs #CVE202555182 #cybersecurity #appsec #cloudsecurity #RCE #Kubernetes #devsecops #react2shell #CVE