LmCast :: Stay tuned in

Critical React, Next.js flaw lets hackers execute code on servers

Recorded: Dec. 4, 2025, 4:02 p.m.


Critical React, Next.js flaw lets hackers execute code on servers

By Bill Toulas

December 4, 2025
10:11 AM

A maximum severity vulnerability, dubbed 'React2Shell', in the React Server Components (RSC) 'Flight' protocol allows remote code execution without authentication in React and Next.js applications.
The security issue stems from insecure deserialization. It received a severity score of 10/10 and has been assigned the identifiers CVE-2025-55182 for React and CVE-2025-66478 (CVE rejected in the National Vulnerability Database) for Next.js.
Security researcher Lachlan Davidson discovered the flaw and reported it to React on November 29. He found that an attacker could achieve remote code execution (RCE) by sending a specially crafted HTTP request to React Server Function endpoints.
"Even if your app does not implement any React Server Function endpoints, it may still be vulnerable if your app supports React Server Components [RSC]," warns the security advisory from React.
The following packages are impacted in their default configuration:
react-server-dom-parcel
react-server-dom-turbopack
react-server-dom-webpack
React is an open-source JavaScript library for building user interfaces. It's maintained by Meta and widely adopted by organizations of all sizes for front-end web development.
Next.js, maintained by Vercel, is a framework built on top of React that adds server-side rendering, routing, and API endpoints.
Both solutions are widely present in cloud environments through front-end applications that help scale and deploy architectures faster and easier.
Researchers at cloud security platform Wiz warn that the vulnerability is easy to exploit and is present in the default configuration of the affected packages.
Impact and fixes
According to React, the vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0. Next.js is impacted in experimental canary releases starting with 14.3.0-canary.77, and all releases of the 15.x and 16.x branches below the patched versions.
The flaw exists in the 'react-server' package used by React Server Components (RSC), but Next.js inherits it through its implementation of the RSC "Flight" protocol.
Wiz researchers say that 39% of all cloud environments where they have visibility contain instances of Next.js or React running versions vulnerable to CVE-2025-55182, CVE-2025-66478, or both.
The same vulnerability likely exists in other libraries that implement React Server, including the Vite RSC plugin, Parcel RSC plugin, React Router RSC preview, RedwoodSDK, and Waku.
Software supply-chain security company Endor Labs explains that the React2Shell "is a logically insecure deserialization vulnerability where the server fails to properly validate the structure of incoming RSC payloads."
The server fails to validate the malformed payload it receives from the attacker, and as a result executes privileged JavaScript code in the server's context.
Davidson created a React2Shell website, where he will publish technical details. The researcher is also warning that there are proof-of-concept (PoC) exploits circulating that are not genuine.
These PoCs invoke functions like vm#runInThisContext, child_process#exec, and fs#writeFile, but a genuine exploit does not need this, the researcher says.
"This would only be exploitable if you had consciously chosen to let clients invoke these, which would be dangerous no matter what," Davidson notes.
He further explained that these fake PoCs would not work against Next.js, because Next.js manages its list of server functions automatically and these functions are not exposed.
Developers are strongly advised to apply the fixes available in React versions 19.0.1, 19.1.2, and 19.2.1, and Next.js versions 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7.
Organizations should audit their environments to determine if they use a vulnerable version and take the appropriate action to mitigate the risk.
The popularity of the two solutions is reflected in the number of weekly downloads, as React counts 55.8 million on the Node Package Manager (NPM), and Next.js has 16.7 million on the same platform.


Bill Toulas
Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.


Critical React, Next.js Flaw Presents a Severe Server-Side Code Execution Risk

A newly discovered vulnerability, dubbed “React2Shell,” poses a significant risk of remote code execution within React and Next.js applications. This flaw, identified by security researcher Lachlan Davidson, stems from insecure deserialization within the React Server Components (RSC) ‘Flight’ protocol. As of December 4, 2025, the issue has a severity score of 10/10, highlighting its critical nature.

The vulnerability resides in React versions 19.0, 19.1.0, 19.1.1, and 19.2.0, along with experimental canary releases starting with Next.js 14.3.0-canary.77. The core issue is related to React Server, impacting the React Router RSC preview, RedwoodSDK, and Waku. Notably, the vulnerability also affects Next.js due to its implementation of the RSC “Flight” protocol.

Impact and Prevalence

According to Wiz cloud security, approximately 39% of cloud environments utilizing React or Next.js are affected by this vulnerability. This speaks to the widespread adoption of these frameworks in modern application development, particularly in cloud-based environments. The popularity of React itself—with a staggering 55.8 million weekly downloads on npm—and Next.js (16.7 million) underscores the scale of the potential impact.

The Root Cause: Insecure Deserialization

The vulnerability's genesis lies in the way React Server Components (RSC) handle incoming data. Specifically, the system fails to adequately validate the structure of RSC payloads received from clients. An attacker can exploit this by sending a malformed request, triggering the execution of privileged JavaScript code within the server’s context.

Davidson created a React2Shell website, detailing the technical specifics of the vulnerability. He was cautious, noting that while proof-of-concept (PoC) exploits exist, an actual exploit does not require invoking functions like `vm#runInThisContext`, `child_process#exec`, or `fs#writeFile`. This mitigates some risk, but the underlying possibility remains.

Severity and Mitigation – Urgent Action Required

The risk posed by React2Shell is amplified by the ease with which it could be exploited. The fact that the vulnerability exists in the default configuration of the impacted packages emphasizes the urgency of remediation. To address this issue, developers are strongly advised to apply the fixes available in React versions 19.0.1, 19.1.2, and 19.2.1, alongside Next.js versions 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7.

Furthermore, organizations are urged to conduct thorough audits of their environments to identify any potentially vulnerable instances of React or Next.js. Prompt remediation – applying the available fixes – is paramount to mitigating the associated risks.
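The environment audit that both the article's "Impact and fixes" section and this summary call for, as an added example that is not code from the article or from the React and Next.js projects: a Node script that checks the "packages" map of a package-lock.json against the fixed versions and canary cutoff quoted above. It assumes, which the article does not state, that the react-server-dom-* packages are versioned in step with React.

```javascript
// Added example, not from the article or the React/Next.js projects: audit a package-lock.json
// "packages" map against the React2Shell ranges quoted above. Assumption: react-server-dom-* track React's versions.
const REACT_FIXED = ["19.0.1", "19.1.2", "19.2.1"];
const NEXT_FIXED = ["15.0.5", "15.1.9", "15.2.6", "15.3.6", "15.4.8", "15.5.7", "16.0.7"];
const REACT_LINE = new Set(["react", "react-server-dom-webpack",
  "react-server-dom-turbopack", "react-server-dom-parcel"]);
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}
// Semver ordering on the numeric parts; a prerelease sorts below its own release.
function lessThan(a, b) {
  for (const k of ["major", "minor", "patch"]) if (a[k] !== b[k]) return a[k] < b[k];
  return Boolean(a.pre) && !b.pre;
}
// Patched version on the same major.minor line if `version` is below it, else null.
function fixFor(version, fixedList) {
  const p = parseVersion(version);
  for (const f of p ? fixedList : []) {
    const fp = parseVersion(f);
    if (fp.major === p.major && fp.minor === p.minor && lessThan(p, fp)) return f;
  }
  return null;
}
// The article lists Next.js canaries from 14.3.0-canary.77 onward as affected.
function isAffectedNextCanary(version) {
  const p = parseVersion(version);
  const m = p && p.major === 14 && p.minor === 3 && p.patch === 0 ? /^canary\.(\d+)$/.exec(p.pre || "") : null;
  return m !== null && Number(m[1]) >= 77;
}
// Fix to apply for an affected (name, version), or null if not affected.
function fixNeeded(name, version) {
  if (REACT_LINE.has(name)) return fixFor(version, REACT_FIXED);
  if (name !== "next") return null;
  return isAffectedNextCanary(version) ? "a patched 15.x/16.x release" : fixFor(version, NEXT_FIXED);
}
// `packages` is the lockfile's "packages" object (keys like "node_modules/react").
function auditLockfile(packages) {
  const findings = [];
  for (const [path, entry] of Object.entries(packages)) {
    const name = path.split("node_modules/").pop();   // package name after the last node_modules/
    const fix = name && entry.version ? fixNeeded(name, entry.version) : null;
    if (fix) findings.push({ name, version: entry.version, fix });
  }
  return findings;
}
// Constructed sample lockfile fragment, not a real project's lockfile.
const SAMPLE_PACKAGES = { "node_modules/react": { version: "19.1.1" },
  "node_modules/next": { version: "15.5.6" }, "node_modules/react-server-dom-webpack": { version: "19.2.1" } };
console.log(auditLockfile(SAMPLE_PACKAGES));
```

To run it against a real project, replace SAMPLE_PACKAGES with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")).packages`; nested copies under other dependencies' node_modules directories are checked as well.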

Notable Observations

The widespread use of React and Next.js in cloud environments makes this vulnerability a critical concern for many businesses. The security researcher's efforts to document and share the details of React2Shell are crucial in accelerating the patching process. The inclusion of PoCs highlighted within the documentation, combined with Davidson's warnings about their limited functionality, underscores a thoughtful approach to security dissemination.

It's important to note that this isn't simply a vulnerability within React or Next.js, but rather a systemic risk within the broader ecosystem of component-based web development. Libraries utilizing React Server – such as Vite RSC plugins, Parcel RSC plugins, and React Router RSC preview – also inherit this vulnerability.

Moving forward, this incident will undoubtedly elevate the scrutiny placed on React Server Components and potentially shift developer thinking towards more robust security practices when designing and implementing RSCs. It’s a stark reminder that security must be considered at every level of the software development lifecycle.