React2Shell: The 10.0 CVSS Nightmare in React Server Components

2026-01-03

The cybersecurity world was shaken on December 3, 2025, with the disclosure of CVE-2025-55182, ominously dubbed React2Shell.

With a maximum CVSS score of 10.0, this vulnerability allows unauthenticated remote code execution (RCE) on servers running vulnerable versions of React Server Components (RSC).

What is React2Shell?

React2Shell stems from an unsafe deserialization flaw in the React Flight protocol. When a server processes a malicious HTTP request targeting a Server Function endpoint, the flawed deserialization logic can be manipulated to execute arbitrary code.

Because this exploit requires no authentication and can be triggered remotely, it poses an existential threat to modern web applications built on the React ecosystem.

Who is Affected?

Applications using specific versions of the following packages are at risk:

  • React: Versions 19.0.0, 19.1.0, 19.1.1, 19.2.0
  • react-server-dom-webpack
  • react-server-dom-parcel
  • Next.js: Versions 15.x and 16.x (using App Router)

Immediate Mitigation

To protect your infrastructure, you must upgrade immediately:

npm install react@19.2.1 react-dom@19.2.1

If you are using Next.js, ensure you are on the latest patch release that addresses CVE-2025-66478.
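A quick way to check a dependency tree against the affected packages and the upgrade target listed above, as an added example that is not part of the original post: it takes a flat {package: version} map (for instance flattened from `npm ls --json`), and the sample project below is constructed.

```javascript
// Added example: audit installed versions for the React2Shell-affected
// packages named in the post. The input map and sample project are constructed.

const VULNERABLE_REACT = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
const FIXED_REACT = "19.2.1"; // upgrade target given in the post
const RSC_PACKAGES = ["react-server-dom-webpack", "react-server-dom-parcel"];
const NEXT_AFFECTED_MAJORS = new Set([15, 16]);

// Strip a leading range operator or "v" so "^19.2.0" and "v19.2.0" compare
// as "19.2.0". Good enough for lockfile-resolved or package.json pins.
function normalize(version) {
  return String(version).replace(/^[\^~=v]+/, "").trim();
}

// Returns an array of {pkg, version, status, note} findings.
function auditReactDeps(installed) {
  const findings = [];
  for (const [pkg, raw] of Object.entries(installed)) {
    const version = normalize(raw);
    const major = Number.parseInt(version.split(".")[0], 10);
    if (pkg === "react" || pkg === "react-dom") {
      // react-dom is checked against the same list because the post's
      // upgrade command bumps both packages together (assumption).
      if (VULNERABLE_REACT.has(version)) {
        findings.push({ pkg, version, status: "vulnerable", note: `upgrade to ${FIXED_REACT}` });
      }
    } else if (RSC_PACKAGES.includes(pkg)) {
      // The post names these packages but not their affected versions,
      // so any installed copy is flagged for review against the advisory.
      findings.push({ pkg, version, status: "review", note: "check advisory for affected versions" });
    } else if (pkg === "next" && NEXT_AFFECTED_MAJORS.has(major)) {
      findings.push({ pkg, version, status: "review", note: "confirm latest patch release for CVE-2025-66478" });
    }
  }
  return findings;
}

// Constructed sample project, not a real dependency tree.
const SAMPLE_INSTALLED = {
  react: "19.1.1",
  "react-dom": "19.2.1",
  next: "16.0.3",
  "react-server-dom-webpack": "19.1.1",
  express: "4.19.2",
};

for (const f of auditReactDeps(SAMPLE_INSTALLED)) {
  console.log(`${f.status.toUpperCase()}: ${f.pkg}@${f.version} (${f.note})`);
}
```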

Conclusion

React2Shell serves as a stark reminder that even the most modern and robust frameworks are not immune to critical flaws. If you are running RSCs in production, patch now.

Designed & Developed by Sonu

© 2026. All rights reserved.
