On November 29, 2025, a vulnerability dropped that made a lot of security teams cancel their weekends. Tracked as CVE-2025-55182 and quickly dubbed React2Shell, it carries a maximum CVSS score of 10.0 and allows unauthenticated remote code execution in any application using React Server Components (RSC).
What made this one especially painful: it wasn’t theoretical. Exploits were circulating in the wild within hours of disclosure, making React2Shell one of the most aggressively weaponized web application vulnerabilities in recent memory.
## Why the React Ecosystem Makes This Worse
In 2025, React sits at the center of a tightly coupled stack: frameworks like Next.js, React Router, and Waku handle routing and server actions; bundlers like Webpack, Turbopack, Parcel, and Vite package and execute server-side components; and React 19’s Server Components architecture means application logic runs directly on your backend infrastructure.
When a vulnerability lands in a core React server package, it doesn’t stay contained. It propagates up through every framework, bundler, and application built on top — which is a lot of the internet.
## Who’s Affected?
Security researchers estimate 39% of scanned cloud environments contain at least one vulnerable instance. That’s not a niche problem. Affected industries include:
- Financial Services & FinTech — banking portals, payment processors, and trading dashboards running React-based frontends.
- E-commerce & Retail — high-traffic storefronts built on Next.js App Router.
- SaaS & Cloud Infrastructure — applications running across AWS, Azure, GCP, and Alibaba Cloud.
- Public Sector & Healthcare — government portals and patient management systems that modernized their web stacks in recent years.
## How It Works
React2Shell is an unsafe deserialization vulnerability in the React Flight protocol — the serialization layer that powers React Server Components.
### The Flight Protocol
When a client triggers a Server Action, it sends a multipart request containing serialized metadata. The server deserializes that data and resolves module exports. This is where things break down.
### The Vulnerable Code Path
The flaw lives in the `requireModule` function inside:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
During deserialization, React resolves module exports using unvalidated client-supplied metadata via JavaScript bracket notation:
```js
moduleExports[metadata[2]]
```
The issue? Bracket notation in JavaScript doesn't limit access to an object's own properties — it traverses the entire prototype chain.
### The Exploit
An attacker sends a crafted Flight request containing colon-separated property references like:
```
$1:constructor:constructor
```
This walks the prototype chain to reach the global Function constructor. From there, arbitrary code execution is trivial. A typical proof-of-concept payload resolves to something like:
```js
process.mainModule
  .require('child_process')
  .execSync('whoami');
```
No authentication required. The payload runs with full server privileges because React treats the malicious chunk as a legitimate internal structure.
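To make the prototype-chain point concrete, here is an added example (not React's code): a toy stand-in for the Flight reference resolver, with the plain bracket lookup beside a version that only accepts own properties of the exports object. The module map, the chunk id `1`, and the export names are constructed for the demo; the real `requireModule` and React's actual fix differ in detail.

```javascript
// Constructed module map: chunk id -> module exports. Stands in for the
// bundle's module table that Flight resolves client-supplied references against.
const moduleMap = {
  1: { default: () => "rendered page", helper: () => 42 },
};

// Split a reference like "$1:constructor:constructor" into chunk id and key path.
function parseReference(ref) {
  if (!ref.startsWith("$")) throw new Error(`not a reference: ${ref}`);
  const [id, ...keys] = ref.slice(1).split(":");
  return { id, keys };
}

// Vulnerable shape: bracket notation on each client-supplied key. Inherited
// properties resolve too, so "constructor" climbs to Object, then to Function.
function resolveUnsafe(ref) {
  const { id, keys } = parseReference(ref);
  let current = moduleMap[id];
  for (const key of keys) current = current[key];
  return current;
}

// Hardened shape: exactly one key, and it must be an own property of the
// exports object. Anything reached only via the prototype chain is rejected.
function resolveSafe(ref) {
  const { id, keys } = parseReference(ref);
  if (!Object.hasOwn(moduleMap, id)) throw new Error(`unknown chunk: ${id}`);
  const exports = moduleMap[id];
  if (keys.length !== 1) throw new Error(`nested path rejected: ${ref}`);
  if (!Object.hasOwn(exports, keys[0])) throw new Error(`unknown export: ${keys[0]}`);
  return exports[keys[0]];
}

// True when a reference resolves all the way to the global Function constructor.
function reachesFunctionConstructor(resolver, ref) {
  try { return resolver(ref) === Function; } catch { return false; }
}
```

`Object.hasOwn` is the own-property check; `in` or a bare bracket lookup would accept `constructor` again.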
## Affected Versions
Vulnerable React versions: 19.0.0, 19.1.0, 19.1.1, 19.2.0
Vulnerable packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack
Affected downstream frameworks and bundlers: Next.js, React Router, Waku, @parcel/rsc, @vitejs/plugin-rsc, rwsdk
## What’s Being Exploited Right Now
The post-disclosure exploitation window for React2Shell has been fast and broad. Security firms including Google Cloud GTIG, Microsoft, and Wiz have all documented active campaigns targeting:
- Financial platforms — harvesting session tokens and credentials
- Cloud-hosted SaaS — pulling IMDS and cloud API tokens
- E-commerce sites — scanning for exposed Server Action endpoints
- Healthcare environments — targeting regulated data
- High-value tech providers — password managers, secure vault services
Known threat actors observed exploiting React2Shell include:
- China-nexus groups (Earth Lamia, Jackpot Panda) deploying backdoors like COMPOOD and ANGRYREBEL.LINUX
- North Korean actors running EtherRAT campaigns targeting crypto assets
- Botnet operators (InfectedSlurs, Rondo, Outlaw) mass-deploying XMRig cryptominers and Mirai malware
Scale: 165,000+ vulnerable IPs and 644,000 domains identified shortly after disclosure, with heavy exploitation activity across North America, East Asia, and Southeast Asia — particularly universities and government infrastructure.
Observed payloads: backdoors (HISONIC, COMPOOD, PeerBlight), reverse proxies (CowTunnel for firewall bypass), and credential harvesters (TruffleHog, Gitleaks) targeting API keys and cloud tokens.
## Patch Now
This isn’t a “schedule it for next sprint” situation. Upgrade immediately:
| Vulnerable Version | Required Patch |
|---|---|
| 19.0.0 | 19.0.1 |
| 19.1.x | 19.1.2 |
| 19.2.0 | 19.2.1 |
Microsoft and other cloud providers have published additional guidance for assessing exposure across server and containerized environments.
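An added exposure check (not from the advisory or React) against the versions listed above: it walks the `packages` map of a package-lock.json v2/v3, finds the React packages named on this page, and reports any at a listed vulnerable version with the patch release it needs. It assumes the react-server-dom-* packages are versioned in lockstep with React, and the sample lockfile is constructed.

```javascript
// Versions from the advisory table above.
const VULNERABLE = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
const PATCH_FOR_MINOR = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };
const WATCHED = new Set([
  "react", "react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack",
]);

// Classify one installed package; null when it is not a package we track.
function classify(name, version) {
  if (!WATCHED.has(name)) return null;
  if (VULNERABLE.has(version)) {
    const minor = version.split(".").slice(0, 2).join(".");
    return { name, version, status: "vulnerable", upgradeTo: PATCH_FOR_MINOR[minor] };
  }
  return { name, version, status: "not-listed" };
}

// Walk a lockfile's "packages" map (v2/v3). Keys are install paths such as
// "node_modules/react" or "node_modules/next/node_modules/react", so the
// package name is whatever follows the last "node_modules/".
function scanLockfile(lockJson) {
  const findings = [];
  for (const [installPath, entry] of Object.entries(lockJson.packages ?? {})) {
    if (installPath === "") continue; // root project entry, not a dependency
    const marker = "node_modules/";
    const name = installPath.slice(installPath.lastIndexOf(marker) + marker.length);
    const result = classify(name, entry.version);
    if (result && result.status === "vulnerable") findings.push({ installPath, ...result });
  }
  return findings;
}

// Constructed sample lockfile; versions chosen to exercise the check.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "shop-frontend", version: "1.0.0" },
    "node_modules/react": { version: "19.1.1" },
    "node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/some-framework": { version: "0.0.0-constructed" },
    "node_modules/some-framework/node_modules/react": { version: "19.2.1" },
  },
};
```

Nested copies under a framework's own `node_modules` are reported separately, so a patched top-level `react` does not prove the whole tree is clean.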
## The Bigger Takeaway
React2Shell is a good reminder that the “frontend vs. backend” mental model doesn’t hold anymore. React Server Components execute directly on your backend infrastructure, which means vulnerabilities in the frontend ecosystem now carry infrastructure-level blast radius.
If you’re running React 19, especially with Next.js and Server Actions, treat CVE-2025-55182 as a critical incident. Patch, then do your post-compromise validation.