Dec 08, 2025

Priority-Zero Patching Event: React2Shell

CVE-2025-55182


Overview and Impact

On December 3, 2025, the React team at Meta disclosed a Critical (CVSS 10.0) Unauthenticated Remote Code Execution (RCE) vulnerability, tracked as CVE-2025-55182. This flaw affects the server-side rendering and execution logic within React Server Components (RSC).

The vulnerability affects an estimated 82% of modern JavaScript web applications using React 19 or frameworks built on RSC (most notably the Next.js 15 and 16 series). Successful exploitation typically yields immediate access to environment variables, database credentials, cloud metadata endpoints, and the ability to establish reverse shells.

Given the low complexity and the massive adoption of React 19 and Next.js, this is a Priority-Zero patching event.

  • Vulnerable Versions: React 19.0.0 through 19.2.0 and downstream frameworks, including Next.js (14.3.0-canary.77+, all 15.x, all 16.x ≤16.0.6), Waku, and RedwoodJS with RSC enabled.
  • Attack Vector: Malformed RSC Flight stream sent via an HTTP POST to any exposed Server Action/Function endpoint.
  • Exploitation Status: No confirmed widespread in-the-wild attacks as of the disclosure date, but private exploit chains are confirmed, and mass scanning is highly anticipated.

Mitigation and Defense Strategy

Immediate action is mandatory to defend against this critical vulnerability.

Immediate (0–4 hours)

  • Deploy or upgrade to patched versions, as indicated in the table below.
  • Force-redeploy all Vercel, Netlify, Cloudflare Pages, and self-hosted instances.

| Product | Vulnerable Versions | Patched Versions |
| --- | --- | --- |
| React | 19.0.0 – 19.2.0 | 19.0.1, 19.1.2, 19.2.1 |
| Next.js (App Router) | All 15.x, all 16.x ≤16.0.6 | 15.0.5+, 16.0.7+ |
| Other RSC Frameworks | Waku, RedwoodJS, Vite/Parcel RSC plugins | Upgrade the React dependency and monitor vendor patches |

Interim Mitigation (If Patching is Delayed)

  • Block RSC-specific Content-Types at the edge (Cloudflare rule: “Block if request contains __proto__ in body and Content-Type contains x-component”).
  • Temporarily disable Server Actions via middleware (`if (req.nextUrl.pathname.includes('action')) return new Response('Disabled', {status: 403})`).

Long-Term

  • Enable React’s upcoming “Secure Flight Mode” (opt-in in 19.3).
  • Audit all public-facing Server Actions for authentication requirements.

Indicators of Compromise (IOCs)

  • Unexpected POST requests with `Content-Type: multipart/mixed; boundary=—` or `text/x-component`
  • Requests containing RSC row prefixes (`J:`, `$:`, `M:`, `E:`) with embedded `__proto__` or numeric refs pointing to native symbols
  • Anomalous outbound connections from Node.js processes shortly after such requests
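As an added example, not code from the advisory or from the React project, the following Node.js snippet turns the three indicators above into a request-level check plus a simple time-window correlation with outbound connections; the record field names and the 60-second window are assumptions.

```javascript
// Added example (not from the advisory or the React project): flags POST
// requests matching the React2Shell indicators above and pairs them with
// later outbound connections. All records are constructed; the field names
// (method, headers, body, path, ts, process, dst) are assumed.
const RSC_CONTENT_TYPES = [/text\/x-component/i, /multipart\/mixed/i];
// Flight row prefixes named in the IOC list, optionally after a numeric row id.
const RSC_ROW_PREFIX = /(^|\n)(\d+:)?[J$ME]:/;

function analyzeRequest(req) {
  const reasons = [];
  if (req.method !== 'POST') return { suspicious: false, reasons };
  const contentType = (req.headers['content-type'] || '').toLowerCase();
  const body = req.body || '';
  if (RSC_CONTENT_TYPES.some((re) => re.test(contentType))) {
    reasons.push(`rsc content-type: ${contentType}`);
  }
  if (RSC_ROW_PREFIX.test(body) && body.includes('__proto__')) {
    reasons.push('flight rows carrying __proto__');
  }
  return { suspicious: reasons.length > 0, reasons };
}

// Third indicator: a Node.js process opening an outbound connection within
// windowMs of a suspicious request. Returns one alert per flagged request.
function correlateOutbound(requests, connections, windowMs = 60000) {
  const alerts = [];
  for (const req of requests) {
    const { suspicious, reasons } = analyzeRequest(req);
    if (!suspicious) continue;
    const outbound = connections
      .filter((c) => c.process === 'node' && c.ts >= req.ts && c.ts - req.ts <= windowMs)
      .map((c) => c.dst);
    alerts.push({ ts: req.ts, path: req.path, reasons, outbound });
  }
  return alerts;
}

// Constructed sample traffic: a benign JSON login POST and one request matching
// the indicators, followed by an outbound connection from a node process.
const SAMPLE_REQUESTS = [
  { ts: 1000, path: '/api/login', method: 'POST',
    headers: { 'content-type': 'application/json' }, body: '{"user":"alice"}' },
  { ts: 2000, path: '/', method: 'POST',
    headers: { 'content-type': 'text/x-component' },
    body: 'J:{"__proto__":{"x":1}}\n1:M:["$0"]' },
];
const SAMPLE_CONNECTIONS = [{ ts: 2500, process: 'node', dst: '203.0.113.7:4444' }];
console.log(JSON.stringify(correlateOutbound(SAMPLE_REQUESTS, SAMPLE_CONNECTIONS)));
```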

Technical Deep Dive: The Deserialization Flaw

The vulnerability is rooted in insecure deserialization combined with prototype pollution within the proprietary “Flight” protocol. This allows an unauthenticated attacker to achieve full arbitrary code execution on a vulnerable application server with a single, crafted HTTP POST request.

The core issue stems from FlightReplyServer's lenient resolution logic, which implicitly expands properties during deserialization without performing the hasOwnProperty checks that are essential to block the __proto__ injection primitive.

Understanding the Root Cause

  1. Server Actions and Flight: React Server Components expose server functions (Server Actions) as HTTP endpoints. The client sends data, encoded in the Flight format, to these endpoints.
  2. Insecure Resolution: The server-side component, specifically FlightReplyServer (in packages like react-server-dom-webpack), parses the incoming Flight stream. The flaw lies in its recursive object resolution logic (resolveModel), which lacks strict validation against prototype manipulation.
  3. Prototype Pollution: An attacker crafts a Flight payload that injects a property like __proto__ during deserialization. This allows them to pollute the global Object.prototype, effectively tainting all subsequent objects created by the application.
  4. RCE Escalation: The polluted prototype enables the attacker to hijack native JavaScript methods (a gadget chain). By resolving a built-in symbol to a Node.js function like require and loading the child_process module, the attacker can execute arbitrary OS commands, achieving RCE (e.g., establishing a reverse shell).

Conclusion and Outlook

This is one of the most critical vulnerabilities to impact the modern JavaScript ecosystem in 2025. The attack is unauthenticated, trivial to automate, and provides immediate RCE, bypassing standard application-level authentication. Security teams must prioritize immediate patching across all React 19 and Next.js 15/16 deployments. Interim WAF and endpoint monitoring are essential until a full patch is verified.

Reference: Armis Vulnerability Intelligence Database