Description
React2Shell is a critical unauthenticated remote code execution vulnerability affecting server-side usage of React Server Components and React Server Functions. The issue arises from a flaw in how React deserializes and decodes attacker-controlled payloads sent to Server Function endpoints. A maliciously crafted HTTP request can be interpreted as executable server-side code during deserialization, allowing attackers to achieve arbitrary code execution without authentication. In Next.js, this vulnerability is tracked separately as CVE-2025-66478 due to React being vendored rather than declared as a direct dependency.
Recommendation
Immediately upgrade all affected React and framework packages to patched versions. For React Server Components, upgrade to react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack versions 19.0.1, 19.1.2, 19.2.1, or later. Next.js users must upgrade to the latest patched release in their supported release line. Do not rely on temporary hosting-provider mitigations or WAF rules. If React Server Components or Server Functions are not required, consider disabling or removing server-side React functionality entirely.
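As an added example (not part of this advisory and not code from the React project), the following Node.js script checks a package-lock.json dependency map for the three react-server-dom-* packages and flags versions below the patched 19.0.1 / 19.1.2 / 19.2.1 releases listed above. It assumes lockfile v2/v3 layout and treats prerelease/canary builds, which the advisory's version list does not cover, as "unknown"; because Next.js vendors React, its copy will not appear in the lockfile and must be assessed via the Next.js release itself.

```javascript
// Added example: audit a package-lock.json "packages" map for the affected
// react-server-dom-* packages. Patched versions come from the advisory above.
const AFFECTED_PACKAGES = new Set([
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
]);
// First patched release for each 19.x release line named in the advisory.
const PATCHED_BY_MINOR = { 0: [19, 0, 1], 1: [19, 1, 2], 2: [19, 2, 1] };

// Parses "MAJOR.MINOR.PATCH" with an optional "-prerelease" suffix.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

function compareNums(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns 'patched', 'vulnerable', 'unknown' (unparseable, prerelease, or a
// major version the advisory does not list) or 'not-affected-package'.
function classify(name, version) {
  if (!AFFECTED_PACKAGES.has(name)) return 'not-affected-package';
  const p = parseVersion(version);
  if (!p || p.pre) return 'unknown';            // canary builds: not covered here
  const [major, minor] = p.nums;
  if (major !== 19) return 'unknown';           // advisory lists only 19.x lines
  const fix = PATCHED_BY_MINOR[minor];
  if (!fix) return 'patched';                   // 19.3+ falls under "or later"
  return compareNums(p.nums, fix) >= 0 ? 'patched' : 'vulnerable';
}

// Walks lockfile v2/v3 "packages" keys such as "node_modules/foo" or
// "node_modules/next/node_modules/foo" (nested installs are checked too).
function findVulnerable(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (classify(name, meta.version) === 'vulnerable') hits.push({ name, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile fragment (not a real project's lockfile).
const SAMPLE_LOCK = { packages: {
  '': { name: 'app', version: '1.0.0' },
  'node_modules/react-server-dom-webpack': { version: '19.1.1' },
  'node_modules/next/node_modules/react-server-dom-turbopack': { version: '19.2.1' },
} };
console.log(findVulnerable(SAMPLE_LOCK)); // → [ { name: 'react-server-dom-webpack', version: '19.1.1' } ]
```

For a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; any 'unknown' result still needs a manual check against the release notes.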
References
- React Blog: Denial of Service and Source Code Exposure in React Server Components
- react2shell.com
- CVE-2025-55182
- CVE-2025-66478
- CWE-20
- CWE-502
- CWE-78
- CAPEC-242
- CAPEC-88
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
- OWASP 2021-A8
Related Issues
- BrowserStack Local vulnerable to Command Injection through logfile variable - CVE-2025-57283
- LangChain serialization injection vulnerability enables secret extraction - CVE-2025-68665
- LangChain serialization injection vulnerability enables secret extraction (GHSA-r399-636x-v7f6) - CVE-2025-68665
- react-dev-utils OS Command Injection in function `getProcessForPort` - CVE-2021-24033
Tags
- React
- Next.js
- RCE
- Deserialization
- Server Components
- Injection