Description
React2Shell is a critical unauthenticated remote code execution vulnerability affecting server-side usage of React Server Components and React Server Functions. The issue arises from a flaw in how React deserializes and decodes attacker-controlled payloads sent to Server Function endpoints. A maliciously crafted HTTP request can be interpreted as executable server-side code during deserialization, allowing attackers to achieve arbitrary code execution without authentication. In Next.js, this vulnerability is tracked separately as CVE-2025-66478 due to React being vendored rather than declared as a direct dependency.
Recommendation
Immediately upgrade all affected React and framework packages to patched versions. For React Server Components, upgrade to react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack versions 19.0.1, 19.1.2, 19.2.1, or later. Next.js users must upgrade to the latest patched release in their supported release line. Do not rely on temporary hosting-provider mitigations or WAF rules. If React Server Components or Server Functions are not required, consider disabling or removing server-side React functionality entirely.
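As an added example (not code from the advisory or from the React project), the following Node.js check classifies the installed react-server-dom-* packages against the patched versions named above, reading the "packages" map of a package-lock.json (a constructed sample is embedded). It assumes that versions below 19.0 and pre-release tags are reported as "unknown" rather than affected, that 19.x minor lines above 19.2 postdate the fix, and it does not cover Next.js because the advisory gives no version numbers for it.

```javascript
// Added example: classify react-server-dom-* versions against the patched
// releases this advisory names (19.0.1, 19.1.2, 19.2.1 or later).

const AFFECTED_PACKAGES = new Set([
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
]);

// Minimum patched patch level for each 19.x minor line (19.0.1, 19.1.2, 19.2.1).
const PATCHED_PATCH_BY_MINOR = { 0: 1, 1: 2, 2: 1 };

function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(version).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: !!m[4] };
}

// Returns 'patched', 'vulnerable' or 'unknown' for one version string.
// Assumption: pre-19.0 and pre-release builds are 'unknown', not 'vulnerable'.
function classifyVersion(version) {
  const v = parseVersion(version);
  if (!v || v.prerelease || v.major < 19) return 'unknown';
  if (v.major > 19) return 'patched';
  const minPatch = PATCHED_PATCH_BY_MINOR[v.minor];
  if (minPatch === undefined) return 'patched'; // 19.3+ lines released after the fix
  return v.patch >= minPatch ? 'patched' : 'vulnerable';
}

// Scan the "packages" map of a package-lock.json (lockfile v2/v3) and report
// every react-server-dom-* entry, including nested copies under node_modules.
function scanLockPackages(packages) {
  const findings = [];
  for (const [path, info] of Object.entries(packages)) {
    const idx = path.lastIndexOf('node_modules/');
    const name = idx === -1 ? path : path.slice(idx + 'node_modules/'.length);
    if (!AFFECTED_PACKAGES.has(name)) continue;
    findings.push({ path, version: info.version, status: classifyVersion(info.version) });
  }
  return findings;
}

// Constructed sample lockfile fragment, not taken from a real project.
const SAMPLE_LOCK_PACKAGES = {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/react': { version: '19.2.0' },
  'node_modules/react-server-dom-webpack': { version: '19.2.0' },
  'node_modules/next/node_modules/react-server-dom-turbopack': { version: '19.1.2' },
};

console.table(scanLockPackages(SAMPLE_LOCK_PACKAGES));
```

To run it against a real project, replace SAMPLE_LOCK_PACKAGES with `JSON.parse(fs.readFileSync('package-lock.json')).packages`.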
References
- React Blog: Denial of Service and Source Code Exposure in React Server Components
- react2shell.com
- CVE-2025-55182
- CVE-2025-66478
- CWE-20
- CWE-502
- CWE-78
- CAPEC-242
- CAPEC-88
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
- OWASP 2021-A8
Related Issues
- Apache Tomcat JSP Upload RCE - CVE-2017-12615, CVE-2017-12617
- PHP CGI Argument Injection RCE - CVE-2012-1823, CVE-2024-4577
- Apache Struts 2 Forced double OGNL evaluation S2-059 - CVE-2019-0230
- Apache Struts 2 RCE S2-045 - CVE-2017-5638
Tags:
- React
- Next.js
- RCE
- Deserialization
- Server Components
- Injection