Description
React2Shell is a critical unauthenticated remote code execution vulnerability affecting server-side usage of React Server Components and React Server Functions. The issue arises from a flaw in how React deserializes and decodes attacker-controlled payloads sent to Server Function endpoints. A maliciously crafted HTTP request can be interpreted as executable server-side code during deserialization, allowing attackers to achieve arbitrary code execution without authentication. In Next.js, this vulnerability is tracked separately as CVE-2025-66478 due to React being vendored rather than declared as a direct dependency.
Recommendation
Immediately upgrade all affected React and framework packages to patched versions. For React Server Components, upgrade react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack to the patched release of your release line (19.0.1, 19.1.2, or 19.2.1) or later. Next.js users must upgrade to the latest patched release in their supported release line. Do not rely on temporary hosting-provider mitigations or WAF rules as a substitute for upgrading. If React Server Components or Server Functions are not required, consider disabling or removing server-side React functionality entirely.
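An added inventory check (example code, not from the advisory or the React project) that reads a package-lock.json v2/v3 "packages" map and compares each installed react-server-dom-* version against the fixed versions listed above. The sample lockfile is constructed; treating 19.3 and later lines as fixed is an assumption, and versions outside the 19.x lines are flagged for manual review.

```javascript
const AFFECTED_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];
// First patched version per 19.x minor line, as listed in the recommendation above.
const FIXED_BY_LINE = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };
// Parse "major.minor.patch[-prerelease]"; returns null when the string is not a version.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}
// Numeric comparison; a prerelease (e.g. a canary build) sorts below its release.
function compareVersions(a, b) {
  for (const k of ["major", "minor", "patch"]) if (a[k] !== b[k]) return a[k] - b[k];
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

// "patched", "vulnerable", or "review" for versions outside the lines the advisory lists.
function assess(version) {
  const v = parseVersion(version);
  if (!v) return "review";
  const fixed = FIXED_BY_LINE[`${v.major}.${v.minor}`];
  if (fixed) return compareVersions(v, parseVersion(fixed)) >= 0 ? "patched" : "vulnerable";
  // Assumption: 19.3 and later lines carry the fix; anything else needs manual review.
  return v.major === 19 && v.minor > 2 ? "patched" : "review";
}

// Walk a package-lock.json v2/v3 "packages" map (keys such as
// "node_modules/react-server-dom-webpack", possibly nested under another package).
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (AFFECTED_PACKAGES.includes(name) && entry.version) {
      findings.push({ name, version: entry.version, status: assess(entry.version) });
    }
  }
  return findings;
}
// Constructed sample lockfile for demonstration; not a real project's lockfile.
const SAMPLE_LOCK = { packages: {
  "node_modules/react-server-dom-webpack": { version: "19.2.0" },
  "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.2.1" },
  "node_modules/react": { version: "19.2.0" },
} };
console.table(auditLockfile(SAMPLE_LOCK));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; yarn and pnpm lockfiles use a different layout and need their own walker.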
References
- React Blog: Denial of Service and Source Code Exposure in React Server Components
- react2shell.com
- CVE-2025-55182
- CVE-2025-66478
- CWE-20
- CWE-502
- CWE-78
- CAPEC-242
- CAPEC-88
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
- OWASP 2021-A8