CVE-2025-55182 – React Server Components Remote Code Execution (React2Shell)

Introduction

In this document, the vulnerability CVE-2025-55182, one of the most critical security flaws discovered in December 2025 with a CVSS score of 10.0 (Critical), is analyzed.

This vulnerability affects the implementation of React Server Components (RSC) and frameworks that rely on it — most notably Next.js.

This flaw, referred to by security researchers as React2Shell, allows unauthenticated remote code execution (RCE) through a single manipulated HTTP request, without requiring any authentication.

In this write-up:

• The architecture of RSC and the React Flight Protocol is examined
• The technical root cause of the vulnerability is explained
• The complete exploit chain is analyzed
• A real proof-of-concept (PoC) resulting in operating system–level code execution is described

Finally, we demonstrate how a seemingly simple deserialization flaw can lead to full server compromise.

Vulnerable Versions and Affected Packages

According to the official security advisory, the following versions are vulnerable.

Vulnerable React Versions

• 19.0.0
• 19.1.0
• 19.1.1
• 19.2.0

Vulnerable Packages

• react-server-dom-webpack
• react-server-dom-parcel
• react-server-dom-turbopack

Fixed Versions

To fully remediate this vulnerability, upgrading to one of the following versions is required:

• 19.0.1
• 19.1.2
• 19.2.1

Overview of React Server Components and the Flight Protocol

React Server Components is a feature introduced in React 19 that enables component rendering on the server side.

This model improves performance by offloading heavy computational work to the server, while only the final rendered output is sent to the client.

React Flight Protocol

Communication between the client and server in RSC is handled through the React Flight Protocol.

This protocol is responsible for the serialization and deserialization of data between both sides.

When a client invokes a Server Action, an HTTP request containing specially serialized data is sent, which the server deserializes and executes.

Flight Serialization Markers

The Flight protocol uses type markers, including:

• $@ → Chunk reference
• $B → Blob reference
• Property access paths using :

Example:

$1:constructor:constructor
This serialization mechanism forms the core of the vulnerability.

Root Cause: Unsafe Deserialization

CVE-2025-55182 is fundamentally an unsafe deserialization vulnerability in the handling of inbound Flight protocol payloads.

The issue exists in the requireModule function within the react-server-dom-webpack package:

function requireModule(metadata) {
 var moduleExports = __webpack_require__(metadata[0]);
 // ...
 return moduleExports[metadata[2]]; // VULNERABLE
}
The lack of proper validation allows an attacker to access internal JavaScript object paths, ultimately leading to arbitrary code execution on the server.

🐧 Linux

Required Actions

• Run the Node.js service as a non-root user
• Avoid running the service with sudo privileges
• Apply systemd hardening:
  • NoNewPrivileges=true
  • PrivateTmp=true
  • ProtectSystem=strict
• Restrict application user access to system binaries
• Run the service inside an isolated Container or VM

Result

In the event of exploitation, the attacker is confined to the limited privileges of the application user, preventing full system compromise.

🪟 Windows

Required Actions

• Run node.exe under a non-Administrator Windows user
• Restrict NTFS permissions strictly to the project directory
• Disable write access to system directories
• Enable Windows Defender Attack Surface Reduction (ASR)
• Monitor child processes such as:
  • cmd.exe
  • powershell.exe

Result

Arbitrary code execution is significantly constrained, reducing the likelihood of full system takeover.

🍎 macOS

Required Actions

• Run the Node.js service as a non-admin user
• Do not run the application with root privileges
• Use macOS Sandbox in organizational environments
• Inspect Launch Agents and Daemons
• Monitor child processes spawned by Node.js

Result

Prevention of post-exploitation persistence mechanisms.

🐳 Container Environments (Docker / Kubernetes)

Required Actions

• Run containers as non-root users
• Enable a read-only root filesystem
• Do not mount the Docker socket (/var/run/docker.sock)
• Restrict network traffic using NetworkPolicy
• Prevent container access to sensitive internal services

Result

Prevention of container escape, lateral movement, and full cluster compromise.

✅ Summary

• These measures do not fix the vulnerability in the code
• They limit the impact of a successful exploit to the lowest possible level
• Enforcing the Principle of Least Privilege across all operating systems is mandatory