# CVE-2025-55182 (React2Shell) Explained: Impact, Fixes, and How to Verify Exposure

December 5, 2025

CVE-2025-55182, nicknamed “React2Shell”, is a newly disclosed, maximum-severity remote code execution (RCE) vulnerability in React Server Components (RSC). It impacts React 19 and popular frameworks that embed RSC, including the Next.js App Router. The bug carries a CVSS v3.1 score of 10.0, the highest possible, and allows unauthenticated attackers to run code on affected servers.

At a high level, the flaw is an unsafe deserialization issue in the way React Server Components decode data sent to Server Function endpoints. By sending a specially crafted HTTP payload, an attacker can abuse the RSC protocol so that the server deserializes untrusted data and ultimately executes arbitrary code. Crucially, the React team and multiple vendors note that apps may be exploitable even if they don’t explicitly use Server Functions, as long as they support React Server Components on the server.

This is why the vulnerability is being compared to earlier deserialization bugs like Log4Shell: it’s network-reachable, low-complexity, pre-auth, and requires no user interaction. In modern stacks where React and Next.js are everywhere, that’s a worrying combination.

## Who’s Affected and What Should You Do?

The React advisory confirms the bug in react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. Fixed versions are 19.0.1, 19.1.2, and 19.2.1. Next.js has its own advisory (CVE-2025-66478, now treated as a duplicate) covering Next.js 15 and 16 App Router releases (and certain 14.3.0 canaries), with patched versions such as 15.0.5+ and 16.0.7+.
### Immediate Steps Most Organizations Should Take

- Upgrade React RSC packages to a fixed version (19.0.1 / 19.1.2 / 19.2.1 or later).
- Upgrade frameworks like Next.js to the vendor-recommended patched releases.
- Enable vendor WAF rules or edge protections specifically targeting RSC exploit traffic.
- Review server permissions and monitoring so that a compromise, if it occurs, has a limited blast radius and clear signals.

## Beyond Version Checks: Are You Actually Exposed?

One emerging theme in early research is that the presence of React Server Components, or simple version enumeration, is not enough to understand real-world exposure. Several early PoCs mis-diagnose the root cause or can’t reliably confirm exploitable conditions; researchers are stressing the need for high-fidelity detection and realistic validation of this RCE.

That’s exactly the gap our autonomous offensive security platform, BreachLock Adversarial Exposure Validation (AEV), is designed to address. Instead of stopping at “you’re running a vulnerable version,” BreachLock AEV behaves more like a skilled attacker: it uses agentic, GenAI-driven logic to map your stack, interact with RSC and framework features as they’re actually deployed, and determine whether CVE-2025-55182 is truly exploitable in your environment. For teams trying to separate theoretical risk from practical exposure, that kind of adversarial, end-to-end validation is becoming essential.

Author: Saul Johnson, Chief AI Researcher