A newly discovered critical flaw in React Server Components, tracked as CVE-2025-55182 and now known as React2Shell, has exposed a massive portion of modern web infrastructure to unauthenticated remote code execution. A related vulnerability in Next js—CVE-2025-66478—shares the same underlying issue, creating one of the most severe security crises the JavaScript ecosystem has faced.

The vulnerability was uncovered by independent researcher Lachlan Davidson and submitted to Meta’s bug bounty program on November 29, 2025. Meta confirmed the issue the following day, released patches by December 1, and publicly disclosed the bug on December 3. The flaw received a maximum CVSS score of 10.0, reflecting its simple exploitation path, lack of required authentication, and potential for full server takeover.

Figure 1. React2Shell.

Security firm Wiz Research reports that the vulnerability affects 39% of cloud environments, with Next.js present in nearly 70% of those deployments. Alarmingly, 44% of environments with vulnerable Next.js setups are publicly exposed [1]. Exploitation requires only a single crafted request to an RSC endpoint and has shown near-perfect reliability in testing.

The weakness stems from insecure deserialization within the RSC “Flight” protocol. Because requests are not properly validated, attackers can inject malicious JavaScript that the server will execute—even if developers never defined custom server functions. Any application using default RSC configurations is considered vulnerable. Figure 1 shows React2Shell.

Other frameworks, including RedwoodJS and Waku, are in the process of issuing patches. Temporary risk-reduction steps include restricting access to server function routes, implementing WAF filters, and closely monitoring HTTP logs for abnormal activity.

Davidson cautioned that many early proof-of-concept exploits circulating online misrepresent how the bug works—highlighting that the flaw is exploitable even without explicitly dangerous server-side code. With no authentication barrier and a broad attack surface across production systems, security researchers are warning that real-world exploitation is likely imminent.

References

1. https://cyberinsider.com/react2shell-flaw-threatens-rce-in-39-of-all-cloud-environments/

Cite this article:

Keerthana S (2025), React2Shell Vulnerability Puts Nearly 40% of Cloud Deployments at Risk of Remote Code Execution, AnaTechMaz, pp.178