React2Shell (CVE-2025-55182) earned a perfect 10.0 CVSS score for good reason: a single HTTP request can compromise your entire Next.js server. Disclosed in December 2025, the vulnerability has already fueled 8.1 million attack sessions. Despite emergency patches, thousands of production applications remain exposed to nation-state hackers and cryptocurrency miners actively exploiting this flaw.
Why CVSS 10.0 Isn’t Hype
Maximum severity scores get thrown around carelessly, but React2Shell checks every box. The vulnerability lives in the "Flight" protocol that React Server Components use to move serialized data between client and server: the server-side deserializer accepts attacker-controlled payloads without adequately validating their structure. An attacker needs no authentication, no special access, and no user interaction. One crafted HTTP request to any Server Function endpoint yields remote code execution with the privileges of the Node.js process serving the application.
Security researchers testing the exploit reported near 100% reliability against default configurations. There’s no misconfiguration required, no edge case to trigger. If you’re running affected versions, you’re vulnerable out of the box.
From Disclosure to Exploitation in Hours
The React team disclosed CVE-2025-55182 on December 3, 2025, after coordinating emergency patches with hosting providers. Within hours, Amazon’s threat intelligence teams observed active exploitation by China state-nexus groups including Earth Lamia and Jackpot Panda. Google Cloud’s threat intelligence identified attacks ranging from opportunistic cybercriminals to suspected espionage operations.
By January 7, 2026, GreyNoise recorded 8.1 million attack sessions exploiting React2Shell. Wiz Research found that 39% of cloud environments contain vulnerable instances. The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2025-55182 to its Known Exploited Vulnerabilities catalog—confirmation that exploitation isn’t theoretical.
Threat actors deployed cryptocurrency miners like XMRIG alongside more sophisticated malware: MINOCAT tunnelers for persistent access, SNOWLIGHT downloaders, HISONIC backdoors, and COMPOOD implants. The vulnerability serves both quick-profit cryptomining operations and long-term espionage campaigns.
Who’s in the Blast Radius
React2Shell affects React 19.0.0 through 19.2.0 (the vulnerable code ships in the react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack packages that bundlers use for Server Components) and Next.js 15.x and 16.x when using the App Router. Next.js 14.3.0-canary.77 and later canary releases are also vulnerable. If you're running any of these, assume you're exposed.
The good news: Next.js 13.x, stable Next.js 14.x releases, applications using the Pages Router, and Edge Runtime deployments are not affected. The vulnerability specifically targets React Server Components implementations.
Patched versions are React 19.0.1, 19.1.2, and 19.2.1, plus Next.js 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7. Each is the first safe release of its line, so 15.4.7 is vulnerable while 15.4.8 is not. If you are on an affected line and below the patched number for that line, update immediately.
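The affected and patched ranges above are easy to misread by hand (15.4.7 is vulnerable, 15.5.7 is not, and a 14.3.0 canary can be either). The following check is an added example written for this article, not code from the React team, Vercel, or the fix-react2shell-next tool. It encodes the page's version lists as patched floors per release line and scans a lockfile's react and next entries. Two assumptions are labeled in the code: minor lines newer than those listed (19.3.x, 15.6.x, 16.1.x) are treated as patched, and the react, react-dom and react-server-dom-* packages are treated as versioned in lockstep. The sample lockfile is constructed for the example. A version check cannot tell whether an app uses the Pages Router or the Edge runtime, so the exceptions in the next paragraph still need manual confirmation.

```javascript
// Added example (not React's, Vercel's, or this article's code): a version-only
// check against the React2Shell (CVE-2025-55182) ranges listed on the page.

// Patched floors per release line, exactly as listed on the page.
// ASSUMPTION: minor lines newer than these (19.3.x, 15.6.x, 16.1.x, ...) were cut
// after the fix and are treated as patched.
const PATCHED = {
  react: { 19: { 0: 1, 1: 2, 2: 1 } },
  next: { 15: { 0: 5, 1: 9, 2: 6, 3: 6, 4: 8, 5: 7 }, 16: { 0: 7 } },
};

// ASSUMPTION: react, react-dom and react-server-dom-* are released in lockstep,
// so one table covers all of them.
const REACT_FAMILY = /^(react|react-dom|react-server-dom-(webpack|parcel|turbopack))$/;

// Parse "MAJOR.MINOR.PATCH[-pre.release][+build]"; a leading "v" is tolerated.
function parseSemver(input) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(String(input).trim());
  if (!m) throw new Error(`not a semver version: ${input}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : null };
}

// Semver ordering: numeric core first; a prerelease sorts below its own release,
// and numeric prerelease identifiers sort before alphanumeric ones.
function compareSemver(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (!a.pre && !b.pre) return 0;
  if (!a.pre) return 1;
  if (!b.pre) return -1;
  const n = Math.max(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    const x = a.pre[i], y = b.pre[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (+x !== +y) return +x < +y ? -1 : 1; }
    else if (xn !== yn) return xn ? -1 : 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when pkg@version falls inside the vulnerable range the page describes.
function isVulnerable(pkg, version) {
  const v = parseSemver(version);
  const family = REACT_FAMILY.test(pkg) ? 'react' : pkg === 'next' ? 'next' : null;
  if (!family) return false;                // not a package this CVE touches
  if (family === 'next' && v.major === 14) {
    // Stable 14.x is safe; only 14.3.0-canary.77 and later canaries are affected.
    return v.minor === 3 && v.patch === 0 && v.pre !== null &&
      v.pre[0] === 'canary' && /^\d+$/.test(v.pre[1] ?? '') && +v.pre[1] >= 77;
  }
  const minors = PATCHED[family][v.major];
  if (!minors) return false;                // 18.x, 13.x, 17.x: outside the affected majors
  const fixPatch = minors[v.minor];
  if (fixPatch === undefined) return false; // newer minor line, assumed patched (see above)
  const fixed = { major: v.major, minor: v.minor, patch: fixPatch, pre: null };
  return compareSemver(v, fixed) < 0;       // anything below the floor, including its prereleases
}

// Scan a package-lock.json (lockfileVersion 2/3 "packages" map). Nested copies
// under node_modules/x/node_modules/y are reported too, since they load as well.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!name || !entry.version) continue;
    if (!REACT_FAMILY.test(name) && name !== 'next') continue;
    findings.push({ path, name, version: entry.version, vulnerable: isVulnerable(name, entry.version) });
  }
  return findings;
}

// Constructed sample lockfile (not from any real project): react/react-dom are
// patched, but next and the bundler package are still on vulnerable releases.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/next': { version: '15.5.6' },
    'node_modules/react': { version: '19.2.1' },
    'node_modules/react-dom': { version: '19.2.1' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.vulnerable ? 'VULNERABLE' : 'ok        '} ${f.name}@${f.version} (${f.path})`);
}
```

Point scanLockfile at JSON.parse of your real package-lock.json (or at the equivalent map from your pnpm or yarn lockfile) and treat any VULNERABLE line as a blocker for deployment. Note that patching react alone is not enough: the sample shows react-dom at 19.2.1 while react-server-dom-webpack is still at 19.2.0, which is exactly the partial update a hurried manual bump produces.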
What You Must Do Now
Patching is the only real fix. Vercel released a tool that applies the update in one command: npx fix-react2shell-next. Run it, confirm that the installed versions in your lockfile now match the patched list above, and redeploy. Don't wait for your next sprint or maintenance window: active exploitation means every hour of delay increases risk.
As a temporary measure while you patch, deploy Web Application Firewall rules. AWS offers protection in AWSManagedRulesKnownBadInputsRuleSet version 1.24 and later. Google Cloud provides detection rules through Cloud Armor. Cloudflare published a threat brief with recommended WAF configurations. These aren't substitutes for patching: WAF signatures match known payload shapes and are routinely bypassed by encoding variants, so treat them as a short buffer during the update window, not as a mitigation.
After patching, rotate all application secrets. The vulnerability's disclosure-to-exploitation timeline measured in hours, not days. If you were running vulnerable versions when the CVE went public, assume potential compromise. Rotating secrets on a host that still carries an attacker's implant only hands the attacker the new credentials, so first check for unexpected processes, cron entries, and outbound connections, or rebuild the host from a clean image, and then rotate API keys, database credentials, session secrets, and any other sensitive configuration.
The Framework Security Crisis
React2Shell follows a familiar pattern. Log4Shell devastated Java applications in 2021. Spring4Shell hit the Spring Framework in 2022. Now React Server Components in 2025. The common thread is not deserialization as such (Log4Shell was a JNDI lookup injected through log messages, Spring4Shell abused data binding to reach the class loader) but unsafe handling of attacker-controlled input deep inside framework plumbing that shipped features faster than security audits could validate them.
React Server Components were cutting-edge when Next.js made the App Router, which is built on them, its recommended default. But innovation means unproven in production at scale. Security researchers discovered two additional vulnerabilities (CVE-2025-55183 and CVE-2025-55184) while testing the initial React2Shell patches, a sign that the codebase hadn't received sufficient security hardening before release.
Framework maintainers face pressure to ship features that match competitors. Developers face pressure to adopt new frameworks that promise better performance. The result: rapid adoption of insufficiently battle-tested code, followed by emergency patching when vulnerabilities surface.
This creates update fatigue. Developers already juggle dependency updates, breaking changes, and security patches across dozens of packages. Another critical CVE demanding immediate action feels like the new normal—because it is.
Patch Now, Question Later
Update your React and Next.js versions today. Use Vercel’s automated tool, deploy WAF rules, and rotate your secrets. React2Shell’s 8.1 million attack sessions prove the threat is real and ongoing.
But after you patch, ask whether frameworks should move this fast. React Server Components delivered impressive capabilities—and a maximum-severity vulnerability within months of widespread adoption. The industry prioritizes features over security hardening, leaving developers to manage the consequences. React2Shell won’t be the last critical framework CVE. Prepare accordingly.