
React2Shell: CVSS 10.0 RCE Hits Next.js in 30 Hours

On December 3, 2025, the React team and Vercel disclosed CVE-2025-55182, a CVSS 10.0 remote code execution vulnerability in React Server Components and Next.js. Public exploit code surfaced within roughly 30 hours of the patch release, and by December 5 exploitation in the wild was confirmed; Google later tied the activity to five distinct threat clusters, including China-nexus groups. The vulnerability, dubbed "React2Shell," lets an unauthenticated attacker execute arbitrary code on a vulnerable server with a single crafted HTTP request: no credentials, no user interaction, and no mistake on the developer's part required.

The Vulnerability: Default and Unauthenticated

CVE-2025-55182 is an insecure deserialization flaw in the "Flight" protocol that React Server Components use to move payloads between client and server. The server-side decoder trusts the structure of an incoming RSC payload rather than validating it. An attacker supplies an object that masquerades as one of React's internal "Chunk" objects and carries a malicious then method; when React's internals try to resolve that Chunk as a promise, they call the attacker-controlled then, and that call is the path to remote code execution.

The critical detail is that a default Next.js application is vulnerable with zero code changes by the developer. A standard app scaffolded with create-next-app and built for production can be exploited out of the box. This is not a vulnerability that requires a developer mistake; it is a flaw at the framework level.

Affected versions include React 19.0.0 through 19.2.0 and Next.js 13.x through 16.x when the App Router is in use. Wiz Research found vulnerable workloads in 39% of the cloud environments it scanned, and estimated more than 968,000 servers exposed to unauthenticated RCE.

30 Hours from Patch to Weaponized Exploit

The timeline shows how fast modern attackers move. Lachlan Davidson responsibly disclosed the vulnerability to Meta on November 29. React and Vercel released patches on December 3. Amazon's threat intelligence team observed exploitation attempts by China state-nexus groups within hours of that disclosure, and a public proof-of-concept exploit was circulating within 30 hours.

By December 5, two days after the patch, active exploitation was confirmed and CISA added CVE-2025-55182 to its Known Exploited Vulnerabilities (KEV) catalog. By December 12, Google had identified five distinct threat clusters (UNC6600, UNC6586, UNC6588, UNC6603, UNC6595) exploiting the flaw globally.

A 30-hour patch-to-exploit window is extraordinarily short. Most organizations run patch cycles measured in days or weeks; here, attackers moved in hours.

Real-World Attacks: APT Groups and Credential Theft

The exploitation was not theoretical. AWS and Google Cloud documented systematic attacks that deployed Cobalt Strike beacons, credential harvesters, and cryptocurrency miners. Attackers dropped web shells and used them to harvest credentials from environment variables, the filesystem, and cloud instance metadata, with particular interest in AWS credentials, which were Base64-encoded before exfiltration.

Observed payloads included Nezha agents, Sliver implants, XMRig miners, and multiple backdoors. The supply chain dimension compounds the risk: Palo Alto Networks Unit 42 connected React2Shell to the GitHub Actions compromise tracked as CVE-2025-30066, in which the widely used tj-actions/changed-files action was tampered with to dump CI/CD secrets into public build logs, a campaign that initially targeted Coinbase.

Scale: 10 Million Sites, 82% Developer Adoption

React is used by 82% of JavaScript developers (2024 State of JavaScript survey) and underpins sites such as Instagram, Netflix, and Airbnb; Next.js alone powers more than 10 million active websites. That scale turns a single framework bug into systemic risk. If you run React Server Components or Next.js, this affects you directly.

By December 8, 362 unique source IP addresses had been observed attempting exploitation. The attack surface is massive and exploitation is ongoing.

What Developers Must Do NOW

Immediate patching is required. For React, upgrade to 19.0.1, 19.1.2, or 19.2.1, whichever matches your minor line. For Next.js, upgrade to the patched release for your line: 14.2.35 for 14.x, 15.0.7 for 15.0.x, 15.1.11 for 15.1.x, 15.2.8 for 15.2.x, 15.3.8 for 15.3.x, 15.4.10 for 15.4.x, 15.5.9 for 15.5.x, or 16.0.10 for 16.0.x. Check the Next.js security advisory for the current list before you pin a version.

Scan applications for vulnerable versions with a dependency scanner, and check lockfiles rather than package.json so that transitive and nested copies are caught. Deploy Web Application Firewall rules to block exploit attempts, but treat the WAF as a stopgap, not a substitute for the upgrade. Monitor server logs for anomalous RSC payload requests. If a host was compromised, assume every secret it could read is burned: rotate all cloud credentials immediately (AWS, Azure, GCP, everything), rotate API keys and tokens held in environment variables, and hunt for web shells and persistence, because patching does not evict an attacker who already landed.
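As an added example (my own code, not tooling from the React team or Vercel), the check below reads an npm package-lock.json and flags any installed copy of next or React that sits below the patched releases listed in this article. It assumes a lockfileVersion 2 or 3 file, whose "packages" map lists every installed copy including nested ones, and that the react-server-dom-* packages track React's version numbers; both are my assumptions, as is the constructed sample lockfile it scans when run without arguments.

```javascript
'use strict';
// Added example (not code from the React or Next.js projects): flag installed React and
// Next.js versions that fall below the patched releases named in this article.
// My assumptions: npm lockfileVersion 2 or 3, whose "packages" map lists every installed
// copy (nested copies appear under ".../node_modules/<name>"), and react-server-dom-*
// packages sharing React's version line.

// Patched release per minor line, copied from the article's upgrade list.
const NEXT_FIXED = {
  '14.2': '14.2.35', '15.0': '15.0.7', '15.1': '15.1.11', '15.2': '15.2.8',
  '15.3': '15.3.8', '15.4': '15.4.10', '15.5': '15.5.9', '16.0': '16.0.10',
};
const REACT_FIXED = { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' };

const REACT_PACKAGES = new Set([
  'react', 'react-server-dom-webpack', 'react-server-dom-parcel', 'react-server-dom-turbopack',
]);

// Parse "MAJOR.MINOR.PATCH[-tag]"; the prerelease tag is discarded so that a canary build
// is judged by its base version, which errs on the side of flagging it.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

function compare(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Null when the version is outside the affected range or at/above the patch;
// otherwise a short reason string describing why it is flagged.
function reactStatus(version) {
  const v = parseVersion(version);
  if (v.major !== 19 || v.minor > 2) return null; // article: 19.0.0 through 19.2.0
  const fixed = REACT_FIXED[`${v.major}.${v.minor}`];
  return compare(v, parseVersion(fixed)) < 0 ? `below patched ${fixed}` : null;
}

function nextStatus(version) {
  const v = parseVersion(version);
  if (v.major < 13 || v.major > 16) return null; // article: 13.x through 16.x (App Router)
  const fixed = NEXT_FIXED[`${v.major}.${v.minor}`];
  if (!fixed) {
    return `${v.major}.${v.minor}.x: no patched release listed here; verify against the Next.js advisory`;
  }
  return compare(v, parseVersion(fixed)) < 0 ? `below patched ${fixed}` : null;
}

// Walk the lockfile's "packages" map; the package name is everything after the last
// "node_modules/" in the key, which keeps scoped names like "@scope/pkg" intact.
function scanLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '' || !entry || !entry.version) continue; // "" is the project root
    const idx = key.lastIndexOf('node_modules/');
    if (idx < 0) continue; // workspace links, not installed packages
    const name = key.slice(idx + 'node_modules/'.length);
    let reason = null;
    if (name === 'next') reason = nextStatus(entry.version);
    else if (REACT_PACKAGES.has(name)) reason = reactStatus(entry.version);
    if (reason) findings.push({ path: key, name, version: entry.version, reason });
  }
  return findings;
}

// Constructed sample lockfile (not a real project): top-level next and react are one
// release behind the patch, react-server-dom-webpack is patched, and a nested React 18
// copy is out of scope. Expect exactly two findings.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { next: '15.5.8', react: '19.2.0' } },
    'node_modules/next': { version: '15.5.8' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.1' },
    'node_modules/some-tool/node_modules/react': { version: '18.3.1' },
  },
};

// Scan a real lockfile when a path is given, otherwise the constructed sample.
// Caveat: a finding proves a vulnerable build is installed; exploitability also depends on
// the app using the App Router, which a lockfile cannot tell you.
function main(argv) {
  const lock = argv[2] ? JSON.parse(require('fs').readFileSync(argv[2], 'utf8')) : SAMPLE_LOCK;
  const findings = scanLockfile(lock);
  for (const f of findings) console.log(`${f.path}@${f.version}: ${f.reason}`);
  return findings.length === 0 ? 0 : 1;
}

if (typeof require !== 'undefined' && require.main === module) {
  const code = main(process.argv);
  if (process.argv[2]) process.exitCode = code; // non-zero only for a real lockfile
}
```

Run it as node check-react2shell.js package-lock.json in CI; it exits non-zero when a real lockfile has findings, so it can gate a deploy. It reports only what is installed: a Pages Router app on a vulnerable build still needs the upgrade, but whether a given deployment was exploitable also depends on the App Router being in use, which no lockfile can show.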

Framework Trust and Security by Default

React2Shell raises uncomfortable questions. Should frameworks be secure by default? Unambiguously yes, and React Server Components fell short of that principle. Developers did nothing wrong: they followed best practices, scaffolded with create-next-app, and deployed to production. The vulnerability lived at the framework level.

The comparison to Log4Shell is unavoidable. Both scored CVSS 10.0, both allowed unauthenticated RCE, and both sat in massively deployed software. Log4j took months to patch fully across the industry. Will React2Shell follow the same pattern?

Microsoft's guidance likewise emphasizes immediate action. A 30-hour exploit window sets a new baseline for patch urgency: organizations can no longer afford multi-week patch cycles for CVSS 10.0 vulnerabilities in internet-facing code.

Key Takeaways

  • CVE-2025-55182 is a CVSS 10.0 unauthenticated RCE vulnerability affecting React 19 and Next.js 13-16 (App Router), exploitable in default configurations with no developer error
  • Exploitation by China-nexus groups began within hours of disclosure and public exploit code followed within 30 hours; Google later identified five distinct threat clusters, making this one of the fastest patch-to-exploit timelines seen for a major framework vulnerability
  • 968,000+ servers estimated vulnerable and 39% of scanned cloud environments exposed, across a React ecosystem that includes Instagram, Netflix, and Airbnb and more than 10 million Next.js sites
  • Real-world attacks deployed Cobalt Strike, credential harvesters, and cryptocurrency miners, with supply chain connections to the GitHub Actions compromise
  • Immediate patching is critical: upgrade React to 19.0.1/19.1.2/19.2.1 and Next.js to the patched release for your line, scan lockfiles for nested copies, deploy WAF rules as a stopgap, and rotate credentials if compromised

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to simplify complex tech concepts, breaking them down into byte-sized and easily digestible information.