On December 3, 2025, React patched a critical vulnerability dubbed React2Shell that allowed unauthenticated remote code execution within React Server Components. The issue, tracked as CVE‑2025‑55182 and as CVE‑2025‑66478 for Next.js (link for our Vulnerability Intelligence clients), originates from a flaw in the deserialization mechanism React uses to process requests targeting React Server Functions. The weakness carries the maximum CVSS score of 10 out of 10, as it allows an attacker to send a malicious request that triggers code execution on the server, even when the application never explicitly used Server Functions and only relied on Server Components.
Versions 19.x of the react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack modules are affected by the vulnerability. Frameworks that rely on these modules, such as Next.js, React Router, and the RSC plugins for Vite and Parcel, are also impacted. According to Wiz, this may represent one million servers or more than one-third of cloud environments.
Fortunately, fixes are already available, as the issue was responsibly reported and handled.
No reports currently indicate exploitation in the wild, but the severity of the issue makes it very likely that it will attract malicious actors.
We classify this advisory’s threat level as 4 out of 5.
The vulnerability affects versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of the react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack modules.
Fixes are available in versions 19.0.1, 19.1.2, and 19.2.1.
We recommend updating React, Next.js, and all RSC-related dependencies to their fixed versions as soon as possible.
Some scanners have already been published, such as this Python tool or this Nuclei template.