Mayank Chaudhari

React2Shell Explained: How One Payload Can Own Your Server

Engineering
Tags: React2Shell, Security, RCE, CVE-2025-55182, React 19

[!WARNING] Critical Severity (CVSS 10.0): If you are running Next.js 15+, React Router v7, or any framework using React Server Components (RSC) with unpatched versions of react-server-dom-* packages, your application is likely vulnerable to Remote Code Execution (RCE). Patch Immediately.

The "Flight" protocol, the invisible wire format that powers React Server Components, has just earned a place in the "Hall of Fame" of critical vulnerabilities.

CVE-2025-55182, dubbed "React2Shell", is not just another bug. It is a fundamental deserialization flaw that allows unauthenticated attackers to execute arbitrary code on your server by sending a single malformed HTTP request.

No authentication required. No complex race conditions. Just one request, and your server is theirs.

1. The Mechanics of Catastrophe

At its core, React Server Components (RSC) rely on serializing the component tree on the server and streaming it to the client. This serialization format is known as the "Flight" protocol.

To support features like Server Actions, the protocol must also handle data going the other way: from Client to Server. This is where the vulnerability lives.

The "Trust" Fallacy

The vulnerable code in react-server-dom-webpack (and related packages) was permissive where it should have been strict: it deserialized complex object structures sent by the client without adequate type validation.

An attacker can construct a payload that, when deserialized by the server, instantiates dangerous objects or gadgets available in the closure or global scope.

```mermaid
sequenceDiagram
    participant Attacker
    participant Server as Next.js Server
    participant Flight as Flight Protocol (Vulnerable)
    Attacker->>Server: POST /_next/static/chunks/... (Malicious Payload)
    Note right of Attacker: Payload contains serialized gadget chain
    Server->>Flight: Deserialize(Payload)
    Flight->>Flight: Execute malicious object getter/setter
    Flight->>Server: RCE Triggered (e.g., child_process.exec)
    Server-->>Attacker: Reverse Shell Connection
```

The Payload Structure

While we won't publish a weaponized exploit script, the conceptual structure relies on abusing the internal format React uses to reference module exports.

A simplified conceptual view of the attack surface:

```jsonc
// Conceptual representation of the Flight payload structure
// DO NOT RUN
{
  "id": "vulnerable_module",
  "name": "dangerous_function",
  "chunks": ["arbitrary_code_execution"],
  "async": false
}
```

Because the server blindly trusts the map provided in the payload to resolve modules, it can be tricked into loading and executing functions that were never meant to be public endpoints.

2. Why This is "Catastrophic" (CVSS 10.0)

CVSS 10.0 is the highest possible severity score. It is reserved for vulnerabilities that are:

  1. Network Exploitable: Attackable remotely over the internet.
  2. Low Complexity: Requires no special access or conditions.
  3. No Privileges Required: Unauthenticated.
  4. Complete Impact: Total loss of Confidentiality, Integrity, and Availability.

React2Shell checks every single box.

[!IMPORTANT] Unlike SQL Injection or XSS, which are often limited to specific endpoints or user sessions, React2Shell gives the attacker the same privileges as the Node.js process running your server.

This means they can:

  • Read your .env files (AWS keys, DB passwords).
  • Install crypto miners.
  • Pivot to your internal network (database, internal APIs).
  • Delete your entire application.

3. Am I Affected?

If you use React 19 features, specifically Server Actions or the RSC architecture, check your dependencies.

Vulnerable Packages:

  • react-server-dom-webpack < 19.x (Patched versions vary by framework)
  • react-server-dom-turbopack
  • react-server-dom-parcel
  • next (Versions 14.x < 14.2.x, 15.x < 15.1.x - consult official advisories)
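One way to answer "am I affected?" without trusting memory is to read the lockfile directly. The script below is an added example, not part of this post: it walks an npm `package-lock.json` (lockfileVersion 2 or 3, which carry a `packages` map keyed by install path, so nested copies under another package's `node_modules` are found too), picks out the packages listed above, and compares each installed version against a minimum patched version. The minimums are supplied by the caller from the official advisories; the `SAMPLE_LOCKFILE` and `SAMPLE_MINIMUMS` values are constructed placeholders, not real project data or real fixed versions.

```javascript
// Added example, not from the post: scan an npm package-lock.json for the
// react-server-dom-* packages and next, reporting every installed copy.
// Lockfile and minimum versions below are CONSTRUCTED placeholders.

const WATCHED_PACKAGES = new Set([
  'react-server-dom-webpack',
  'react-server-dom-turbopack',
  'react-server-dom-parcel',
  'next',
]);

// Numeric comparison of dotted versions; a pre-release suffix ("-canary.7")
// sorts below the plain release of the same number. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const parse = (v) => {
    const dash = v.indexOf('-');
    const core = dash < 0 ? v : v.slice(0, dash);
    return { nums: core.split('.').map(Number), pre: dash < 0 ? null : v.slice(dash + 1) };
  };
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const x = pa.nums[i] ?? 0;
    const y = pb.nums[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1; // a release beats any pre-release of it
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Package name from a lockfile path such as "node_modules/a/node_modules/@s/b".
function packageNameFromPath(path) {
  const marker = 'node_modules/';
  const idx = path.lastIndexOf(marker);
  return idx < 0 ? path : path.slice(idx + marker.length);
}

// One finding per installed copy (nested copies included).
// minimums: { [packageName]: "x.y.z" }. A watched package with no minimum
// is reported as "present" so it can be checked by hand against the advisory.
function findWatchedPackages(lockfile, minimums) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages ?? {})) {
    if (path === '') continue; // the root project entry itself
    const name = entry.name ?? packageNameFromPath(path);
    if (!WATCHED_PACKAGES.has(name)) continue;
    const min = minimums[name];
    let status = 'present';
    if (min !== undefined) {
      status = compareVersions(entry.version, min) < 0 ? 'VULNERABLE' : 'patched';
    }
    findings.push({ name, path, version: entry.version, status });
  }
  return findings;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/next': { version: '15.0.0' },
    'node_modules/react': { version: '19.0.0' },
    'node_modules/react-server-dom-turbopack': { version: '19.0.0' },
    'node_modules/some-tool/node_modules/react-server-dom-webpack': { version: '19.0.1' },
  },
};

// PLACEHOLDER minimums: replace with the values from the React / Next.js advisories.
const SAMPLE_MINIMUMS = { next: '15.1.0', 'react-server-dom-webpack': '19.0.1' };

for (const finding of findWatchedPackages(SAMPLE_LOCKFILE, SAMPLE_MINIMUMS)) {
  console.log(`${finding.status.padEnd(10)} ${finding.name}@${finding.version}  (${finding.path})`);
}
```

To run it against a real project, replace `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and fill the minimums from the advisories; pnpm and yarn lockfiles use different formats and need their own reader. One caveat for Next.js users: `next` ships its own compiled copies of the react-server-dom-* packages inside the `next` package, which do not appear as separate lockfile entries, so for a Next.js application the version of `next` itself is the value that matters. The scanner only sees standalone installs of those packages.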

4. The Fix: Strict Serialization

The patch provided by the React team introduces strict whitelisting. The server now refuses to deserialize any object structure that hasn't been explicitly authorized or doesn't match a safe, primitive type signature.
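To make the difference between "trust the map in the payload" (section 1) and "only deserialize what is explicitly authorized" (this section) concrete, here is a toy strict deserializer. It is an added example and not React's code: the real Flight format and React's deserializer are far more involved, and the `$ref` marker, the `ALLOWED_ACTIONS` registry and the sample request bodies are constructed for this illustration. The idea it demonstrates is the one described above: primitives, arrays and plain objects pass; a reference is resolved only through a server-side allowlist, never through module ids or export names supplied by the client; and everything else is rejected before any server-side function is looked up or called.

```javascript
// Added example (not React's code): a strict-allowlist deserializer modelled
// on the fix described in the post. All names here are constructed.

class DeserializationError extends Error {}

// Constructed registry: the ONLY server functions a client may reference.
const ALLOWED_ACTIONS = new Map([
  ['newsletter/subscribe', (email) => ({ subscribed: email })],
]);

// Keys that would let a plain object reach prototype machinery.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const MAX_DEPTH = 32;

function deserializeStrict(raw, depth = 0) {
  if (depth > MAX_DEPTH) throw new DeserializationError('nesting too deep');

  // Safe primitive type signatures pass through unchanged.
  if (raw === null || ['string', 'number', 'boolean'].includes(typeof raw)) return raw;

  if (Array.isArray(raw)) return raw.map((item) => deserializeStrict(item, depth + 1));

  // Only plain objects are accepted: no class instances, functions, etc.
  if (typeof raw === 'object' && Object.getPrototypeOf(raw) === Object.prototype) {
    if (Object.prototype.hasOwnProperty.call(raw, '$ref')) {
      // A reference must be exactly { "$ref": "<registered key>" } and is
      // resolved through the allowlist, never through module ids or export
      // names taken from the payload.
      if (Object.keys(raw).length !== 1 || typeof raw.$ref !== 'string') {
        throw new DeserializationError('malformed reference');
      }
      const fn = ALLOWED_ACTIONS.get(raw.$ref);
      if (fn === undefined) throw new DeserializationError(`unregistered reference: ${raw.$ref}`);
      return fn;
    }
    const out = {};
    for (const [key, value] of Object.entries(raw)) {
      // JSON.parse turns "__proto__" into an own property; assigning it
      // through out[key] would rewrite the prototype, so refuse it up front.
      if (FORBIDDEN_KEYS.has(key)) throw new DeserializationError(`forbidden key: ${key}`);
      out[key] = deserializeStrict(value, depth + 1);
    }
    return out;
  }

  throw new DeserializationError(`unsupported value: ${typeof raw}`);
}

// Request-handling wrapper: a rejected body becomes a 400-style result
// instead of an exception propagating through the server.
function tryDeserialize(body) {
  try {
    return { ok: true, value: deserializeStrict(JSON.parse(body)) };
  } catch (err) {
    if (err instanceof DeserializationError || err instanceof SyntaxError) {
      return { ok: false, error: err.message };
    }
    throw err;
  }
}

// Constructed request bodies: one legitimate, two that the allowlist rejects.
const SAMPLE_BODIES = [
  '{"action":{"$ref":"newsletter/subscribe"},"args":["a@example.com"]}',
  '{"action":{"$ref":"not/registered"}}',
  '{"__proto__":{"polluted":true}}',
];
for (const body of SAMPLE_BODIES) {
  const result = tryDeserialize(body);
  console.log(result.ok ? 'accepted' : `rejected: ${result.error}`, body);
}
```

The property to notice is that a client can only name entries that the server registered ahead of time; the payload never carries a module id, export name or chunk list that the server resolves on its behalf, which is exactly the freedom the conceptual payload in section 1 relied on.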

We will cover the specific code-level diffs and the "Reverse Engineering" of the patch in our next post: How React Patched a CVSS 10 Bug.

Security Checklist

Protect yourself immediately:

  1. Upgrade React & Next.js: Ensure you are on the latest patch release published after Dec 5, 2025.
  2. Audit Dependencies: Run npm audit or pnpm audit.
  3. WAF Rules: If you cannot patch immediately, implement WAF rules to block suspicious payloads containing unusual "Flight" protocol markers (NOT recommended as a permanent fix).
  4. Least Privilege: Ensure your Node.js process does not run as root. Restrict its network access to only necessary services.
