
React Server Components remote code execution (React2Shell)

Description: React Server Components remote code execution (React2Shell)

The application is vulnerable to CVE-2025-55182 (React) and CVE-2025-66478 (Next.js), critical remote code execution vulnerabilities in React Server Components with a CVSS score of 10.0.

Vulnerability Overview:

  • Unauthenticated remote code execution via insecure deserialization of server-side request payloads
  • The RSC Flight protocol fails to validate that each segment of a colon-delimited reference names an existing property before it is resolved
  • Crafted multipart form-data payloads trigger unhandled exceptions in the decoder that lead to code execution
  • No authentication, prerequisites or special configuration is required for exploitation
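The second bullet describes a bug class rather than a React-specific detail: when a decoder walks a colon-delimited reference such as `user:name` over an object without checking that each segment is an own property, inherited properties like `constructor` resolve just as well as real data. The following is an added illustration of that class and its fix; it is not React's Flight decoder, and `resolveUnchecked`, `resolveChecked` and the `constructedPayload` object are made up for the example.

```javascript
// Added example: property-existence checks when resolving colon-delimited
// references. Illustrative only; not code from React, Next.js or this page.

// Vulnerable pattern: each segment is looked up with plain indexing, so
// inherited properties (constructor, __proto__, toString, ...) are reachable.
function resolveUnchecked(root, ref) {
  let cur = root;
  for (const part of ref.split(":")) {
    if (cur == null) return undefined;
    cur = cur[part];
  }
  return cur;
}

// Hardened pattern: every segment must be an own property of a plain object
// or array. Anything inherited from the prototype chain is rejected outright.
function resolveChecked(root, ref) {
  let cur = root;
  for (const part of ref.split(":")) {
    if (cur === null || typeof cur !== "object" || !Object.hasOwn(cur, part)) {
      throw new Error(`invalid reference segment: ${JSON.stringify(part)}`);
    }
    cur = cur[part];
  }
  return cur;
}

// Constructed sample payload (not captured traffic).
const constructedPayload = { user: { name: "alice", roles: ["reader"] } };

function demo() {
  const results = {
    uncheckedName: resolveUnchecked(constructedPayload, "user:name"),
    // Walks off the data and onto Object.prototype: returns "Object".
    uncheckedCtor: resolveUnchecked(constructedPayload, "user:constructor:name"),
    checkedName: resolveChecked(constructedPayload, "user:name"),
    checkedIndex: resolveChecked(constructedPayload, "user:roles:0"),
    checkedCtorRejected: false,
  };
  try {
    resolveChecked(constructedPayload, "user:constructor:name");
  } catch {
    results.checkedCtorRejected = true;
  }
  return results;
}

console.log(demo());
```

The hardened resolver only fixes the traversal; a decoder that accepts attacker-supplied references should additionally restrict which root objects are addressable at all (an allowlist or a `Map`), rather than relying on property checks alone.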

Remediation: React Server Components remote code execution (React2Shell)

CRITICAL - Immediate Action Required

This vulnerability allows unauthenticated attackers to execute arbitrary code on the server. Patch immediately.

Upgrade to Patched Versions:

  • React: 19.0.1, 19.1.2, or 19.2.1
  • Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7

Remediation Steps:

  1. Update the react and next entries in package.json to one of the patched versions above, staying on the same minor release line you already run
  2. Run npm install (or your package manager's equivalent) so the lockfile and node_modules pick up the patched versions; confirm with npm ls react next, which also reveals nested copies pulled in by other dependencies
  3. Rebuild and redeploy the application
  4. Verify the fix by re-scanning
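A quick way to carry out steps 1 and 2 across a whole dependency tree is to compare every installed copy of react and next in package-lock.json against the patched versions listed above, minor line by minor line. The script below is an added example and not PortSwigger's or the React project's tooling; the `PATCHED_VERSIONS` table is taken from this page, the lockfile shown is constructed, and any package or release line not in that table is reported as unknown rather than guessed at.

```javascript
// Added example: audit a package-lock.json (v2/v3 "packages" map) against the
// patched versions listed on this page. Not vendor code.

const PATCHED_VERSIONS = {
  react: ["19.0.1", "19.1.2", "19.2.1"],
  next: ["15.0.5", "15.1.9", "15.2.6", "15.3.6", "15.4.8", "15.5.7", "16.0.7"],
};

// Parse "19.2.0", "v19.2.0" or "19.2.1-canary-abc" into its components.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Returns "patched", "vulnerable", "unknown-line" (minor line not covered by
// the page's table), "not-tracked" (package not in the table) or "unparseable".
function checkVersion(name, version) {
  const fixes = PATCHED_VERSIONS[name];
  if (!fixes) return "not-tracked";
  const v = parseVersion(version);
  if (!v) return "unparseable";
  const fix = fixes.map(parseVersion).find((f) => f.major === v.major && f.minor === v.minor);
  if (!fix) return "unknown-line";
  if (v.patch > fix.patch) return "patched";
  // A prerelease of the fixed version (e.g. 19.2.1-canary-...) predates the fix.
  if (v.patch === fix.patch && v.pre === null) return "patched";
  return "vulnerable";
}

// Walk every installed package, including nested node_modules copies, and
// report each copy of a tracked package with its status.
function auditLockfile(lock) {
  const marker = "node_modules/";
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (!(name in PATCHED_VERSIONS)) continue;
    findings.push({ path, name, version: entry.version, status: checkVersion(name, entry.version) });
  }
  return findings;
}

// Constructed lockfile for demonstration; a real run would use
// JSON.parse(fs.readFileSync("package-lock.json", "utf8")).
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/next": { version: "15.5.6" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/some-lib/node_modules/react": { version: "19.1.2" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

console.table(auditLockfile(SAMPLE_LOCK));
```

The nested `some-lib/node_modules/react` entry is the case `npm ls react` is for: updating the top-level dependency does not touch copies that another package pins, and a build that bundles such a copy into the server stays vulnerable until that dependency is updated or overridden too.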

Typical severity

High

Type index (hex)

0x00101200

Type index (decimal)

1053184
