Critical React, Next.js Flaw Lets Hackers Execute Code On Servers

A maximum severity vulnerability, dubbed 'React2Shell', in the React Server Components (RSC) 'Flight' protocol allows remote code execution without authentication in React and Next.js applications.

The security issue stems from insecure deserialization. It received a severity score of 10/10 and has been assigned the identifiers CVE-2025-55182 for React and CVE-2025-66478 (CVE rejected in the National Vulnerability Database) for Next.js.

Security researcher Lachlan Davidson discovered the flaw and reported it to React on November 29. He found that an attacker could achieve remote code execution (RCE) by sending a specially crafted HTTP request to React Server Function endpoints.

"Even if your app does not implement any React Server Function endpoints, it may still be vulnerable if your app supports React Server Components [RCS]," warns the security advisory from React.

The following packages in their default configuration are impacted:

React is an open-source JavaScript library for building user interfaces. It's maintained by Meta and widely adopted by organizations of all sizes for front-end web development.

Next.js, maintained by Vercel, is a framework built on top of React that adds server-side rendering, routing, and API endpoints.

Both solutions are widely present in cloud environments through front-end applications that help scale and deploy architectures faster and easier.

Researchers at Wiz cloud security platform warn that the vulnerability is easy to exploit and exists in the default configuration of the affected packages.

According to React, the vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0. Next.js is impacted in experimental canary releases starting with 14.3.0-canary.77, and all releases of the 15.x and 16.x branches below the patched versions.

Source: BleepingComputer