
# React2Shell (CVE-2025-55182): Unauthenticated RCE in React Server Components

> Unsafe deserialisation in React 19's Flight protocol allows arbitrary code execution on the server. CVSS 10.0, active exploitation.

*Published on December 10, 2025*

<Warning>
  **CVE-2025-55182 — "React2Shell" — CVSS 10.0.** Remote code execution, unauthenticated, on Next.js servers and other frameworks built on React 19 + Server Components. Active exploitation in the wild.
</Warning>

## Why this one is serious

If you run **React 19 with Server Components** (which includes most recent Next.js apps in App Router mode), your server decodes Flight-encoded payloads sent by the client, most notably the arguments of Server Function (Server Action) requests. Flight is the wire format React uses to serialise components and data between Node.js and the browser, and its server-side deserialiser for client-supplied payloads is exactly where the bug lives.

By sending a crafted Flight payload to such an endpoint, an **unauthenticated** attacker can:

1. Manipulate internal objects used for module resolution,
2. Hijack Flight callbacks toward sensitive Node.js primitives,
3. End up executing shell commands on the host.

## What it gets you, as an attacker

Once RCE is achieved, what follows is the usual post-exploitation playbook:

* Theft of environment variables and server-side secrets,
* Lateral movement to internal services reachable from the pod or VM,
* Persistence via cron, daemon, or a backdoor injected in the bundle,
* Cryptominer or C2 deployment on the cloud infrastructure.

Several state-affiliated threat groups have been observed exploiting the flaw.

## Versions to upgrade

### React Server Components

The packages `react-server-dom-webpack`, `react-server-dom-parcel` and `react-server-dom-turbopack` are affected from 19.0.0 up to and including 19.2.0. Move each one to the patched release of the branch you are on:

| Package branch | Patched version |
| -------------- | --------------- |
| 19.0           | 19.0.1          |
| 19.1           | 19.1.2          |
| 19.2           | 19.2.1          |

### Next.js (App Router)

Upgrade to the patched release of the branch you are currently on:

| Next.js branch | Patched version |
| -------------- | --------------- |
| 15.0           | 15.0.5          |
| 15.1           | 15.1.9          |
| 15.2           | 15.2.6          |
| 15.3           | 15.3.6          |
| 15.4           | 15.4.8          |
| 15.5           | 15.5.7          |
| 16.0           | 16.0.7          |

After upgrading, **rebuild and redeploy all affected services**. A plain `pnpm install` is not enough on its own: the lockfile may keep the old version pinned, and the server bundle that actually runs still contains the vulnerable code until it is rebuilt.

## Immediate response

1. **Inventory**: list every React 19 / Next.js App Router workload in your infrastructure (production, staging, PR previews, internal tools), including the ones other teams deploy.
2. **Patch**: apply the patched versions everywhere, then rebuild and redeploy.
3. **Contain**: restrict public access to services that cannot be patched immediately (authentication at the edge, an IP allowlist, or taking the service offline).
4. **Investigate**: review access and process logs for suspicious execution (unexpected child processes spawned by the Node.js server, outbound connections to unknown hosts), rotate every secret the process could read (API keys, session signing keys, database credentials, environment variables), and keep monitoring unpatched hosts until the migration is complete. Treat any host that was internet-exposed while unpatched as potentially compromised.

## Check your versions

Note that Next.js ships its own vendored copy of `react-server-dom-*` (under `next/dist/compiled`), so `pnpm list` may show no such package at all in an App Router app. In that case the `next` version is the one that matters.

```bash theme={null}
# Installed versions of the affected packages (direct dependencies of this workspace)
pnpm list react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack next

# Show how a package got pulled in, including transitive paths
pnpm why react-server-dom-webpack

# On a Next.js workspace: Next.js vendors its own copy of react-server-dom-*,
# so this is the number that matters for App Router apps
npx next --version
```
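To run the inventory and patch-status steps across many workloads rather than one shell at a time, here is an added example (not code from React, Next.js or OnetSolutions) that classifies installed versions against the patched releases listed on this page. It reads the JSON shape produced by `pnpm list --json` (an array of projects) or `npm ls --json` (a single project object); the project names and versions in the embedded sample are constructed for illustration, and the `--live` flag and the output format are this example's own choices.

```javascript
// Added example for this advisory, not code from React, Next.js or OnetSolutions.
// Classifies installed versions of the affected packages against the patched
// releases listed on this page, so the inventory step can be run across many
// workloads. Accepts the JSON shape of `pnpm list --json` (array of projects)
// or `npm ls --json` (one project object).

// Patched release per major.minor branch, as listed in this advisory.
const RSC_PATCHED = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };
const PATCHED = {
  "react-server-dom-webpack": RSC_PATCHED,
  "react-server-dom-parcel": RSC_PATCHED,
  "react-server-dom-turbopack": RSC_PATCHED,
  next: {
    "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
    "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7",
  },
};

// Minimal semver parser: major.minor.patch with an optional prerelease tag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Numeric fields first; a prerelease of X.Y.Z sorts below X.Y.Z, so a canary
// build of a vulnerable branch is reported vulnerable (the conservative answer).
function compareVersions(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.prerelease && !b.prerelease) return -1;
  if (!a.prerelease && b.prerelease) return 1;
  return 0;
}

// "patched", "vulnerable", "not-listed" (package or branch not covered by the
// tables on this page; check the vendor advisory) or "unparseable".
function classify(pkg, version) {
  const table = PATCHED[pkg];
  if (!table) return "not-listed";
  const v = parseVersion(version);
  if (!v) return "unparseable";
  const fixed = table[`${v.major}.${v.minor}`];
  if (!fixed) return "not-listed";
  return compareVersions(v, parseVersion(fixed)) < 0 ? "vulnerable" : "patched";
}

// Normalise pnpm (array) and npm (object) output to [{ name, dependencies }].
function toProjects(listJson) {
  const projects = Array.isArray(listJson) ? listJson : [listJson];
  return projects.map((p) => ({
    name: p.name || p.path || "(unnamed)",
    dependencies: p.dependencies || {},
  }));
}

// One finding per affected package per project. Next.js bundles its own copy
// of react-server-dom-* under next/dist/compiled, so for an App Router app the
// `next` finding is authoritative even when no RSC package is listed.
function scanProjects(listJson) {
  const findings = [];
  for (const project of toProjects(listJson)) {
    for (const [name, info] of Object.entries(project.dependencies)) {
      if (!(name in PATCHED)) continue;
      const version = typeof info === "string" ? info : info.version;
      findings.push({ project: project.name, package: name, version, status: classify(name, version) });
    }
  }
  return findings;
}

// Constructed sample standing in for `pnpm list --json -r` output from two
// workspaces; the names and versions are illustrative, not observed anywhere.
const SAMPLE_PNPM_LIST = [
  {
    name: "web-frontend", path: "/srv/web-frontend",
    dependencies: {
      next: { version: "15.5.4" },
      react: { version: "19.2.0" },
      "react-server-dom-webpack": { version: "19.2.0" },
    },
  },
  {
    name: "admin-portal", path: "/srv/admin-portal",
    dependencies: {
      next: { version: "16.0.7" },
      "react-server-dom-turbopack": { version: "19.2.1" },
    },
  },
];

// `node rsc-audit.js --live` runs pnpm in the current workspace (this flag is
// the example's own); without it the report is produced from the sample above.
function main() {
  let input = SAMPLE_PNPM_LIST;
  if (process.argv.includes("--live")) {
    const { execFileSync } = require("node:child_process");
    input = JSON.parse(execFileSync("pnpm", ["list", "--json", "-r"], { encoding: "utf8" }));
  }
  for (const f of scanProjects(input)) {
    console.log(`${f.status.padEnd(11)} ${f.project}  ${f.package}@${f.version}`);
  }
}

main();
```

Anything reported as `not-listed` (a branch outside the tables on this page, or a prerelease line) should be checked against the vendor advisory by hand rather than assumed safe.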

## Resources

For technical assistance, open a ticket from your [OnetSolutions client area](https://onetsolutions.net).
