TL;DR

CVE-2025-55182 "React2Shell" (CVSS 10.0, CISA KEV) is an unauthenticated RCE in React Server Components caused by insecure deserialization in React's Flight protocol. Any exposed RSC endpoint is a one-request RCE — no auth, no special setup. Exploitation in the wild was confirmed in December 2025; a large-scale credential-harvesting campaign had compromised at least 766 hosts by April 2026. Patch to the fixed React version immediately.

What happened

Security researchers disclosed a critical deserialization vulnerability in React's Flight protocol — the wire format used to stream React Server Component payloads. React did not properly validate payloads sent to React Server Function endpoints, allowing an unauthenticated attacker to craft a malicious payload that triggers arbitrary code execution on the server.

Root cause: Insecure deserialization in the RSC Flight protocol payload decoder. Attacker-controlled input is decoded and instantiated as framework objects without sanitization.

Affected frameworks (any that expose an RSC endpoint): - React 18.x / 19.x (RSC mode) - Next.js (all versions with App Router / RSC enabled) - Waku (RSC-first framework) - React Router (RSC preview mode) - RedwoodSDK (RSC mode) - Parcel RSC plugin - Vite RSC plugin

Exploitation timeline: - 2025-12-05: First exploitation attempts detected in the wild (Windows and Linux) - 2025-12-xx: CISA adds CVE-2025-55182 to KEV catalog - 2025-12-31: ~90,300 instances still exposed - 2026-01: RondoDox botnet exploits React2Shell to hijack IoT devices and web servers - 2026-04: Large-scale credential harvesting campaign observed; at least 766 hosts confirmed compromised — attackers steal database credentials, SSH keys, AWS secrets, shell history, Stripe API keys, and GitHub tokens; also deploy cryptomining and backdoors - 2026-06: ~68,400 U.S. instances remain; patch adoption still incomplete

Downstream note: The vulnerability surfaces in the Next.js May 2026 security release as a related RSC DoS (CVE-2026-23870) — a separate issue in the same component family, addressed in the same release window. React2Shell itself predates that batch.

Am I affected?

# Check React version
node -e "console.log(require('react/package.json').version)"

# Patched versions:
# React 19.0.4, 19.1.5, 19.2.4 (and later)
# Next.js: 15.0.8, 15.1.12, 15.2.9, 15.3.9, 15.4.11, 15.5.10, 16.0.11, 16.1.5
# Check your Next.js version:
node -e "console.log(require('next/package.json').version)"

You are only exposed if your app: 1. Uses React Server Components (RSC / Server Actions / App Router), AND 2. Exposes an RSC endpoint to the public internet (or to untrusted network callers)

Vite-only apps using React in classic client mode (no RSC) are not affected.

If you are affected

  1. Patch immediately: upgrade React to 19.0.4 / 19.1.5 / 19.2.4+ and Next.js to the corresponding fixed version.
  2. Rotate all credentials on any server that ran an exposed RSC endpoint — attackers demonstrated full credential harvest in the wild.
  3. Check for backdoors: look for unexpected cron jobs, systemd services, or SSH authorized_keys entries added since December 2025.
  4. See playbooks/auditing-a-vibe-coded-repo.md.

Prevention

  • Keep React and Next.js up to date — this class of deserialization bug requires framework-level patching.
  • Do not expose RSC endpoints directly to the public internet unless necessary; place them behind an auth layer.
  • Use a WAF (Cloudflare, Vercel WAF, AWS WAF) with rules for abnormal RSC payload size/structure as a defense-in-depth layer.
  • Monitor for RCE IOCs: unexpected outbound connections (cryptomining C2, exfil endpoints), new users/cron jobs/SSH keys.

Sources