• CVE-2025-55182 (also dubbed “React2Shell”) is a critical remote-code-execution (RCE) vulnerability in React Server Components (RSC).
• The vulnerability stems from unsafe deserialization of incoming HTTP request payloads in the “Flight” protocol handling RSC — malformed or malicious payloads can trigger arbitrary code execution on the server.

Read more

• React Server Components — specifically packages react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack, in versions 19.0.0, 19.1.0, 19.1.1, 19.2.0.
• Frameworks and tools built on top of React RSC, including Next.js (versions 15.x and 16.x with App Router), and other RSC-enabled bundlers/plugins (e.g. Vite RSC plugin, Parcel RSC plugin, RedwoodSDK, Waku, React Router RSC mode).

How attackers exploit this vulnerability (attack vector)

• An unauthenticated attacker sends a specially crafted HTTP request to an RSC “Server Function” endpoint.
• Because the server improperly handles/deserializes the request data, the attacker-controlled payload triggers server-side execution of arbitrary JavaScript code — meaning full remote code execution under the server’s privileges.

CERTVU recommend:

Patch Immediately

Update React Server Components packages to fixed versions: react-server-dom- → version 19.0.1, 19.1.2, or 19.2.1.