React2Shell: Critical Pre-Auth RCE in React Server Components
Summary
In early December 2025, a critical remote code execution vulnerability was disclosed in React that allows unauthenticated attackers to execute arbitrary code on affected servers. The flaw, tracked as CVE-2025-55182 and assigned a CVSS score of 10.0, impacts React’s Server Components (RSC) implementation and has been described by multiple researchers as trivial to exploit.
The issue originates in how React handles server action metadata in RSC. Prior to the patch, the server trusted client-supplied identifiers and did not sufficiently validate whether the requested functions were legitimate exported server actions. This trust boundary failure enables attackers to manipulate module resolution on the backend.
By abusing this logic, a remote actor can force the server to load internal Node.js modules and invoke privileged functions such as child_process.execSync, resulting in full command execution with the privileges of the React server process.
Why React2Shell Is High Impact
Exploitation requires no authentication and no user interaction. A single crafted HTTP request that mimics a valid RSC “Flight” call is sufficient to reliably trigger code execution. In testing environments, exploitation was observed to work consistently with near-100% success rates.
Once an RSC endpoint is compromised, it effectively becomes the initial intrusion vector (IIV) for further attacks. From there, a threat actor can:
- Exfiltrate secrets and credentials
- Deploy web shells or other persistence mechanisms
- Pivot laterally across the environment
- Deliver secondary payloads or fully compromise the infrastructure
Given React’s role as a foundational component of modern web applications, the blast radius of this vulnerability is significant.
Affected Versions and Ecosystem Exposure
The vulnerability affects React versions 19.0.0 through 19.2.0, along with any frameworks that bundle React Server Components. This includes Next.js 15 and 16, meaning many production deployments inherit the flaw indirectly.
Public proof-of-concept exploits became available on the same day as disclosure (December 3, 2025). These PoCs demonstrate direct OS command execution via manipulated multipart/form-data requests that masquerade as legitimate RSC server actions.
Active Exploitation Observed
The availability of working PoCs quickly led to real-world exploitation. Security researchers observed scanning and exploitation attempts within hours of disclosure. Early activity has been attributed to multiple China-aligned threat actors, including EARTH LAMIA and JACKPOT PANDA.
While some managed cloud services were not directly affected, any internet-exposed React RSC endpoint that was reachable prior to December 3, 2025 should be treated as potentially compromised until proven otherwise through investigation.
Following the public disclosure of React2Shell (CVE-2025-55182) on December 3, 2025, our security monitoring systems began detecting active exploitation attempts almost immediately.
As shown in the timeline above, low-volume probing activity started shortly after disclosure, followed by a sharp and sustained increase in malicious requests beginning on December 4. This aligns closely with the release of public proof-of-concept exploits and confirms that the vulnerability moved rapidly from disclosure to active weaponization.

Confirmed Exploitation Attempt
One representative security event captured by our detection pipeline is shown below:

The request was a crafted multipart/form-data POST, designed to mimic a legitimate React Server Components (RSC) action call. Inspection of the payload shows clear indicators of React2Shell exploitation:
- Abuse of RSC action metadata and prototype manipulation
- Injection of server-side function resolution logic
- Explicit attempt to execute arbitrary OS commands via Node.js internals
Notably, the payload attempts to open a TCP connection back to Burp Suite's Collaborator service, a common out-of-band callback used to confirm that the injected code actually ran.
In addition to individual exploitation attempts, we analyzed the geographic distribution of observed React2Shell attack traffic across our monitored environments.
Between initial disclosure and peak exploitation activity, the top 10 source countries generating React2Shell exploitation attempts were:


While source IP geolocation should not be treated as attribution, the broad geographic spread strongly suggests automated mass scanning and exploitation, rather than targeted activity from a single region.
The volume and diversity of source locations indicate that the exploit was rapidly incorporated into commodity scanning frameworks and bot infrastructure, further reinforcing how quickly React2Shell transitioned from public disclosure to widespread weaponization.
Conclusion
Although React2Shell represents a critical, pre-authentication remote code execution vulnerability, its impact was significantly reduced by early visibility and rapid detection.
Our security monitoring systems identified exploitation attempts immediately after public proof-of-concept code became available, with widespread attack activity observed within the first 24 hours. Despite the rapid weaponization and global scanning activity, all detected exploitation attempts were blocked, and no successful compromises were observed across customer environments.
This incident demonstrates how quickly widely used technologies can become high-risk attack surfaces, and how essential real-time detection and behavioral inspection are when patch timelines are measured in hours rather than days.
Most importantly, our clients remained protected from the very first day of active exploitation, even before many organizations had completed patch deployment. No post-exploitation activity, persistence mechanisms, or lateral movement were detected.
React2Shell serves as a reminder that effective security is not solely about patching speed, but about visibility, detection, and response at the moment an exploit becomes operational.