React Server Components (RSC) have significantly enhanced web application performance by allowing server-side processing while maintaining the reactivity of client-side React. Cependant, a critical security vulnerability, named React2Shell (CVE-2025-55182), has been discovered that threatens millions of web applications. This vulnerability allows for unauthenticated remote code execution (RCE) and carries a maximum severity rating of CVSS 10, underscoring its critical nature.
Dans ce guide, we explore the details of React2Shell, affected frameworks, potential risks, mitigation steps, and best practices for securing your React-based infrastructure.
What is React2Shell (CVE-2025-55182)?
React2Shell is a vulnerability affecting React Server Components, as well as frameworks and bundlers that depend on them, including Next.js, React Router, Waku, and various RSC plugins for Vite and Parcel. The root cause stems from unsafe handling of serialised payloads. When a malicious HTTP request reaches a server function endpoint, React deserialises the payload without adequate validation, potentially allowing attackers to execute arbitrary code on the server.
This vulnerability impacts several widely used React versions:
- 19.0.0
- 19.1.0
- 19.1.1
- 19.2.0
And the following packages:
- react-server-dom-parcel
- react-server-dom-turbopack
- react-server-dom-webpack
Even applications that do not explicitly use React Server Components may be indirectly affected if they rely on libraries that support RSC.
Hébergement Web WordPress
À partir de 3,99 $ / mensuel
Why React2Shell is a Critical Threat
The unauthenticated nature of React2Shell makes it particularly dangerous. Attackers do not require login credentials or API tokens; they only need to craft a malicious HTTP request to exploit the vulnerability. The impact can include:
- Full server compromise
- Data exfiltration from vulnerable applications
- Deployment of ransomware or malware in cloud-hosted React apps
- Mass exploitation in automated attack campaigns
Security researchers estimate that up to 40% of cloud environments using React and Next.js may be exposed, while Unit 42 reports nearly one million potentially affected servers worldwide.
The combination of widespread adoption and critical severity explains why immediate mitigation is imperative. According to react.dev:
“An unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves remote code execution on the server.”
How React Server Components Work
React Server Components (RSC) allow developers to run certain parts of a React application on the server while keeping the rest on the client, improving performance, reducing bundle sizes, and enhancing SEO.
Serveur VPS pas cher
À partir de 2,99 $/mois
Cependant, this duality introduces a potential attack surface if payloads sent from the client are not handled securely. The RSC workflow involves several key steps:
- Client-Server Function Mapping: When a client interacts with a component, React translates these function calls into HTTP requests directed at server endpoints. This abstraction allows the client to request data or execute functions without directly exposing server logic.
- Server Function Execution: Once received, the server deserialises the HTTP payload and executes the corresponding server function. It is at this stage that the React2Shell vulnerability arises, as improper validation of serialized payloads can permit attackers to inject malicious instructions, potentially achieving remote code execution.
- Data Return: After executing the function, the server returns only the necessary data to the client. This selective transfer maintains application performance and ensures minimal data exposure, but if step 2 is compromised, the server itself becomes vulnerable.
By highlighting the flaw in step 2, it becomes clear why securing deserialization and validating payloads is critical to preventing attacks like React2Shell.
Frameworks and Bundlers Impacted by React2Shell
Several widely used frameworks and bundlers integrate React Server Components into their workflows, meaning that a vulnerability in RSC can propagate to applications indirectly. Developers must review their entire dependency tree to understand potential exposure and plan mitigation steps accordingly.
Affected frameworks include:
- Next.js: Known for server-side rendering (SSR) and hybrid static applications, Next.js leverages RSC to optimise page rendering. Vulnerable versions can unintentionally expose server endpoints to attackers.
- React Router: While commonly used for client-side routing, its experimental RSC APIs may inherit RSC vulnerabilities.
- Waku: A modern React framework that relies heavily on RSC for dynamic server-client integration. Misconfigured instances can be exploited through crafted payloads.
Vulnerable bundler plugins include:
Hébergement VPS Windows
Remote Access & Full Admin
- @parcel/rsc
- @vitejs/plugin-rsc
- Redwood SDK (rwsdk)
Even if the core application code does not use RSC endpoints directly, these frameworks and plugins may introduce vulnerabilities, making it crucial for developers to audit all dependencies and apply updates promptly.
Identifying Vulnerable Versions
To determine if your applications are at risk, a detailed version audit is necessary. This ensures that no vulnerable component is left unpatched.
- React Server Component versions: The vulnerable range is 19.0.0 through 19.2.0.
- RSC Packages: Verify that react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack are updated to secure versions.
- Peer Dependencies: Frameworks such as Next.js, React Router, and Waku may include these RSC packages indirectly. Checking these dependencies is essential to prevent hidden exposures.
Here’s a practical example of version auditing using npm:
- npm list react-server-dom-webpack
- npm list react-server-dom-parcel
- npm list react-server-dom-turbopack
Performing these checks ensures that you identify all components susceptible to React2Shell and helps prioritize patching efforts.
Immediate Mitigation and Upgrade Strategy
React has released patched versions for all vulnerable RSC packages. Immediate action is necessary because temporary mitigations provided by hosting providers alone do not fully secure applications.
Package Upgrades
- React Server Component Packages:
- react-server-dom-parcel → latest version
- react-server-dom-turbopack → latest version
- react-server-dom-webpack → latest version
- Framework-specific Upgrades:
- Next.js:
o npm install [email protected] # for 15.0.x
o npm install [email protected] # for 15.1.x
o npm install [email protected] # for 15.2.x
o npm install [email protected] # for 15.3.x
o npm install [email protected] # for 15.4.x
o npm install [email protected] # for 15.5.x
o npm install [email protected] # for 16.0.x
- React Router:
o npm install react@latest react-dom@latest react-server-dom-parcel@latest react-server-dom-webpack@latest @vitejs/plugin-rsc@latest
- Redwood SDK: Ensure rwsdk ≥ 1.0.0-alpha.0 or use the latest beta release.
- Waku and Vite RSC Plugins: Upgrade react-server-dom-webpack and corresponding RSC plugin versions.
Temporary Hosting Provider Mitigations
While some cloud providers have implemented temporary patches to reduce exposure, relying solely on these mitigations is not secure. Immediate package upgrades remain the primary defence against exploitation.
Note: For environments that rely on React Server Components, using a robust VPS solution with full root access, like those offered by Colonel Maneged VPS Hosting, can simplify patch deployment and testing.
Step-by-Step Vulnerability Management
Managing React2Shell effectively requires a structured approach:
- Inventory All React Packages: Use npm or yarn to identify every dependency capable of RSC functionality.
- Check Versions: Verify that all packages fall outside vulnerable ranges.
- Update Dependencies: Apply patched versions to eliminate exposure.
- Validate Server Function Usage: Assess whether any indirect dependencies might still expose RSC endpoints.
- Test Applications: After updating, confirm that the application functions as expected without regression.
Following these steps ensures a comprehensive response to React2Shell and reduces the likelihood of residual vulnerabilities.
Preventive Measures Beyond Patching
Even after applying the necessary updates, adopting strong development and deployment practices will reduce future risk from similar vulnerabilities. Recommended Practices are:
- Disable Unused Server Functions: Only enable server-side endpoints that are actively required, reducing potential attack surfaces.
- Input Validation: Enforce strict validation and sanitation of all data sent from clients to the server, preventing injection attacks.
- Automated Dependency Updates: Tools like Dependabot or Renovate can automatically detect vulnerable packages and propose updates.
- Code Audits: Periodically review third-party packages for unsafe deserialization patterns and other security issues.
These measures complement patching and create a more resilient application architecture.
Lessons from React2Shell
The React2Shell incident highlights critical lessons for developers and organisations working with modern web frameworks:
- Complexity Breeds Vulnerabilities: Hybrid server-client frameworks like RSC introduce new potential attack vectors.
- Indirect Dependencies Matter: Applications may be vulnerable even without direct use of RSC endpoints if dependent packages include them.
- Rapid Patch Deployment is Essential: High-severity vulnerabilities (CVSS 10) require immediate, organization-wide action to minimize risk.
Example: A SaaS platform managing multiple Next.js applications could automate patch deployment through CI/CD pipelines. This approach reduces human error, ensures consistent security updates, and mitigates exposure to attacks like React2Shell.
Conclusion
React2Shell (CVE-2025-55182) represents a critical RCE vulnerability in the React ecosystem, particularly affecting Server Components and related frameworks. The combination of unauthenticated access, widespread adoption, and a CVSS 10 rating makes it a top security priority. Immediate steps include:
- Upgrading all vulnerable RSC packages
- Updating affected frameworks and plugins
- Validating server function usage
- Employing preventive coding practices
By proactively managing these updates and implementing secure practices, developers can maintain a resilient, performant, and secure React-based environment.
FAQs About React2Shell and RSC Vulnerabilities
Is my React app vulnerable if I don’t use server functions?
If your app and its dependencies do not implement React Server Components or server function endpoints, it is not affected. Cependant, always verify indirect dependencies.
How quickly should I apply patches?
Immediately. CVSS 10 vulnerabilities are critical, and any delay increases the risk of exploitation.
Are the hosting provider’s mitigations sufficient?
Non. Temporary patches may reduce exposure but cannot fully prevent attacks. Updating dependencies is mandatory.
Can automated tooling help prevent future vulnerabilities?
Oui. Tools like Dependabot, Renovate, and npm audit can automatically notify and upgrade vulnerable packages.
What frameworks are affected besides React?
Next.js, React Router, Waku, Redwood SDK, and certain Vite/Parcel RSC plugins are impacted.