Critical React & Next.js Vulnerability (React2Shell)

Additional Follow-On Vulnerabilities (CVE-2025-55184 & CVE-2025-55183) – December 11, 2025

Following the React2Shell (CVE-2025-55182) disclosure, deeper analysis uncovered two additional vulnerabilities, CVE-2025-55184 and CVE-2025-55183.

While these do not permit RCE, they still pose serious operational and confidentiality risks and should be patched immediately alongside RCE fixes.

Executive Summary

A critical vulnerability affecting React Server Components (RSC) and downstream frameworks such as Next.js has been publicly disclosed.
The primary flaw, CVE-2025-55182, received the maximum severity rating, CVSS 10.0 (Critical), because it enables unauthenticated Remote Code Execution (RCE) on vulnerable servers.

Next.js initially published a separate identifier (CVE-2025-66478), but the issue was later confirmed as a React-level vulnerability introduced through the RSC Flight protocol.

As a global offensive security firm specializing in real-world exploitation, cloud attack paths, and secure architecture reviews, Bluefire Redteam analyzed the vulnerability and its impact on modern production environments.
This publication distills the issue into a clear, accurate, and actionable technical advisory for CISOs, engineering leaders, and security teams.

Overview of the Critical React & Next.js Vulnerabilities

React Server Components allow developers to offload logic to the server while dynamically streaming UI fragments to the client via the React Flight protocol.

The vulnerability originates from unsafe deserialization of untrusted client-supplied Flight payloads.
This means:

An attacker can send a specially crafted RSC request → React deserializes it incorrectly → the request triggers unintended execution paths → resulting in arbitrary code execution on the server.

No authentication is required.
No user interaction is needed.
A single payload can compromise the server.

Breakdown of CVE-2025-55182 and CVE-2025-66478

From Bluefire Redteam’s offensive research standpoint, this is one of the highest-impact JavaScript ecosystem vulnerabilities in recent years.

1. Unauthenticated Remote Code Execution (RCE)

An attacker gains direct execution capability on the server — often with access to environment variables, internal tokens, backend API keys, and cloud metadata endpoints.

2. Affects Default Configurations

Even a new create-next-app using the App Router could be vulnerable without developers adding any custom functionality.

3. Cloud-Scale Impact

Thousands of production Next.js apps run on:

  • Vercel
  • AWS Lambda / Fargate
  • Google Cloud Run
  • Docker / Kubernetes
  • DigitalOcean App Platform

On these platforms, a single exploited service may expose an entire cloud environment.

4. High Reliability of Exploitation

Industry analysis shows this RCE is extremely reliable under default server configurations.
This dramatically increases the likelihood of widespread automated exploitation.

Affected Versions of React and Next.js

React (RSC-enabled versions)

Vulnerable:

  • 19.0.0
  • 19.1.x
  • 19.2.x

Patched:

  • 19.0.1
  • 19.1.2
  • 19.2.1 and newer

Next.js (App Router)

Patched versions include:

  • 15.0.5
  • 15.1.9
  • 15.2.6
  • 15.3.6
  • 15.4.8
  • 15.5.7
  • 16.0.7

Also affected

Any platform, bundler, or custom SSR setup using:

  • react-server-dom-webpack
  • react-server-dom-turbopack
  • react-server-dom-parcel

Not affected

  • React 18 (client-only builds)
  • Next.js Pages Router applications
  • Edge Runtime deployments
  • Apps not using Server Components

This aligns with official vendor guidance and public disclosures.

How to Patch and Secure Your React/Next.js Applications

1. Upgrade React & Next.js

npm install next@latest react@latest react-dom@latest

2. Regenerate lockfiles

rm -rf node_modules package-lock.json
npm install
npm run build

3. Verify no vulnerable RSC packages remain

npm ls react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack

4. Redeploy all environments

Ensure production, staging, and preview deployments are running the patched build — not cached runtimes or outdated Node.js layers.

5. Re-scan with SCA tools

Use:

  • npm audit
  • Snyk
  • Dependabot
  • GitHub security scans

Confirm CVE-2025-55182 / CVE-2025-66478 are no longer flagged.

Bluefire Redteam Recommendations for CISOs

1. Treat this as an urgent patching priority

Internet-facing Next.js/React services should be updated immediately.

2. Enable temporary WAF protections

Block suspicious RSC/Flight payload patterns until your environment is verified safe.

3. Conduct an RSC exposure audit

We recommend reviewing:

  • Server Actions
  • Server Components
  • API routes
  • Internal SSR logic
  • Node microservices depending on RSC packages

4. Integrate CI/CD safety gates

Your CI pipeline should fail if:

  • Vulnerable React 19 versions are introduced
  • Any react-server-dom-* package appears
  • Next.js resolves to outdated RSC builds
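A version gate that encodes the patched-release lists above and the CI rules just listed, as an added example and not Bluefire Redteam's or the React project's own tooling: it walks a package-lock.json (lockfile v2/v3 "packages" map) and reports any react, react-dom or next entry below the advisory's patched release, plus any react-server-dom-* package present. Assumptions: react-dom is patched at the same versions as react, and Next.js minor lines not in the advisory's list are reported for manual verification rather than passed.

```javascript
// Minimum patched release per minor line, from the advisory; "*" covers every other 19.x line.
const MIN_PATCHED = {
  react: { "19.0": "19.0.1", "19.1": "19.1.2", "*": "19.2.1" },
  next: { "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
          "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7" },
};
MIN_PATCHED["react-dom"] = MIN_PATCHED.react; // assumed: react-dom is patched in lockstep with react

// Numeric compare of "x.y.z" strings; a pre-release suffix such as "-canary.1" is ignored.
function cmpVersion(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Returns a finding string for pkg@version, or null when the gate lets it through.
function checkPackage(pkg, version) {
  if (pkg.startsWith("react-server-dom-")) return `${pkg}@${version}: RSC package present, review`;
  const table = MIN_PATCHED[pkg];
  if (!table) return null;
  const [major, minor] = version.split(".");
  if (pkg !== "next" && Number(major) !== 19) return null; // React 18 client-only builds: not affected
  const min = table[`${major}.${minor}`] || table["*"];
  if (!min) return `${pkg}@${version}: not in the advisory's patched list, verify manually`;
  return cmpVersion(version, min) < 0 ? `${pkg}@${version}: vulnerable, upgrade to >= ${min}` : null;
}

// Collects findings for every installed package; in CI, pass JSON.parse of the real lockfile.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path || !meta.version) continue;            // "" is the root project entry
    const name = path.split("node_modules/").pop();  // nested installs and @scope/ names handled
    const finding = checkPackage(name, meta.version);
    if (finding) findings.push(finding);
  }
  return findings;
}

// Constructed sample lockfile fragment (not a real project): one vulnerable stack.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "0.1.0" },
  "node_modules/next": { version: "15.5.6" }, "node_modules/react": { version: "19.2.0" },
  "node_modules/react-dom": { version: "19.2.1" },
  "node_modules/react-server-dom-webpack": { version: "19.2.0" },
} };
```

In a pipeline, call auditLockfile(JSON.parse(fs.readFileSync("package-lock.json", "utf8"))) and fail the job when the returned array is non-empty.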

5. Consider a post-patch validation assessment

Our team performs lightweight but deep technical audits to ensure:

  • patches were applied correctly
  • no backdoors or lateral movement artifacts exist
  • no vulnerable RSC entrypoints remain
  • cloud IAM & serverless functions were not affected

Bluefire Redteam Final Statement

As the JavaScript landscape evolves, frameworks like React and Next.js are increasingly complex — and so are their attack surfaces.

CVE-2025-55182 demonstrates that modern UI frameworks can introduce server-side execution risks that rival traditional backend vulnerabilities.

With timely patching, thorough validation, and strong runtime observability, organizations can completely neutralize this threat.

If your security or engineering team needs support validating exposure, confirming patch integrity, or conducting a full supply-chain audit, Bluefire Redteam is ready to assist.

Responsible Disclosure Note

This advisory is based solely on publicly available information from official React and Next.js security notices and reputable cybersecurity research sources. No exploit code or sensitive attack details are included.
