Concise Cyber

CVE-2025-55182: React2Shell RCE Flaw in React Server Components Explained

A critical remote code execution (RCE) vulnerability in React Server Components, tracked as CVE-2025-55182 and dubbed React2Shell, was reported by security researchers at Tenable. The flaw is an unsafe deserialization of untrusted data: a payload sent by a client is reconstructed on the server in a way that lets an attacker execute arbitrary code there. Tenable disclosed the findings to the React core team on September 5, 2024.

What is CVE-2025-55182 (React2Shell)?

React2Shell affects applications that use React Server Components (RSC). With RSC, components are rendered on the server and their output is streamed to the client; the same machinery also carries serialized data from the client back to the server, for example the arguments of a server-side action. The flaw lies in how that client-supplied serialized data is decoded: the server reconstructs objects from the payload without adequately constraining what the payload may reference, so a crafted serialized object is turned into server-side code execution when it is processed. An attacker who can reach a vulnerable endpoint gains control of the server process, and with it the integrity of the host and any data or credentials the process can access.
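To make the bug class concrete, the following is an added example and not React's code, Tenable's code, or the actual React2Shell payload. It is a deliberately simplified stand-in for a server-side decoder of client-supplied serialized data: the `$F:` reference tag, the `moduleScope` resolver and the action registry are assumptions made for illustration only. The unsafe decoder lets the payload choose which server-side function is resolved and invoked; the hardened one keeps the payload as plain data and resolves actions only through an explicit allow-list.

```javascript
// Added example, not from the original post or from React. A toy server-side
// decoder for client-supplied serialized payloads (assumption: a "$F:<path>"
// string stands in for a function reference; React's real wire format differs).

// Constructed server-side registry: the only actions a client should reach.
const serverActions = {
  addToCart: (item) => ({ ok: true, item }),
};

// Something a client must never be able to reach through a payload
// (stand-in for a shell/child_process call, constructed for the demo).
const internals = {
  runShell: (cmd) => `would execute: ${cmd}`,
};

// What a naive resolver effectively exposes: everything in module scope.
const moduleScope = { serverActions, internals };

// VULNERABLE: reference tags are resolved by walking client-chosen property
// names, so the payload decides which function object comes back.
function decodeUnsafe(json) {
  return JSON.parse(json, (_key, value) => {
    if (typeof value === "string" && value.startsWith("$F:")) {
      let target = moduleScope;
      for (const part of value.slice(3).split(".")) target = target[part]; // attacker-controlled lookup
      return target;
    }
    return value;
  });
}

function invokeUnsafe(json) {
  const { action, args } = decodeUnsafe(json);
  return action(...args); // whatever the payload resolved to gets called
}

// HARDENED: no reviver, so the parsed payload stays plain data; the action is a
// flat identifier looked up in an allow-list, and the shape is validated before
// anything is called.
const allowedActions = new Map([["addToCart", serverActions.addToCart]]);

function decodeSafe(json) {
  const data = JSON.parse(json);
  if (typeof data !== "object" || data === null || Array.isArray(data)) {
    throw new TypeError("payload must be a JSON object");
  }
  if (typeof data.action !== "string") throw new TypeError("action must be a string");
  if (!Array.isArray(data.args)) throw new TypeError("args must be an array");
  const fn = allowedActions.get(data.action);
  if (typeof fn !== "function") throw new Error(`unknown action: ${data.action}`);
  return { fn, args: data.args };
}

function invokeSafe(json) {
  const { fn, args } = decodeSafe(json);
  return fn(...args);
}
```

With the unsafe decoder, a legitimate `{"action":"$F:serverActions.addToCart","args":["apple"]}` works, but so does `{"action":"$F:internals.runShell","args":["id"]}`, because nothing distinguishes a reference the application meant to expose from one it did not. The hardened decoder rejects that payload as an unknown action. The general rule for any format that carries references or type tags from an untrusted party is the same: resolve them only against an explicit allow-list, never by name lookup on whatever the process has in scope.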

Affected Versions and Remediation

The vulnerability affects several widely used libraries and frameworks that implement React Server Components. The primary recommendation for all users is to upgrade to a patched version immediately. The following versions contain the fix:

Next.js: Patches are available in versions 14.1.1, 14.2.4, and 15.0.0-rc.0.

React Libraries: The underlying React libraries have also been updated. Users should ensure they are using react-server-dom-webpack version 18.3.0-canary-230dd6954-20240425 or later, and react-dom version 18.3.1 or later.

Developers and system administrators are urged to review their dependencies and apply these updates to protect their applications from the React2Shell vulnerability.
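A dependency review can be scripted against the lockfile. The following is an added example, not from the original post and not a tool from Tenable or the React project: it walks an npm `package-lock.json` (lockfileVersion 2 or 3 `packages` map) and compares the packages named above against the patched floors listed on this page. The lockfile contents are constructed for the demo, and the version comparison is a minimal semver implementation written for it (assumption: sufficient for these version strings; real tooling should use the `semver` npm package).

```javascript
// Added example, not from the original post. Patched floors are the versions
// listed in the text above, grouped per release line because each
// major.minor line has its own fix.
const PATCHED_FLOORS = {
  next: ["14.1.1", "14.2.4", "15.0.0-rc.0"],
  "react-server-dom-webpack": ["18.3.0-canary-230dd6954-20240425"],
  "react-dom": ["18.3.1"],
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return {
    nums: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split(".") : null,
  };
}

// Comparator (<0, 0, >0). Prerelease ordering follows semver: a prerelease
// ranks below its release; identifiers compare numerically when both are
// numeric, otherwise as ASCII strings, and a shorter list ranks lower.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (!pa.pre && !pb.pre) return 0;
  if (!pa.pre) return 1;
  if (!pb.pre) return -1;
  const n = Math.max(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    const nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
    if (nx && ny) {
      if (Number(x) !== Number(y)) return Number(x) - Number(y);
    } else if (nx) return -1;
    else if (ny) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// "patched" only if the version is at or above the floor for its own
// major.minor line; a line with no listed floor is reported for manual
// review instead of being silently passed.
function assess(name, version) {
  const floors = PATCHED_FLOORS[name];
  if (!floors) return "not-in-scope";
  const { nums } = parseVersion(version);
  const floor = floors.find((f) => {
    const fn = parseVersion(f).nums;
    return fn[0] === nums[0] && fn[1] === nums[1];
  });
  if (!floor) return "review";
  return compareVersions(version, floor) >= 0 ? "patched" : "vulnerable";
}

// Walks the lockfile "packages" map; keys look like "node_modules/<name>" or
// nested "node_modules/a/node_modules/<name>", and "" is the root project.
function auditLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (!key) continue;
    const marker = "node_modules/";
    const name = key.slice(key.lastIndexOf(marker) + marker.length);
    if (!(name in PATCHED_FLOORS)) continue;
    findings.push({ path: key, name, version: entry.version, status: assess(name, entry.version) });
  }
  return findings;
}

// Constructed lockfile excerpt for the demo (not a real project's lockfile).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/next": { version: "14.2.3" },
    "node_modules/react-dom": { version: "18.3.1" },
    "node_modules/react-server-dom-webpack": { version: "18.3.0-canary-230dd6954-20240425" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`${f.status.padEnd(10)} ${f.path}@${f.version}`);
```

Two caveats a practitioner should keep in mind. First, check every copy of a package, not just the top-level one: nested `node_modules` entries can pin an older React build than the one at the root, which is why the walk keeps the full lockfile path. Second, React canary builds carry a commit hash in the prerelease tag, so plain semver ordering between two different canaries is not meaningful; treat a canary that does not exactly match the listed build as needing manual verification.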

Source: https://www.tenable.com/blog/react2shell-cve-2025-55182-react-server-components-rce