React2Shell
Created on 2025-12-05 13:54, updated on 2025-12-15 06:53, by Alexandre Dulaunoy
Description
React2Shell (CVE-2025-55182)
What?
A 10.0 critical-severity vulnerability affecting server-side use of React.js, tracked as CVE-2025-55182 in React.js and as CVE-2025-66478 specifically for the Next.js framework.
This vulnerability was responsibly disclosed by myself, Lachlan Davidson, on 29 November 2025 PT to the Meta team. Initial disclosure and patch release were performed by React and Vercel on 3 December 2025 PT.
Update: Proof-of-Concepts
A real public PoC began circulating around 30 hours after the initial disclosure; I shared my own PoCs several hours later. Full writeup in due course :)
Update: A note on scanners (4 December 20:55 UTC)
We've seen some great scanners from the likes of Assetnote, which are very effective at detecting unpatched Next.js instances that use Server Components.
However, there's another nuance that we'd like to highlight: The day-0 protections from some providers are actually runtime-level, and not just WAF rules. So many customers with theoretically vulnerable versions are, to our knowledge, still protected.
We're aware of many submissions to Bug Bounty programs, etc. based on these scanner outputs, many of which may be false positives. Unfortunately, at this point in time, we cannot share any methods to concretely identify with certainty whether you are vulnerable. So when in doubt: patch!
Update: A note on invalid PoCs (4 December 03:25 UTC)
We have seen a rapid trend of "Proof of Concepts" spreading which are not genuine PoCs.
Anything that requires the developer to have explicitly exposed dangerous functionality to the client is not a valid PoC. Common examples we've seen in supposed "PoCs" are vm#runInThisContext, child_process#exec, and fs#writeFile.
This would only be exploitable if you had consciously chosen to let clients invoke these, which would be dangerous no matter what. The genuine vulnerability does not have this constraint. In Next.js, the list of server functions is managed for you, and does not contain these.
Many of these "PoCs" have been referenced in publications, and even some vulnerability aggregators. We are concerned that these may lead to false negatives when evaluating if a service is vulnerable, or lead to unpreparedness if or when a genuine PoC surfaces.
Am I affected?
Refer to vendor advisories from React and Next.js.
What happened to CVE-2025-66478?
This CVE was (technically correctly) marked as a duplicate of CVE-2025-55182.
The decision to publish a second CVE for Next.js was made due to these exceptional circumstances: Next.js does not include React as a traditional dependency; instead, it bundles a "vendored" copy. So, if you're using Next.js, many dependency tools do not automatically recognise it as vulnerable.
Additional React vulnerabilities (CVE-2025-55183, CVE-2025-55184, CVE-2025-67779)
Denial of Service - High Severity: CVE-2025-55184 and CVE-2025-67779 (CVSS 7.5)
(CVE-2025-55184 was incompletely fixed, leading to the full fixes being tracked under CVE-2025-67779.)
"Security researchers have discovered that a malicious HTTP request can be crafted and sent to any Server Functions endpoint that, when deserialized by React, can cause an infinite loop that hangs the server process and consumes CPU. Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.
This creates a vulnerability vector where an attacker may be able to deny users from accessing the product, and potentially have a performance impact on the server environment."
Source Code Exposure - Medium Severity: CVE-2025-55183 (CVSS 5.3)
Vulnerabilities included in this bundle
Combined detection rules
Detection rules are retrieved from Rulezet.
Combined sightings
| Author | Vulnerability | Source | Type | Date |
|---|---|---|---|---|