Critical React flaw CVE-2025-55182 is actively exploited. Over 30 organizations breached. Learn how to patch "React2Shell" in React 19 & Next.js apps immediately

Continue reading
The global technology community is facing a severe and urgent security crisis. A maximum-severity vulnerability in React, one of the world's most popular web development libraries, is being actively exploited by nation-state hackers and criminal groups, compromising thousands of servers within days of its disclosure.
Designated CVE-2025-55182 and dubbed "React2Shell," the flaw has drawn direct comparisons to the 2021 Log4Shell event for its ease of exploitation and widespread impact.
This technical deep-dive explores the intricate mechanics of the vulnerability, the sophisticated multi-stage attacks already unfolding, and the critical steps every organization must take immediately.
At its heart, React2Shell is a fundamental flaw in the "Flight" protocol, the system React uses to communicate between server and client components. It stems from insecure deserialization—the unsafe process of converting serialized data from an HTTP request back into executable objects on the server.
How the Exploit Works: Attackers craft a malicious HTTP POST request containing a specially formatted payload. This payload abuses self-referencing JSON structures to trick the server's deserialization logic. By manipulating object properties, attackers can hijack the JavaScript event loop, attaching malicious code to a special `.then` property. When the server automatically attempts to process this, it executes the attacker's commands, resulting in unauthenticated Remote Code Execution (RCE) with a CVSS score of 10.0.
The timeline underscores the extreme urgency:
Real-world exploitation has moved rapidly from reconnaissance to sophisticated post-compromise activities. Security firm Wiz has observed attackers using initial access to launch multi-stage campaigns:
| Attack Phase | Common Activities & Goals |
|---|---|
| Initial Reconnaissance | Running commands like `whoami`, `hostname`, and dumping environment variables to understand the compromised system. |
| Credential & Secret Harvesting | Systematically scouring filesystems for `.env` files, cloud credentials (AWS, Azure), SSH keys, and npm configurations. A primary goal is accessing cloud metadata services to steal IAM roles. |
| Payload Deployment | Installing cryptominers (like XMRig), deploying remote access trojans (RATs) such as VShell, or installing full-featured backdoor frameworks like Sliver for persistent control. |
While the popular Next.js framework has been a primary target due to its default vulnerable configuration, the vulnerability's root lies in core React packages.
This means the threat extends across the modern web development ecosystem.
Affected and Patched Versions:
| Component | Vulnerable Versions | Patched Versions |
|---|---|---|
| React Packages (`react-server-dom-webpack`, `-parcel`, `-turbopack`) | 19.0, 19.1.0, 19.1.1, 19.2.0 | 19.0.1, 19.1.2, 19.2.1 |
| Next.js (Using App Router) | 15.x (prior to 15.5.7), 16.x (prior to 16.0.7) | 15.5.7, 16.0.7, or later |
| Other Frameworks | Waku, Vite (with RSC plugin), Parcel, RedwoodJS are also confirmed vulnerable. | Consult framework-specific advisories. |
Given the active exploits, organizations must operate under an "assume breach" mindset for any unpatched, internet-facing React/Next.js application.
1. Immediate Patching is Non-Negotiable: Updating to the patched versions is the only complete remedy. For Next.js applications, note that updating the React package alone is insufficient; you must update the Next.js framework itself.
2. Hunt for Compromise: Review server logs for Indicators of Compromise (IoCs), such as:
3. Implement Interim Protections (Not a Substitute for Patching):
As attackers continue to refine their exploits, the window for defensive action—measured in hours, not days—has nearly closed. For countless organizations worldwide, the immediate and complete remediation of this vulnerability is the most critical IT task at hand.

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation
| Lateral Movement | Using the compromised web server as a beachhead to scan and move into internal corporate networks. |