Executive Summary
In June 2024, a critical vulnerability known as 'React2Shell' was discovered in the React Server Components (RSC) 'Flight' protocol, impacting React and Next.js applications worldwide. This flaw enables unauthenticated remote code execution (RCE), allowing attackers to execute arbitrary JavaScript code on affected web servers. Security researchers observed that threat actors could exploit the protocol by sending crafted requests, potentially leading to a full compromise of application environments and exposure of sensitive data or further lateral movement within networks.
This incident underscores heightened risk in modern web application supply chains and the urgent need for timely patching within frameworks. Growing attacks on open-source packages and widespread usage of React/Next.js frameworks amplify the incident's relevance, especially as application-layer vulnerabilities facilitate high-impact breaches at scale.
Why This Matters Now
This vulnerability’s ease of exploitation and broad impact on popular web frameworks make it a top priority for remediation. Organizations using React or Next.js face immediate exposure to unauthenticated remote code execution, threatening service continuity, data confidentiality, and compliance posture. Rapid adoption of patches and enhanced application security measures are urgently needed.
Attack Path Analysis
Attackers exploited a critical unauthenticated remote code execution vulnerability in React/Next.js applications, gaining an initial foothold via the exposed 'Flight' protocol. They leveraged remote shell access to escalate privileges or manipulate application environment variables. With access to the workload, the attackers attempted lateral movement to adjacent internal services or containers. External command and control channels were established to maintain persistent access. Sensitive data was exfiltrated using encrypted or covert channels to external destinations. Finally, the attackers were positioned to disrupt operations, deploy ransomware, or manipulate workloads, impacting business continuity.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited the unauthenticated React2Shell vulnerability to remotely execute code on exposed application servers.
Related CVEs
CVE-2025-55182
CVSS 10
An unauthenticated remote code execution vulnerability in React Server Components due to unsafe deserialization in the Flight protocol.
Affected Products:
Meta React – 19.0.0, 19.1.0, 19.1.1, 19.2.0
Vercel Next.js – 15.x, 16.x
Exploit Status:
Exploited in the wild
References:
https://www.microsoft.com/en-us/security/blog/2025/12/15/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components/
https://www.radware.com/security/threat-advisories-and-attack-reports/react2shell-a-cvss-10-0-rce-vulnerability-in-react-server-components-cve-2025-55182/
https://www.thehackerwire.com/react2shell-exploit-wave-batters-unpatched-react-and-next-js-servers/
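A first step for any team that owns React or Next.js applications is an inventory check: which deployed lockfiles pin a version the advisory lists as affected. The following Node.js script is an added example written for this page, not code from the advisory or from the React or Next.js projects. It walks the `packages` map of a `package-lock.json` (lockfile v2/v3 layout) and flags the React releases and Next.js major lines named above. The advisory does not state which later releases carry the fix, so the script only reports matches against the affected list; a flag means "check this workload against the vendor's patch guidance". The grouping of `react-server-dom-*` packages with `react`, the sample lockfile, and every package name in it are assumptions constructed for the example.

```javascript
// Added example (not from the advisory): flag React/Next.js versions that the
// advisory lists as affected by CVE-2025-55182 in a package-lock.json.
// Assumption: the advisory gives no fixed versions, so a flag means
// "verify against vendor patch guidance", not "confirmed vulnerable".

// Exact React releases listed as affected in the advisory.
const AFFECTED_REACT_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
// Next.js major lines listed as affected in the advisory (15.x, 16.x).
const AFFECTED_NEXT_MAJORS = new Set([15, 16]);

// Packages versioned in lockstep with react that ship the RSC "Flight" runtime.
// This grouping is an assumption made for the check, not from the advisory.
const REACT_FAMILY = new Set([
  "react",
  "react-dom",
  "react-server-dom-webpack",
  "react-server-dom-turbopack",
  "react-server-dom-parcel",
]);

// Parse "19.1.1", "v19.1.1" or "19.2.0-canary-xyz" into major/minor/patch;
// returns null for anything that is not a semver-shaped string.
function normalizeVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) return null;
  return {
    major: Number(m[1]),
    minor: Number(m[2]),
    patch: Number(m[3]),
    base: `${m[1]}.${m[2]}.${m[3]}`,
  };
}

// Classify one package@version against the advisory's affected list.
function classify(name, version) {
  const parsed = normalizeVersion(version);
  if (!parsed) return { name, version, status: "unparsed" };
  if (REACT_FAMILY.has(name) && AFFECTED_REACT_VERSIONS.has(parsed.base)) {
    return { name, version, status: "affected" };
  }
  if (name === "next" && AFFECTED_NEXT_MAJORS.has(parsed.major)) {
    // Whole major line is listed; patch level must be checked against vendor guidance.
    return { name, version, status: "affected-major" };
  }
  return { name, version, status: "not-listed" };
}

// Walk the "packages" map of a lockfile. Keys look like "node_modules/react" or,
// for nested copies, "node_modules/foo/node_modules/react"; scoped packages keep
// their "@scope/name" form after the last "node_modules/".
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || !entry || !entry.version) continue; // "" is the root project
    const idx = path.lastIndexOf("node_modules/");
    const name = idx === -1 ? path : path.slice(idx + "node_modules/".length);
    const result = classify(name, entry.version);
    if (result.status === "affected" || result.status === "affected-major") {
      findings.push({ path, ...result });
    }
  }
  return findings;
}

function hasAffected(findings) {
  return findings.length > 0;
}

// Constructed sample lockfile for the example (not a real project). It contains a
// nested React 18.3.1 copy, which is outside the listed versions and must not be flagged.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { next: "^15.0.0", react: "^19.0.0" } },
    "node_modules/next": { version: "15.1.0" },
    "node_modules/react": { version: "19.1.1" },
    "node_modules/react-dom": { version: "19.1.1" },
    "node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/legacy-widget": { version: "2.0.0" },
    "node_modules/legacy-widget/node_modules/react": { version: "18.3.1" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

// CLI use: `node check-lock.js path/to/package-lock.json`; with no argument the
// constructed sample above is scanned. Exit code 1 when anything is flagged.
if (typeof require !== "undefined" && require.main === module) {
  const lockPath = process.argv[2];
  const lock = lockPath ? JSON.parse(require("fs").readFileSync(lockPath, "utf8")) : SAMPLE_LOCK;
  const findings = scanLockfile(lock);
  for (const f of findings) console.log(`${f.status}\t${f.path}\t${f.version}`);
  process.exitCode = hasAffected(findings) ? 1 : 0;
}
```

Run it against each deployed application's lockfile (container images often carry one under the app root) and treat a non-zero exit as a ticket to reconcile that workload with the vendor fix, not as a final verdict; the script knows only the affected list from this advisory.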
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter
Exploitation for Privilege Escalation
Access Token Manipulation
Valid Accounts
Exploitation of Remote Services
Impair Defenses
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of Public-Facing Applications
Control ID: 6.2.3
NIS2 Directive – Risk Management Measures — Security of Network and Information Systems
Control ID: Article 21(2)
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 8
CISA Zero Trust Maturity Model 2.0 – Secure Design and Configuration of Applications
Control ID: Pillar: Applications - Capability: Secure Application Development (2.1)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Critical React2Shell vulnerability enables unauthenticated remote code execution in React/Next.js applications, requiring immediate patching and enhanced application security controls.
Financial Services
Banking platforms using React/Next.js face severe data breach risks from server-side code execution, violating PCI compliance and enabling unauthorized transaction processing.
Health Care / Life Sciences
Healthcare applications vulnerable to patient data theft and system compromise through React Server Components exploitation, breaching HIPAA requirements for data protection.
E-Learning
Educational platforms risk student data exposure and service disruption as attackers exploit React2Shell to execute malicious code on learning management systems.
Sources
- Critical React, Next.js flaw lets hackers execute code on servers: https://www.bleepingcomputer.com/news/security/critical-react2shell-flaw-in-react-nextjs-lets-hackers-run-javascript-code/ (Verified)
- Defending against the CVE-2025-55182 (React2Shell) vulnerability in React Server Components: https://www.microsoft.com/en-us/security/blog/2025/12/15/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components/ (Verified)
- React2Shell, a CVSS 10.0 RCE Vulnerability in React Server Components (CVE-2025-55182): https://www.radware.com/security/threat-advisories-and-attack-reports/react2shell-a-cvss-10-0-rce-vulnerability-in-react-server-components-cve-2025-55182/ (Verified)
- React2Shell exploit wave batters unpatched React and Next.js servers: https://www.thehackerwire.com/react2shell-exploit-wave-batters-unpatched-react-and-next-js-servers/ (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust segmentation, east-west security, strict egress controls, and threat detection at each stage would have significantly constrained the attack path, minimizing lateral movement, exfiltration, and impact—even if initial compromise occurred.
Control: Cloud Firewall (ACF)
Mitigation: Inbound exploit attempts could be blocked at the network edge.
Control: Kubernetes Security (AKF)
Mitigation: Pod-to-pod segmentation would limit privilege escalation and reduce blast radius.
Control: Zero Trust Segmentation
Mitigation: Microsegmentation prevents unauthorized east-west movement.
Control: Threat Detection & Anomaly Response
Mitigation: Malicious outbound traffic patterns are detected in real time.
Control: Egress Security & Policy Enforcement
Mitigation: Unapproved data transfers and suspicious destinations are blocked.
Real-time enforcement and distributed controls reduce the risk and scope of destructive operations.
Impact at a Glance
Affected Business Functions
- Web Applications
- E-commerce Platforms
- Content Management Systems
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive user data, including personal information and payment details, due to unauthorized access and code execution on affected servers.
Recommended Actions
Key Takeaways & Next Steps
- Deploy restrictive cloud firewall rules to minimize the application attack surface exposed to the internet.
- Implement Zero Trust segmentation and microsegmentation to constrain lateral movement between workloads, regions, and clusters.
- Enforce granular egress controls and monitor for unauthorized external communications to disrupt exfiltration and command-and-control activity.
- Leverage real-time threat detection and anomaly response to rapidly identify and contain exploit-driven intrusions.
- Regularly patch and update cloud-native applications to remediate known vulnerabilities and enforce continuous visibility across hybrid-cloud environments.