Executive Summary
In late 2025, Vercel—maintainers of the popular Next.js framework—faced a critical cybersecurity incident involving the React2Shell vulnerability (CVE-2025-55182). Discovered just after Thanksgiving, this supply-chain flaw in React Server Components enabled unauthenticated remote code execution across multiple frameworks and bundlers in default configurations. A rapid, global response mobilized Vercel, open-source contributors, major cloud providers, and security vendors who coordinated mitigations and validated patches within days. Despite these efforts, over 60 organizations were compromised, with attackers from cybercriminal, ransomware, and nation-state groups exploiting disclosed weaknesses, leading to millions of exploit attempts and sustained attack volumes.
The React2Shell episode highlighted the ongoing risks inherent in reliance on open-source components and the urgent need for collaborative, industry-wide response standards. Attackers have rapidly adopted similar techniques, sustaining high exploitation rates and revealing critical gaps in software supply-chain security.
Why This Matters Now
This incident underscores the growing threat from supply-chain vulnerabilities in foundational open-source technologies at the heart of cloud-native architectures. Given the scale and persistence of attacks, rapid detection, coordinated patching, and improved community security workflows are urgent to prevent cascading impacts across the digital ecosystem.
Attack Path Analysis
Attackers exploited the React2Shell vulnerability (CVE-2025-55182) in exposed Next.js and React Server Component applications, resulting in initial remote code execution. The attackers then escalated privileges within the targeted workloads through further exploitation or misuse of default permissions. Subsequently, adversaries moved laterally across cloud workloads and services via east-west traffic to identify additional exploitable assets. They established outbound command and control channels to remotely manage compromised environments. Sensitive data and credentials were then exfiltrated through allowed outbound channels or covert exfiltration techniques. Finally, adversaries leveraged access to disrupt services, deploy ransomware, or otherwise impact business continuity.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited the React2Shell vulnerability in publicly accessible Next.js applications, obtaining remote code execution.
Related CVEs
CVE-2025-55182
CVSS 10.0 – A pre-authentication remote code execution vulnerability in React Server Components allows unauthenticated attackers to execute arbitrary code via crafted HTTP requests.
Affected Products:
Meta React Server Components – 19.0.0, 19.1.0, 19.1.1, 19.2.0
Vercel Next.js – 15.0.0, 15.1.0, 15.2.0, 15.3.0, 15.4.0, 15.5.0, 16.0.0
Exploit Status:
exploited in the wild
CVE-2025-55184
CVSS 7.5 – A denial of service vulnerability in React Server Components allows attackers to send crafted HTTP requests that cause infinite loops, leading to server resource exhaustion.
Affected Products:
Meta React Server Components – 19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1, 19.2.2
Vercel Next.js – 13.x, 14.x, 15.x, 16.x
Exploit Status:
proof of concept
CVE-2025-55183
CVSS 5.3 – A source code exposure vulnerability in React Server Components allows attackers to send crafted HTTP requests that can reveal the source code of server functions.
Affected Products:
Meta React Server Components – 19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1, 19.2.2
Vercel Next.js – 13.x, 14.x, 15.x, 16.x
Exploit Status:
proof of concept
MITRE ATT&CK® Techniques
Exploit Public-Facing Application (T1190)
Exploitation for Client Execution (T1203)
Command and Scripting Interpreter (T1059)
Valid Accounts (T1078)
Impair Defenses (T1562)
Exploitation of Remote Services (T1210)
Data Encrypted for Impact (T1486)
Obtain Capabilities (T1588)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Timely Deployment of Security Patches
Control ID: 6.3.3
NYDFS 23 NYCRR 500 – Penetration Testing and Vulnerability Assessments
Control ID: 500.05
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Continuous Vulnerability Management
Control ID: Application and Workload Pillar: Continuous Vulnerability Management
NIS2 Directive – Supply Chain Security
Control ID: Article 21(2)(d)
ISO/IEC 27001:2022 – Secure Development Life Cycle
Control ID: A.8.25 (A.14.2.1, Secure Development Policy, in the 2013 edition)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
React2Shell is a critical vulnerability in a dependency shared by React-based frameworks and gives unauthenticated remote code execution; it calls for immediate patching and zero trust segmentation of the affected workloads.
Internet
The maximum-severity CVE-2025-55182 sits in the first layer of internet-facing infrastructure, the web-serving tier; with 8.1 million exploit attempts observed, it demands stronger egress security and threat detection.
Information Technology/IT
React2Shell is reached through Next.js dependencies, creating widespread RCE exposure that requires multicloud visibility, Kubernetes security, and inline IPS protection.
Computer/Network Security
The coordinated industry response to React2Shell demonstrates the need for automated threat detection, a cloud-native security fabric, and improved vulnerability coordination frameworks.
Sources
- Inside Vercel’s sleep-deprived race to contain React2Shell – https://cyberscoop.com/vercel-cto-security-react2shell-vulnerability/
- Critical Security Vulnerability in React Server Components – https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
- React2Shell Security Bulletin – https://vercel.com/kb/bulletin/react2shell/
- Denial of Service and Source Code Exposure in React Server Components – https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
- Security Bulletin: CVE-2025-55184 and CVE-2025-55183 – https://vercel.com/kb/bulletin/security-bulletin-cve-2025-55184-and-cve-2025-55183/
- NVD - CVE-2025-55182 – https://nvd.nist.gov/vuln/detail/CVE-2025-55182
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, advanced egress controls, inline threat detection, and workload-to-workload isolation could have prevented or detected exploitation activity, limited attacker movement, and substantially reduced the blast radius of React2Shell exploitation.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: CNSF provides inline distributed enforcement, reducing exposure of exploitable surfaces.
Control: Zero Trust Segmentation
Mitigation: Limits adversary access by restricting workload and service permissions.
Control: East-West Traffic Security
Mitigation: Detects and blocks unauthorized lateral movement attempts.
Control: Egress Security & Policy Enforcement
Mitigation: Identifies and blocks suspicious outbound connections to attacker infrastructure.
Control: Cloud Firewall (ACF) with Encrypted Traffic (HPE)
Mitigation: Prevents or alerts on data exfiltration attempts over both encrypted and unencrypted channels, enabling early detection of malicious actions and rapid response to limit damage.
Impact at a Glance
Affected Business Functions
- Web Application Hosting
- E-commerce Platforms
- Content Management Systems
Estimated downtime: 14 days
Estimated loss: $5,000,000
Potential exposure of sensitive source code and user data due to unauthorized access and code execution.
Recommended Actions
Key Takeaways & Next Steps
- Enforce workload isolation and microsegmentation to minimize lateral movement risk in cloud environments.
- Deploy and maintain continuous inline threat detection and anomaly response for all critical application and API endpoints.
- Apply strong egress controls and FQDN filtering to block unauthorized outbound traffic and data exfiltration.
- Ensure comprehensive east-west traffic visibility and enforce least privilege policies across services and namespaces.
- Regularly update cloud-native workload protections and rapidly patch vulnerable frameworks and dependencies.