
React2Shell: A Critical RCE Vulnerability in React and Next.js Now Impacting High-Value Web3 Infrastructure


On December 3, 2025, the JavaScript ecosystem disclosed one of the most severe vulnerabilities in its history: CVE-2025-55182, widely referred to as React2Shell.
Rated with a maximum CVSS score of 10.0, this flaw enables unauthenticated Remote Code Execution (RCE) through React Server Components (RSC), placing both Web2 and Web3 platforms at significant risk.

This is not an edge-case bug. It affects default Next.js applications scaffolded with create-next-app, with no developer modifications required.

Why This Matters for Web3 Infrastructure

A significant portion of Web3’s operational surface area is built using React and Next.js, including:

  • Validator and sequencer dashboards
  • Custodial management interfaces
  • Admin UIs for DeFi platforms
  • RPC and indexing service dashboards
  • Cross-chain bridge operator consoles
  • Exchange and wallet management portals
  • NFT marketplace administrative layers
  • Oracle dashboards and aggregator systems

These systems often run in cloud environments and interact with sensitive internal APIs, privileged backend services, and private signing modules.

React2Shell provides attackers with the ability to execute arbitrary server-side JavaScript, which can lead to:

  • Extraction of environment variables (RPC keys, signing endpoints, custodial secrets)
  • Compromise of server-side logic that interacts with blockchain nodes
  • Unauthorized modification of build pipelines or deployment artifacts
  • Injection of malicious responses into RSC SSR outputs
  • Pivoting deeper inside the cloud environment, including Kubernetes clusters or IAM roles

This is the exact category of vulnerability that has historically led to large-scale Web3 compromises.

What Is React2Shell?

React2Shell is an unsafe deserialization vulnerability affecting the Flight Protocol, the internal serialization format used by React Server Components to transmit data between the server and the client.

Improper validation of incoming serialized payloads allows an attacker to supply specially crafted data that escapes the expected structure and alters server-side execution logic. When this occurs, attacker-controlled JavaScript code can execute within the server environment.

The vulnerability exists even if developers do not use any advanced experimental features. The standard scaffolding provided by create-next-app is impacted.

Primary CVEs

  • CVE-2025-55182: Unsafe deserialization in React Server Components
  • CVE-2025-66478: Next.js-specific exploit path enabling RCE through RSC

Affected Packages

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

Affected Frameworks

  • Next.js (App Router)
  • React Router with RSC support
  • Waku
  • rwsdk
  • Parcel RSC
  • Vite RSC plugin

Affected Versions

React Server Components

Affected version        Patched version
19.0.0                  19.0.1
19.1.0, 19.1.1          19.1.2
19.2.0                  19.2.1

Next.js

Affected version        Patched version
15.0.x                  15.0.5
15.1.x                  15.1.9
15.2.x                  15.2.6
15.3.x                  15.3.6
15.4.x                  15.4.8
15.5.x                  15.5.7
16.0.x                  16.0.7

Canary Versions

  • Next.js 14 canary versions after 14.3.0-canary.76 are vulnerable
    Downgrade to 14.3.0-canary.76
  • Next.js 15 canary versions before 15.6.0-canary.58 are vulnerable
    Upgrade to 15.6.0-canary.58
  • Next.js 16 canary versions before 16.1.0-canary.12 are vulnerable
    Upgrade to 16.1.0-canary.12

Active Exploitation Status

Multiple threat intelligence teams, including AWS and Wiz, have confirmed active exploitation attempts within hours of public disclosure.
Observed activity includes campaigns attributed to:

  • Earth Lamia (China-nexus)
  • Jackpot Panda (China-nexus)

Key findings

  • Approximately 39 percent of cloud environments host vulnerable versions of React or Next.js.
  • Over 968,000 publicly accessible servers were identified as potentially vulnerable.
  • Successful compromises have been confirmed as of December 5, 2025.

Given that nearly all modern Web3 dashboards, bridge operator tools, validator frontends, and exchange admin systems heavily rely on Next.js or RSC, this vulnerability creates a large and high-impact attack surface for adversaries.

Immediate Mitigation Steps

1. Verify your version

In browser console:

next.version

Or via package.json:

grep '"next"' package.json

2. Use Vercel’s Automated Patch Tool

npx fix-react2shell-next

3. Manual Update

Examples:

npm install next@15.5.7
npm install next@16.0.7
npm install react@19.2.1 react-dom@19.2.1

4. Redeploy

A redeployment is required.
Restarting the server alone is not sufficient because the vulnerability exists inside build-time and runtime RSC serialization paths.

5. Log and Telemetry Review

Check for:

  • Unusual POST payloads
  • Unexpected errors in RSC hydration
  • Spikes in server-side rendering execution time
  • Serialized data structures that do not match expected formats

Determining Whether You Are Affected

You are affected if:

  • You use Next.js App Router (versions 15.0.0 through 16.0.6)
  • You use React Server Components in any affected version
  • Your application uses server-side component rendering

You are not affected if:

  • You use client-side React only
  • You use the Pages Router exclusively
  • You do not use any RSC-capable build tools
  • You are on stable Next.js 14.x without Canary builds
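The version check in mitigation step 1 and the affected/not-affected criteria above can be scripted. The following Node.js script is an added example (not part of the original post, and not Vercel's fix-react2shell-next tool); it encodes the patched-version tables from this advisory and assumes only a parsed package.json object as input.

```javascript
// Added example (not code from the original post, Vercel or the React team):
// checks the Next.js / React versions declared in a package.json against the
// patched versions listed in this advisory. package.json holds a declared
// range, so "vulnerable" on a caret range means the floor of the range is
// vulnerable: confirm the installed version via the lockfile or next.version.
const PATCHED_NEXT = { "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6",
  "15.3": "15.3.6", "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7" };
const PATCHED_REACT = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };
const REACT_PACKAGES = ["react", "react-dom", "react-server-dom-webpack",
  "react-server-dom-parcel", "react-server-dom-turbopack"];

// Extract the first concrete version from a dependency spec such as "^15.5.0".
function parseVersion(spec) {
  const m = /(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(spec));
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

function compareStable(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Classify one dependency as patched, vulnerable, not-affected, canary-review
// (pre-release builds follow the separate canary rules) or unknown.
function assess(name, spec) {
  const v = parseVersion(spec);
  if (!v) return { name, spec, status: "unknown", reason: "unparseable version spec" };
  if (v.pre) return { name, spec, status: "canary-review", reason: "apply the canary version rules" };
  const table = name === "next" ? PATCHED_NEXT : REACT_PACKAGES.includes(name) ? PATCHED_REACT : null;
  if (!table) return { name, spec, status: "unknown", reason: "package not covered by this advisory" };
  if (name === "next" && v.major === 14) return { name, spec, status: "not-affected", reason: "stable Next.js 14.x" };
  const line = `${v.major}.${v.minor}`;
  if (!(line in table)) return { name, spec, status: "unknown", reason: `${line}.x not in the advisory tables` };
  const fixed = table[line];
  const ok = compareStable(v, parseVersion(fixed)) >= 0;
  return { name, spec, status: ok ? "patched" : "vulnerable", reason: `${ok ? ">=" : "<"} patched ${fixed}` };
}

// Run the check over a package.json object (dependencies + devDependencies).
function checkPackageJson(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.keys(deps)
    .filter((n) => n === "next" || REACT_PACKAGES.includes(n))
    .map((n) => assess(n, deps[n]));
}

// Constructed sample package.json (not a real project) for a stand-alone run.
const SAMPLE = { dependencies: { next: "15.5.6", react: "^19.2.1", "react-dom": "^19.2.1" } };
for (const r of checkPackageJson(SAMPLE)) console.log(`${r.name}@${r.spec}: ${r.status} (${r.reason})`);
```

A "canary-review" result means the build is a pre-release; compare it by hand against the canary thresholds in the Affected Versions section.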

WAF Mitigation Is Insufficient

Although major cloud providers and CDNs have deployed WAF rules to detect known exploit payloads, these rules only block signatures of existing attack variants.
Due to the nature of deserialization attacks, payloads can be mutated in numerous ways to bypass WAF filtering.

A WAF provides partial mitigation.
Upgrading to patched versions provides full mitigation.

Vercel has additionally blocked new deployments that target vulnerable Next.js versions.

Conclusion

React2Shell represents one of the most impactful vulnerabilities ever discovered in the React and Next.js ecosystem. Its characteristics include:

  • CVSS 10.0 severity
  • Unauthenticated remote code execution
  • Active exploitation by state-sponsored groups
  • Millions of applications affected
  • Direct relevance to high-value Web3 operational systems

Given the dependency of Web3 dashboards, validator infrastructure, and administrative tooling on Next.js and React, this vulnerability has the potential to be used as an entry point for major compromise events if left unpatched.

Immediate action is required:

  1. Validate your current versions
  2. Upgrade React and Next.js
  3. Redeploy your applications
  4. Conduct log analysis for suspicious RSC activity

Patches are available and straightforward to apply.

Support

Safe Edges provides:

  • Rapid emergency security assessments
  • Patch deployment and CI/CD hardening
  • Infrastructure compromise analysis
  • Web3 security posture audits

If assistance is required to determine exposure or to apply patches safely, our team can help.
