React2Shell: Tracking CVE-2025-55182 in React Server Components

Dec 22, 2025
React2Shell (CVE-2025-55182) was disclosed in the React team's December 3, 2025 advisory, affecting React Server Components. The issue allows attacker-controlled payloads to reach shell execution on the server when frameworks pass React Server Component (RSC) stream data into OS-level utilities. For teams tracking multi-platform exposure, treat this as a high-confidence remote code execution risk.
Who is affected
- React applications using Server Components on React releases earlier than the patched builds listed in the official advisory.
- Next.js App Router deployments built on those React versions (self-hosted or managed), including container images that bundle the vulnerable runtime.
- Custom RSC-capable frameworks and SSR services that forward request context into server renderers, especially when shelling out for image processing, logging, PDF rendering, or CLI-based tooling.
What happened (blog summary)
- The React team reports that specially crafted RSC payloads can trigger command execution when serialized server component data reaches shell utilities.
- The attack path is enabled by unsafe handling of untrusted input inside the RSC streaming and hydration pipeline.
- Patched React builds and framework updates were released; the advisory lists fixed versions and mitigations.
Risks and impact
- Remote code execution with the privileges of the React server process.
- Exposure of environment secrets, source code, and potential lateral movement into adjacent services.
- Downtime or supply-chain pollution if attackers sabotage build artifacts or runtime dependencies.
How to respond if you might be vulnerable
- Identify: Inventory services using React Server Components or Next.js App Router. Confirm the React version and match it against the patched releases in the advisory.
- Patch: Upgrade React to the fixed version and redeploy. For Next.js, update to the first patched App Router release that bundles the fixed React runtime.
- Redeploy: Rebuild images/containers and invalidate caches or CDN artifacts that may ship vulnerable bundles.
- Monitor: Review server and container logs for suspicious shell activity or unexpected CLI invocations since the vulnerability window opened.
- Contain: Rotate credentials, access tokens, and secrets that were present on the affected hosts.
Forward-looking hardening
- Keep untrusted input out of shell invocations; prefer library calls over CLI tooling.
- Apply strict content validation and encoding for data entering the RSC pipeline.
- Run server renderers under least-privilege accounts with network egress controls.
- Isolate build and runtime environments; do not share artifacts between trusted and untrusted tenants.
- Add regression tests that simulate hostile RSC payloads to ensure patched behavior persists.