Critical vulnerability in React JS framework has a near 100% chance to be exploited

Alfonso Maruccia

Facepalm: A widely used web technology is affected by a serious security vulnerability that can be exploited with minimal effort to compromise servers. Known as "React2Shell," the flaw may require extensive patching by numerous organizations, both on the public internet and across cloud environments.

Researchers have uncovered a critical security flaw that could have catastrophic consequences for web and private cloud infrastructure. The vulnerability affects the React framework and represents a rare "perfect" issue – easy to exploit and capable of causing serious damage to web servers.

React is an open-source JavaScript library designed to simplify the development of user interfaces. Maintained by Meta and the open-source community, the framework supports both single-page and server-rendered applications. Its performance benefits come from its ability to selectively re-render only the parts of a page that have changed.

React powers an estimated six percent of all existing websites and is present in 39 percent of cloud environments. The technology also underpins many popular third-party components and frameworks, including Next.js. The vulnerability in React is tracked as CVE-2025-55182, while the related Next.js issue is tracked as CVE-2025-66478.

According to researchers at Wiz, the critical vulnerability affects default Next.js and React configurations and can be exploited with minimal effort. The root cause is the "Flight" protocol used in React Server Components (RSC). An insecure deserialization flaw in RSC allows attackers to trigger server-side execution of a remotely controlled malicious payload.

Exploitation is alarmingly simple: attackers only need to send a single, specially crafted HTTP request to a vulnerable server. Wiz analysts have already developed a working proof-of-concept exploit, although they have not yet released the full details. In internal testing, attempts to exploit React2Shell demonstrated near-perfect reliability.

The attack vector is completely remote and requires no authentication, Wiz said. Even worse, many cloud environments expose publicly accessible Next.js instances that may be vulnerable to this RSC flaw.

React developers have released an updated version of the framework that includes safer validation and deserialization routines to mitigate React2Shell-style attacks. Framework maintainers, hosting platforms, and cloud providers are being urged to update immediately – failing to do so will make attackers' jobs significantly easier and put users at risk. Google has stated that the OS images used in its Compute Engine cloud service are not vulnerable by default.

Apparently something like this inserted into your webpage *might* do, but I'm not sure, it may be a false negative so handle with care:

console.log({
    NextJSVersion: window.next?.version, // Next.js exposes its version on window.next in the browser
    pageProps: window.__NEXT_DATA__?.props?.pageProps // Pages Router data blob; not set on App Router sites
})
console.log(window.React?.version); // React is rarely a global in production bundles, so this is often undefined
 
React Server Components are relatively new and used by a fraction of the websites that use React. React is primarily a frontend library. Server Components were officially released last year with React 19 whereas before they were in development in separate react-server libraries: https://react.dev/blog/2024/12/05/react-19

That said, Next.js is built on top of React and designed to be the best way to use Server Components. Thus v15 (released last year) is affected by this bug. Besides that, the vast majority of websites serve static JSX or don't use Server Components when they use React, and they use other web technologies for server-side functionality.
 
Cool, this article only misses the most important part: how do I check if I'm vulnerable?
I wrote this and it'll do a simple version check of Next.js based on what they posted on their blog:
JavaScript:
(()=>{
    if(!window?.next?.version) {return false} // Not a Next.js page, or the version is not exposed
    let [ver, sub] = next.version.split('-');
    let [mj, mn, pa] = ver.split('.').map(e=>Number(e));
    let fx = {16:{0:7},15:{0:5,1:9,2:6,3:6,4:8,5:7}}; // Earliest fixed patch versions
    let canary = Number((sub||'').replace(/^canary\./, '')); // Compare canary numbers numerically, not as strings
    return fx[mj]&&fx[mj][mn]>pa
        ? `${next.version}->${mj}.${mn}.${fx[mj][mn]}` // Vulnerable v15/16
        : mj===14&&(mn>3&&sub||mn===3&&canary>=77) ? next.version+'->15.5.7' // Vulnerable v14 canary (14.3.0-canary.77 and later)
        : false; // Safe
})()
For example, on this site the code indicates upgrades are needed with the following output:
That said, Next.js states that only "applications using React Server Components with the App Router" on those versions are affected. Checking for that is a lot harder, but the developer will usually know if they are using it.
 
That's pretty darn neat, thanks a lot.
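A stricter form of the check from the post above, added here as an example and not the commenter's code: it takes the installed Next.js version as a string (from the lockfile or node_modules/next/package.json, or window.next.version in a browser), reuses the same fixed-version table, and compares canary numbers numerically instead of as strings. The sample inputs at the bottom are constructed.

```javascript
// Added example (not the commenter's code): a stricter Next.js version check
// using the same fixed-version table as the post above. Feed it the installed
// version (lockfile or node_modules/next/package.json), not the range in
// package.json, since "^15.2.0" says nothing about what is actually installed.
const FIXED_NEXT_PATCH = {
  16: { 0: 7 },
  15: { 0: 5, 1: 9, 2: 6, 3: 6, 4: 8, 5: 7 },
};
const FIRST_AFFECTED_CANARY = 77; // 14.3.0-canary.77 and later

// Parse "major.minor.patch[-prerelease]" (optional leading "v"); null otherwise.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Returns "current->recommended" when the version falls in an affected range
// from the post's table, otherwise null (not affected, or not parseable).
function checkNextVersion(version) {
  const p = parseVersion(version);
  if (!p) return null;
  const { major, minor, patch, pre } = p;
  if (major === 15 || major === 16) {
    const fixed = FIXED_NEXT_PATCH[major][minor];
    return fixed !== undefined && patch < fixed
      ? `${version}->${major}.${minor}.${fixed}`
      : null;
  }
  if (major === 14 && pre) {
    // Compare the canary number numerically: as strings, "canary.100" < "canary.77".
    const c = /^canary\.(\d+)$/.exec(pre);
    const canary = c ? Number(c[1]) : NaN;
    if (minor > 3 || (minor === 3 && canary >= FIRST_AFFECTED_CANARY)) {
      return `${version}->15.5.7`;
    }
  }
  return null;
}

// Constructed sample inputs, as collected from several apps in an inventory.
const SAMPLES = ['15.2.3', '15.5.7', '16.0.0', '14.2.20', '14.3.0-canary.100', 'not-a-version'];
for (const v of SAMPLES) {
  console.log(`${v}: ${checkNextVersion(v) ?? 'not in an affected range'}`);
}
```

As in the post, a version in range only means the app may be affected; whether it uses React Server Components with the App Router still has to be confirmed from the code.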