If you use React or Next.js, you may have seen the name React2Shell (CVE-2025-55182) show up recently. This post breaks down what is going on, why it matters, and what you should do in simple words.
What this vulnerability is about
Modern React uses something called React Server Components. These components rely on a system where data is converted into a simple format before being sent to the server. This process is called serialization. When the server receives that data, it turns it back into real JavaScript objects. That part is called deserialization.
The exchange is handled by the React Flight protocol. The core problem is that the server does not properly validate the incoming data during deserialization. Whatever the client sends is trusted and rebuilt automatically as JavaScript objects.
Why that becomes a problem
Because there are no safety checks, an attacker can carefully shape the data they send. The server then treats that data as if it were legitimate React input. During deserialization, objects are rebuilt with values fully controlled by the attacker.
This gives attackers access to parts of JavaScript that should never be influenced by user input. At that point, the server is no longer just rendering components. It is handling attacker-controlled objects in a very powerful execution environment.
A simplified proof of concept idea
A common exploitation path takes advantage of how JavaScript functions inherit access to the global Function constructor. The Function constructor can take a string and turn it into executable code.
In the proof of concept, the attacker crafts a payload that reaches this constructor during deserialization. When that happens, arbitrary JavaScript code can be created and executed directly on the server. No authentication is required.
How this leads to remote code execution
Once an attacker can run JavaScript on the server, the impact becomes severe. Server-side JavaScript can load system modules, interact with the file system, and execute operating system commands.
This means an attacker could read sensitive files, modify application data, or take full control of the server. Even a simple demo, such as opening a calculator application, is enough to prove that real system commands are being executed.
Why the severity is so high
This vulnerability has a CVSS score of 10.0, which is the highest possible severity. The attack can be performed remotely, requires no authentication, and can be triggered with a single crafted request.
Many developers are exposed without realizing it. React Server Components are often enabled by default in frameworks like Next.js, so applications may be vulnerable even if developers never explicitly opted into this behavior.
What you should do
If your application uses React Server Components, or if you use a framework or build setup that includes vulnerable react-server packages, you should check your dependencies immediately. Upgrade to the patched versions released by the React and framework maintainers.
Do not test proof of concepts from untrusted sources. If you want to experiment, only do so in isolated environments you own or have explicit permission to test.
Resources
- Official React advisory
- Public proof of concept referenced in discussions
- Vercel security bulletin covering related vulnerabilities
Keeping an eye on official advisories is the best way to stay ahead of follow-up issues, as more related vulnerabilities have already been disclosed.
Thanks for reading!