Modern web applications increasingly rely on frameworks such as React and Next.js to build dynamic user interfaces. While these frameworks provide powerful features for developers, they also introduce new attack surfaces that security professionals must understand.
One of the most critical vulnerabilities discovered in recent years is React2Shell, tracked as CVE-2025-55182. This vulnerability affects React Server Components (RSC) and allows attackers to achieve remote code execution (RCE) on affected servers.
In this post, I will walk through how I identified and exploited this vulnerability during a security assessment.
Understanding React Server Components
React Server Components allow parts of a React application to be rendered directly on the server instead of the client. This improves performance and enables better data handling.
React uses a protocol called React Flight to serialize component data between the server and the browser.
However, the vulnerability arises because the server deserializes data received from HTTP requests without sufficiently validating the structure. Under certain conditions, specially crafted payloads can manipulate the deserialization process and lead to arbitrary code execution
What is CVE-2025-55182 (React2Shell)
CVE-2025-55182 is a critical unauthenticated remote code execution vulnerability in React Server Components. The issue exists due to unsafe deserialization of data within the React Flight protocol.
An attacker can send a malicious HTTP request that manipulates the serialized component payload. When the server processes this payload, arbitrary JavaScript code can be executed.
Because React applications often run on Node.js servers, this can ultimately lead to operating system command execution.
The vulnerability has been assigned a CVSS score of 10.0, the maximum severity rating
Identifying React Server Components
While testing the application, I first verified that React Server Components were being used. The server response contained serialized React component data such as:
"$Sreact.fragment"
This indicator confirms that the application is returning React Flight responses, meaning that the server processes serialized component data.
Crafting a Malicious React Payload
Once the presence of React Server Components was confirmed, the next step was to craft a malicious HTTP request targeting the server’s component deserialization process.
The request sends a specially crafted multipart payload that abuses the React serialization mechanism and invokes the Node.js runtime.
Example HTTP request:
The injected payload executes the following Node.js code:
process.mainModule.require('child_process').execSync('id')
This command forces the server to execute the operating system id command.
Verifying Command Execution
When the malicious payload is successfully processed, the server executes the injected command and returns the output encoded in Base64 within the response header.
An example response header is shown below:.
X-Action-Redirect: /login?a=dWlkPTEwMSBnaWQ9MChyb290KSBncm91cHM9MChyb290KSwxMDEK;push
Decoding the Base64 value reveals the output of the executed command:
uid=101 gid=0(root) groups=0(root),101
This confirms that the injected command was successfully executed on the server. The figure below illustrates the full HTTP request and response demonstrating successful remote command execution.
Accessing Sensitive Files
To further demonstrate the impact, the payload was modified to retrieve the contents of sensitive system files. The following command was executed:
cat /etc/passwd
The server returned the contents of the file, confirming that arbitrary file access is possible through the vulnerability.
Impact
Successful exploitation allows attackers to:
- Execute arbitrary commands on the server
- Access sensitive files
- Modify application data
- Install malware or backdoors
- ivot to internal infrastructure
Because this vulnerability requires no authentication, it represents a severe risk to exposed React Server Component applications.
Mitigation
Developers should immediately take the following actions:
- Upgrade React
Upgrade React and related packages to patched versions:
React 19.0.1
React 19.1.2
React 19.2.1
- Restrict RSC Endpoints
Ensure that React Server Component endpoints are not directly accessible from external clients.
- Validate Incoming Requests
Reject malformed React Flight payloads and enforce strict schema validation.
- Monitor for Exploitation
Monitor logs for suspicious multipart requests or unusual React Flight payload structures.
Final Thoughts
React2Shell highlights an important lesson: modern frameworks introduce new attack surfaces that traditional security testing may miss.
With the increasing adoption of server-side rendering frameworks, understanding the internals of protocols such as React Flight is becoming essential for security professionals.
If your organization runs React Server Components, patching this vulnerability should be treated as an immediate priority.