Web Application Security090502460 - CVE-2025-55182.React.CVE-2025-66478.Next.js
Description
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
Outbreak Alert
React2Shell is a critical unauthenticated remote code execution (RCE) vulnerability affecting React Server Components (RSC) and frameworks that implement the Flight protocol, including specific vulnerable versions of Next.js. A remote attacker can craft a malicious RSC request that triggers server-side deserialization, leading to arbitrary code execution without authentication or user interaction.
Affected Products
React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0
Impact
System Compromise: Remote attackers can gain control of vulnerable systems.
Recommended Actions
Apply the most recent upgrade or patch from the vendor.
Version Updates
| Date | Version | Status | Detail |
|---|---|---|---|
| 2025-12-04 | 0.00415 |
New
|
| ID | 1090502460 |
| Created | Dec 02, 2025 |
| Updated | Dec 02, 2025 |
| CVE ID | |
| Tags | React2Shell RCE Threat Signal |
| Risk |
|
| Default Action | pass |
| Active | |
| Affected OS | All |
| Affected App | React Server and Node.js |
| Engine Version | 5.0.0 or later |