virus logo Threat Signal Report

React2Shell Remote Code Execution (RCE) Vulnerability

What is the Vulnerability?

React2Shell is a critical unauthenticated RCE vulnerability impacting React Server Components (RSC) and frameworks that implement the Flight protocol, including affected versions of Next.js. A remote attacker can send a specially crafted RSC request that triggers server-side deserialization and arbitrary code execution with no user interaction required.

Exploitation enables full server takeover, installation of backdoors, credential harvesting, and lateral movement. Given the widespread adoption of React/Next.js in production environments, organizations should patch immediately, enforce WAF restrictions on RSC endpoints, and conduct proactive hunts for suspicious Node.js process spawning, abnormal RSC requests, or unexpected outbound connections.

Some publicly circulating proofs-of-concept (PoCs) appear incomplete or misleading, and should be treated cautiously until validated.

CISA has added CVE-2025-55182 to the Known Exploited Vulnerabilities (KEV) catalog following evidence of active exploitation on 5 December 2025.

AWS Security has identified exploitation activity originating from IP addresses and infrastructure historically associated with known China state-nexus threat actors. China-nexus cyber threat groups rapidly exploit React2Shell vulnerability (CVE-2025-55182) | AWS Security Blog

What is the recommended Mitigation?

  • React Server-Side Flight Libraries:
    react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack (specific vulnerable versions are outlined in the vendor advisories).

  • Frameworks Implementing RSC/Flight:
    Frameworks such as Next.js (notably certain versions within the 15–16 range) and other ecosystem frameworks that embed React Server Components (RSC) or Flight functionality.

  • Organizations should review the vendor advisories for complete version details, mitigation steps, and updated guidance.

What FortiGuard Coverage is available?

  • FortiGuard Web Application Security, delivered through the FortiWeb (Web Application Firewall (WAF) & API Protection), protects web applications by detecting and blocking exploit attempts targeting vulnerable web servers and application components.
    https://www.fortiguard.com/encyclopedia/fwb/1090502460
    https://www.fortiguard.com/encyclopedia/fwb/1090502462

  • FortiAnalyzer, FortiSIEM, and FortiSOAR integrate known Indicators of Compromise (IoCs) via the IoC Service, enabling advanced threat hunting, automated correlation, and rapid incident response. FortiGuard Labs continuously monitors for newly emerging IoCs, ensuring proactive protection against evolving threat activity.

  • Lacework FortiCNAPP Cloud Team is actively assessing the impact of the React2Shell vulnerabilities across cloud workloads and has published a supporting Knowledge Base (KB) article as part of their ongoing response. How does Lacework FortiCNAPP Protect from... - Fortinet Community

  • Lacework FortiCNAPP automatically identifies vulnerable packages within customer environments through its Vulnerability Management and Code Security components.

  • Organizations that suspect potential compromise are encouraged to contact the FortiGuard Incident Response team for rapid investigation and remediation support.

description-logoOutbreak Alert

React2Shell is a critical unauthenticated remote code execution (RCE) vulnerability affecting React Server Components (RSC) and frameworks that implement the Flight protocol, including specific vulnerable versions of Next.js. A remote attacker can craft a malicious RSC request that triggers server-side deserialization, leading to arbitrary code execution without authentication or user interaction.

View the full Outbreak Alert Report

This report provides an overview of ongoing Iran-linked cyber operations, highlighting activity attributed to state-aligned proxies and hacktivist groups. The vulnerabilities listed are suspected to be exploited by actors associated with Iran in real-world campaigns, consistent with observed tactics, techniques, and procedures (TTPs). Iran-linked operations continue to rely on distributed, lower-complexity techniques, including phishing, DDoS, data exfiltration, and destructive attacks. Initial access is primarily achieved through exploitation of known, unpatched vulnerabilities and exposed edge infrastructure, reflecting a persistent and opportunistic threat posture targeting government, critical infrastructure, and enterprise environments.

View the full Outbreak Alert Report

Additional Resources

React Blog
Google Cloud Guidance
Next.js Advisory
FortiCNAPP Guidance KB
China-nexus cyber threat groups rapidly exploit React2Shell vulnerability (CVE-2025-55182) | AWS Security Blog


Released Date Dec 05, 2025
Tags React2Shell RCE Iran-linked Cyber Attacks Threat Signal Vulnerability
CVE ID

Experienced a Breach? We're here to help

FortiGuard Incident Response Services
FortiGuard Incident Response Services
Outbreak Alert Outbreak Alert
About FortiGuard Threat Signal

Learn More »