Threat Signal Report

React2Shell Remote Code Execution (RCE) Vulnerability

What is the Vulnerability?

React2Shell is a critical unauthenticated RCE vulnerability impacting React Server Components (RSC) and frameworks that implement the Flight protocol, including affected versions of Next.js. A remote attacker can send a specially crafted RSC request that triggers server-side deserialization and arbitrary code execution with no user interaction required.

Exploitation enables full server takeover, installation of backdoors, credential harvesting, and lateral movement. Given the widespread adoption of React/Next.js in production environments, organizations should patch immediately, enforce WAF restrictions on RSC endpoints, and conduct proactive hunts for suspicious Node.js process spawning, abnormal RSC requests, or unexpected outbound connections.

Some publicly circulating proofs-of-concept (PoCs) appear incomplete or misleading, and should be treated cautiously until validated.

CISA has added CVE-2025-55182 to the Known Exploited Vulnerabilities (KEV) catalog following evidence of active exploitation on 5 December 2025.

AWS Security has identified exploitation activity originating from IP addresses and infrastructure historically associated with known China state-nexus threat actors. China-nexus cyber threat groups rapidly exploit React2Shell vulnerability (CVE-2025-55182) | AWS Security Blog

What is the recommended Mitigation?

React Server-Side Flight Libraries:
react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack (specific vulnerable versions are outlined in the vendor advisories).
Frameworks Implementing RSC/Flight:
Frameworks such as Next.js (notably certain versions within the 15–16 range) and other ecosystem frameworks that embed React Server Components (RSC) or Flight functionality.
Organizations should review the vendor advisories for complete version details, mitigation steps, and updated guidance.

What FortiGuard Coverage is available?

FortiGuard Web Application Security, delivered through the FortiWeb (Web Application Firewall (WAF) & API Protection), protects web applications by detecting and blocking exploit attempts targeting vulnerable web servers and application components.
https://www.fortiguard.com/encyclopedia/fwb/1090502460
https://www.fortiguard.com/encyclopedia/fwb/1090502462
FortiAnalyzer, FortiSIEM, and FortiSOAR integrate known Indicators of Compromise (IoCs) via the IoC Service, enabling advanced threat hunting, automated correlation, and rapid incident response. FortiGuard Labs continuously monitors for newly emerging IoCs, ensuring proactive protection against evolving threat activity.
Lacework FortiCNAPP Cloud Team is actively assessing the impact of the React2Shell vulnerabilities across cloud workloads and has published a supporting Knowledge Base (KB) article as part of their ongoing response. How does Lacework FortiCNAPP Protect from... - Fortinet Community
Lacework FortiCNAPP automatically identifies vulnerable packages within customer environments through its Vulnerability Management and Code Security components.
Organizations that suspect potential compromise are encouraged to contact the FortiGuard Incident Response team for rapid investigation and remediation support.

Outbreak Alert

React2Shell is a critical unauthenticated remote code execution (RCE) vulnerability affecting React Server Components (RSC) and frameworks that implement the Flight protocol, including specific vulnerable versions of Next.js. A remote attacker can craft a malicious RSC request that triggers server-side deserialization, leading to arbitrary code execution without authentication or user interaction.

View the full Outbreak Alert Report