Severity: Critical | Published: 2025-12-05 | CVSS 9.8 | CVE-2025-55182 (2025-12-03) | Tags: react, next.js, rce, server-components, web

React2Shell — Remote Code Execution in React Server Components

A critical vulnerability in React Server Components enables unauthenticated remote code execution. Active exploitation confirmed 3 days after disclosure — Next.js, Expo, and React Router applications are affected.

Context

The French CERT (CERT-FR) issued alert CERTFR-2025-ALE-014 for vulnerability CVE-2025-55182, dubbed React2Shell. It is a critical flaw enabling unauthenticated remote code execution (RCE) in React Server Components (RSC) and React Server Functions.

Applications may be vulnerable even without explicitly using RSC, if the underlying framework enables these functions by default.

Timeline

  • December 3, 2025 — Initial disclosure by the React team
  • December 5, 2025 — Public proof-of-concept (PoC) released
  • December 8, 2025 — Active exploitation confirmed
  • December 11, 2025 — Widespread exploitation observed; any server exposed after the PoC release should be considered potentially compromised
  • February 12, 2026 — CERT-FR alert closed (threat persists for unpatched systems)

Affected Products and Versions

React (server packages)

  • react-server-dom-webpack / parcel / turbopack
    • 19.0.x < 19.0.1
    • 19.1.x < 19.1.2
    • 19.2.x < 19.2.1

Next.js

  • 14.x (canary versions)
  • 15.0.x < 15.0.5
  • 15.1.x < 15.1.9
  • 15.2.x < 15.2.6
  • 15.3.x < 15.3.6
  • 15.4.x < 15.4.8
  • 15.5.x < 15.5.7
  • 16.0.x < 16.0.7

Other Affected Frameworks

  • Expo (unpatched versions)
  • React Router with RSC support
  • Redwood SDK < 1.0.0-alpha.0
  • Vitejs plugin-rsc
  • Waku (unpatched versions)

Attack Vector

The vulnerability lies in the serialization mechanism of Server Components and Server Functions. An attacker can send a specially crafted HTTP request to inject and execute arbitrary code server-side, without any authentication.

Exploitation is trivial: a single HTTP request is sufficient.

Impact

  • Arbitrary code execution on the server with application-level privileges
  • Access to environment variables, databases, API keys, and application secrets
  • PeerBlight backdoor identified in exploitation campaigns (persistent Linux backdoor)
  • Any server exposed after December 5, 2025 without the patch should be considered compromised

Indicators of Compromise

Analyses by Wiz and Huntress reference the PeerBlight backdoor — a persistent Linux implant deployed post-exploitation. Consult their technical reports for detailed IOCs.

Remediation

  1. Update immediately to the patched versions listed above (React, Next.js, Expo, etc.).
  2. Audit servers exposed between December 5, 2025 and the patch date — consider them potentially compromised.
  3. WAF rules provide partial protection but are not a substitute for patching.
  4. Rotate secrets (environment variables, API keys, tokens) accessible from affected servers.
  5. Search for the PeerBlight backdoor on exposed Linux systems.
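Step 1 is easy to get wrong in a monorepo or an application with nested dependencies, where a patched top-level package can sit beside an older nested copy of react-server-dom-webpack. As an added example (not code from the React team, Vercel, or CERT-FR), the following Node.js script audits a package-lock.json against the affected ranges listed in this bulletin. It assumes a lockfileVersion 2 or 3 lockfile (the "packages" map keyed by node_modules path), exact installed versions, and a simplified prerelease ordering in which any prerelease sorts below its release, so a 15.5.7-canary build is conservatively reported as affected; the sample lockfile at the bottom is constructed for demonstration.

```javascript
// Added example (not from the React team, Vercel, or CERT-FR): audit a
// package-lock.json against the affected version ranges in this bulletin.
// The version table below is transcribed from the bulletin; the sample
// lockfile at the bottom is constructed for demonstration.

// [minor series, first patched version] pairs, per the bulletin.
const REACT_SERVER_RANGES = [["19.0", "19.0.1"], ["19.1", "19.1.2"], ["19.2", "19.2.1"]];
const NEXT_RANGES = [
  ["15.0", "15.0.5"], ["15.1", "15.1.9"], ["15.2", "15.2.6"], ["15.3", "15.3.6"],
  ["15.4", "15.4.8"], ["15.5", "15.5.7"], ["16.0", "16.0.7"],
];
const AFFECTED = {
  "react-server-dom-webpack": REACT_SERVER_RANGES,
  "react-server-dom-parcel": REACT_SERVER_RANGES,
  "react-server-dom-turbopack": REACT_SERVER_RANGES,
  next: NEXT_RANGES,
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (an optional leading "v" is tolerated).
function parseVersion(str) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(str).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Semver-style ordering: numeric fields first; a prerelease sorts below the
// same release (so 15.5.7-canary.1 < 15.5.7). Two prereleases are compared as
// plain strings, which is enough for the "older than the fix?" question.
function compareVersions(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre === b.pre) return 0;
  if (a.pre === null) return 1;
  if (b.pre === null) return -1;
  return a.pre < b.pre ? -1 : 1;
}

// True when an exact installed version of `name` falls inside an affected range.
function isAffected(name, version) {
  const ranges = AFFECTED[name];
  const v = parseVersion(version);
  if (!ranges || !v) return false;
  // The bulletin lists Next.js 14.x canary builds as affected (no fixed version given).
  if (name === "next" && v.major === 14 && v.pre !== null && v.pre.startsWith("canary")) return true;
  return ranges.some(([series, fixed]) =>
    `${v.major}.${v.minor}` === series && compareVersions(v, parseVersion(fixed)) < 0);
}

// Walk a lockfileVersion 2/3 "packages" map (keys are node_modules paths) and
// report every installed copy in an affected range, nested duplicates included.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop(); // "" for the root entry
    if (!name || !meta || !meta.version) continue;
    if (isAffected(name, meta.version)) findings.push({ name, version: meta.version, path });
  }
  return findings;
}

// Constructed sample lockfile: one vulnerable Next.js, one patched RSC package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/next": { version: "15.3.5" },
    "node_modules/react-server-dom-webpack": { version: "19.1.2" },
  },
};

// Usage: node audit-react2shell.js [path/to/package-lock.json]
// Without an argument the constructed sample lockfile is audited.
if (typeof require !== "undefined" && require.main === module) {
  const lockPath = process.argv[2];
  const lock = lockPath ? JSON.parse(require("fs").readFileSync(lockPath, "utf8")) : SAMPLE_LOCK;
  const findings = auditLockfile(lock);
  for (const f of findings) console.log(`AFFECTED ${f.name}@${f.version} (${f.path})`);
  console.log(findings.length ? `${findings.length} affected package(s)` : "no affected packages found");
  if (lockPath) process.exitCode = findings.length ? 1 : 0; // non-zero in CI when a real lockfile is affected
}
```

Run it against each deployable's lockfile rather than only the repository root, since the vulnerable copy may be the one a nested dependency pins. Frameworks listed under "Other Affected Frameworks" (Expo, Waku, React Router RSC builds) are not in the table because the bulletin gives no version boundaries for them; check those against their own advisories.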

References

  • CERTFR-2025-ALE-014 — CERT-FR Alert
  • React Security Blog (December 3, 2025)
  • Vercel / Next.js Changelog