CVE-2025-55182 React Server Components Remote Code Execution Vulnerability Analysis
In this article, I walk through a proof of concept I built for React2Shell, tracked as CVE-2025-55182. This vulnerability enables pre-authentication remote code execution against React Server Components (RSC) and Next.js applications.
This is not a theoretical issue. It is a CVSS 10.0 vulnerability that allows arbitrary JavaScript execution on the server.
The full PoC is available here: 👉 https://github.com/kOaDT/poc-cve-2025-55182
This write-up explains how the vulnerability works, why it exists, and how the exploit chain leads from a crafted HTTP request to full server-side code execution.
What Is CVE-2025-55182 (React2Shell)?
CVE-2025-55182, also referred to as React2Shell, is an unsafe deserialization vulnerability in React Server Components’ Flight protocol.
It affects the following packages and versions:
- React Server Components 19.0.0 – 19.2.0
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Any framework embedding RSC is impacted. That includes Next.js applications using the App Router.
The vulnerability is exploitable without authentication and results in remote code execution on the Node.js server.
Why React Server Components Are a High-Value Target
React Server Components fundamentally change how React apps work:
- Components are serialized on the server
- Data is streamed to the client using the Flight protocol
- The server dynamically resolves module references during deserialization
That last point is critical.
Unlike traditional REST or JSON APIs, RSC deserializes executable references, not just data. If that deserialization logic is flawed, the attack surface becomes massive.
This vulnerability proves exactly that.
Root Cause: Unsafe Property Access in Flight Deserialization
At the heart of React2Shell is a dangerous assumption in the RSC deserializer.
During Flight payload processing, React resolves module exports using code patterns equivalent to:
```js
moduleExports[metadata[2]]
```
This uses bracket notation on attacker-controlled input.
In JavaScript, bracket notation does not stop at “own properties”. It traverses the entire prototype chain.
That means an attacker can reference properties like:
- __proto__
- constructor
- constructor.constructor
Once you reach constructor.constructor, you reach the global Function constructor.
At that point, arbitrary JavaScript execution becomes possible.
This is not a classic prototype pollution bug. It is worse: prototype traversal during deserialization of executable references.
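To make the root cause concrete, here is an added example (not code from the PoC or from React itself) that contrasts a plain bracket-notation export lookup with one restricted to own properties. `moduleExports`, `unsafeResolveExport`, `safeResolveExport` and `walk` are hypothetical names standing in for the deserializer's export table and resolution step.

```javascript
// Added example, not React's code: why bracket notation on untrusted
// metadata reaches the Function constructor, and how an own-property
// check stops it. Names are hypothetical.

// Stand-in for a loaded server module's export table.
const moduleExports = { default: () => "rendered", helper: () => 42 };

// Unsafe: ordinary property lookup. JavaScript walks the prototype chain,
// so "constructor" and "__proto__" resolve even though they are not exports.
function unsafeResolveExport(exports, name) {
  return exports[name];
}

// Hardened: only own string keys of the export table are resolvable;
// inherited names are rejected before anything is handed back.
function safeResolveExport(exports, name) {
  if (typeof name !== "string" || !Object.hasOwn(exports, name)) {
    throw new TypeError(`Unknown export "${name}"`);
  }
  return exports[name];
}

// Walk a dotted reference such as "constructor.constructor" with the given
// resolver. Returns the final value, or the error that stopped the walk.
function walk(resolver, path, root = moduleExports) {
  try {
    let cur = root;
    for (const part of path.split(".")) cur = resolver(cur, part);
    return { ok: true, value: cur };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Unsafe walk of "constructor.constructor" yields the global Function
// constructor; the hardened resolver throws at the first hop.
```

Run `walk(unsafeResolveExport, "constructor.constructor").value === Function` in a Node REPL to see the traversal, and the same call with `safeResolveExport` to see it rejected.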
Proof of Concept Overview
My PoC demonstrates a real-world impact: reading server-side environment variables.
Vulnerable Setup
I used a vulnerable Next.js version with React Server Components enabled and added a .env.local file:
```
SECRET_API_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
```
This simulates a common production scenario.
Exploitation via a Single HTTP Request
The exploit requires one POST request to /.
No cookies. No authentication. No user interaction.
The payload is sent as multipart/form-data, mimicking a legitimate RSC request.
At a high level, the payload:
- Injects a fake chunk object
- Pollutes the prototype chain
- Forces React to resolve constructor.constructor
- Executes a Node.js command using child_process.execSync
The executed command is:
```js
process.mainModule
  .require('child_process')
  .execSync('cat .env.local')
  .toString()
```
The output is exfiltrated by embedding it into a Next.js error digest.
Why This Exploit Is So Dangerous
This vulnerability enables:
- Arbitrary command execution
- Reading environment variables
- Accessing configuration files
- Reverse shells
- Full server compromise
Anything the Node.js process can do, the attacker can do.
Affected Attack Surface
Any application using:
- React Server Components
- Next.js App Router
- Streaming RSC responses
…is part of the attack surface.
This is especially dangerous because many developers are unaware that RSC introduces a binary-like protocol with deserialization logic similar to unsafe object parsers.
Mitigation and Remediation
If you are running an affected version:
- Upgrade React immediately
- Patch all RSC-related packages
- Monitor for unexpected POST requests to /
- Rotate secrets if exposure is suspected
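As an added example for the monitoring step (not part of the original post or the PoC), a small triage filter over access-log entries that surfaces the request shape described above: a multipart POST to / with no session cookie, weighted higher when the server answered with an error, since the PoC carries its output back through an error digest. The JSON-lines log format, its field names and the sample lines are all constructed assumptions.

```javascript
// Added example: triage access logs for the React2Shell request shape.
// Log format and field names (ip, method, path, ct, cookie, status) are assumed.

const SAMPLE_LOG = [ // constructed sample lines, RFC 5737 test addresses
  '{"ip":"203.0.113.5","method":"POST","path":"/","ct":"multipart/form-data; boundary=a","cookie":"","status":500}',
  '{"ip":"198.51.100.9","method":"GET","path":"/","ct":"","cookie":"","status":200}',
  '{"ip":"192.0.2.77","method":"POST","path":"/api/upload","ct":"multipart/form-data; boundary=b","cookie":"session=abc","status":200}',
  '{"ip":"203.0.113.5","method":"POST","path":"/","ct":"multipart/form-data; boundary=c","cookie":"","status":500}',
  'not json at all',
].join("\n");

// Parse one line; malformed lines are skipped rather than aborting the scan.
function parseLine(line) {
  try { return JSON.parse(line); } catch { return null; }
}

// Score one request. Only POSTs to "/" are of interest; multipart body and
// missing session mirror the pre-auth payload, a 5xx mirrors the error-digest
// exfiltration path. Weights are an assumption to tune per deployment.
function scoreRequest(r) {
  if (r.method !== "POST" || r.path !== "/") return 0;
  let score = 0;
  if ((r.ct || "").startsWith("multipart/form-data")) score += 2;
  if (!r.cookie) score += 1;
  if (r.status >= 500) score += 2;
  return score;
}

// Group findings at or above the threshold by source IP, highest score first.
function triage(logText, threshold = 3) {
  const byIp = new Map();
  for (const line of logText.split("\n")) {
    const r = parseLine(line);
    if (!r) continue;
    const s = scoreRequest(r);
    if (s < threshold) continue;
    const e = byIp.get(r.ip) || { ip: r.ip, hits: 0, maxScore: 0 };
    e.hits += 1;
    e.maxScore = Math.max(e.maxScore, s);
    byIp.set(r.ip, e);
  }
  return [...byIp.values()].sort((a, b) => b.maxScore - a.maxScore);
}
```

Legitimate server actions also POST multipart bodies to app routes, so treat hits as candidates for review against the patched-version status of the host rather than as confirmed exploitation.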
Refer to the official advisories for fixed versions:
- [React Security Advisory](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)
- [Facebook Security Advisory](https://www.facebook.com/security/advisories/cve-2025-55182)
Resources and Further Reading
- [CVE Details](https://www.cyberhub.blog/cves/CVE-2025-55182)
- [CISA Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182)
- [Related RSC RCE Research](https://github.com/Malayke/Next.js-RSC-RCE-Scanner-CVE-2025-66478)
Final Notes
This proof of concept is strictly for education and defensive security research. Do not test this vulnerability against systems you do not own or have explicit permission to audit.
React2Shell will likely be remembered as one of the most impactful vulnerabilities in modern frontend infrastructure.
And it probably won’t be the last.