React2Shell (CVE-2025-55182): How to Protect Your Next.js App from Critical RCE
February 17, 2026
## A CVSS 10.0 Vulnerability Threatening 2.15M+ Sites
On December 3, 2025, the most severe security vulnerability in React's history was publicly disclosed. Dubbed **React2Shell (CVE-2025-55182)**, this flaw received the maximum CVSS score of 10.0 and enables **unauthenticated remote code execution (RCE)** through an unsafe deserialization bug in the React Server Components Flight protocol. Within hours, nation-state threat actors began active exploitation. Cloudflare observed **582.10 million attack attempts** in just eight days following disclosure.
Every Next.js application using the App Router is in the blast radius, and default configurations are exploitable without any developer code changes — drawing immediate comparisons to Log4Shell.
## Understanding the Attack Surface: React's Flight Protocol
React Server Components (RSC) introduced a fundamentally new architecture where components render on the server and stream results to the client. The **Flight protocol** handles the serialization and deserialization of data exchanged between server and client. It is precisely this deserialization layer where the critical flaw resides.
The root cause is that React's Flight protocol **did not perform proper type checking** on incoming serialized data. An attacker can exploit this by chaining internal gadgets to create a Promise-like object with an attacker-controlled `.then` property. During deserialization, these Promise-like objects are automatically resolved, triggering arbitrary JavaScript execution on the server.
In practical terms, an unauthenticated remote attacker can send a **single crafted HTTP request** to any Server Function endpoint. When deserialized by React, the payload loads Node.js's `child_process` module and executes arbitrary system commands. Testing showed **near-100% exploit reliability** against default configurations — no special setup or developer mistakes required.
## Affected Versions and Scope
The reach of React2Shell extends across the entire RSC ecosystem.
**React packages:**
- `react-server-dom-webpack`: 19.0.0
- `react-server-dom-parcel`: 19.0.0, 19.1.0–19.1.1, 19.2.0
- `react-server-dom-turbopack`: affected 19.x versions
**Next.js:**
- 15.0.0 through 15.5.6
- 16.0.0 through 16.0.6
- 14.3.0-canary.77 and later canary releases
**Other frameworks:** Vite RSC plugin, Parcel RSC plugin, React Router RSC preview, RedwoodSDK, and Waku are all affected.
Critically, projects scaffolded with `create-next-app` using recommended defaults ship with App Router enabled, meaning they are **vulnerable out of the box** without any additional configuration.
## Active Exploitation: Nation-State Threat Actors Move Fast
The severity of React2Shell became painfully clear in the hours following disclosure. According to the [AWS Security Blog](https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/), China-nexus threat groups **Earth Lamia** and **Jackpot Panda** began exploitation within hours of the public announcement.
By December 12, [Google's Threat Intelligence Group (GTIG)](https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182) had identified multiple additional China-nexus threat clusters. **UNC6595** deployed the ANGRYREBEL.LINUX malware. **UNC6600** delivered the MINOCAT tunneler. **UNC6603** deployed an updated version of the HISONIC backdoor — a Go-based implant that uses legitimate cloud services like Cloudflare Pages and GitLab to retrieve encrypted configurations.
[Cloudflare's threat brief](https://blog.cloudflare.com/react2shell-rsc-vulnerabilities-exploitation-threat-brief/) provides staggering scale metrics. Across December 3–11, they recorded **582.10 million hits**, averaging **3.49 million requests per hour** with a peak of **12.72 million in a single hour**. An average of 3,598 unique IPs and up to 6,387 unique User-Agents per hour were observed, indicating attackers used diverse tooling including Nuclei scanners, custom React2ShellScanner variants, Burp Suite, and python-requests libraries.
Targets included a national authority responsible for uranium and nuclear fuel trade, government websites, academic institutions, and SSL VPN appliances. Attack traffic concentrated on the Asia-Pacific region, specifically targeting AWS and Alibaba Cloud instances. Notably, attackers **excluded Chinese IP space** from their scanning, suggesting deliberate operational targeting parameters.
## Patching Guide: Version-by-Version Upgrade Instructions
The only definitive remediation is **immediate patching**. Here are the exact commands for each scenario.
### Next.js Applications
```bash
# Next.js 15.x users (upgrade to nearest patched minor)
npm install next@15.5.7 react@latest react-dom@latest
# Next.js 16.x users
npm install next@16.0.7 react@latest react-dom@latest
# Next.js 14.x canary users — downgrade to stable
npm install next@14.2.35
# TypeScript users must also update types
npm install @types/react@latest @types/react-dom@latest
```
Patched Next.js versions include: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7.
### Direct React Package Usage
```bash
# react-server-dom-webpack
npm install react-server-dom-webpack@19.0.1
# react-server-dom-parcel (use version matching your React minor)
npm install react-server-dom-parcel@19.2.1
```
Patched React versions: 19.0.1, 19.1.2, and 19.2.1.
### Don't Forget the Follow-Up CVEs
After CVE-2025-55182 was patched, three additional vulnerabilities were discovered in the RSC protocol: **CVE-2025-55183** (server function source code exposure), **CVE-2025-55184** (DoS via cyclic Promise references), and **CVE-2025-67779**. These require upgrading to React 19.0.3, 19.1.4, or 19.2.3. The [React security blog post from December 11](https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components) provides full details.
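To turn the version tables in this patching guide and the follow-up CVE thresholds into an automated check, here is an added example (not code from the article, React, or Next.js). The `assess` and `auditDependencies` functions, their result labels and the sample dependency map are assumptions for illustration; the version numbers are the ones listed above.

```javascript
// Added example, not from the article or the React/Next.js projects. Fixed versions
// are those the article lists; the dependency map at the bottom is constructed.

// Parse "16.0.6" or "14.3.0-canary.77" (an optional ^ ~ = v prefix is stripped).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim().replace(/^[\^~=v]/, ""));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Semver-style compare; a prerelease (canary) sorts below the matching release.
function compare(a, b) {
  for (const k of ["major", "minor", "patch"]) if (a[k] !== b[k]) return a[k] - b[k];
  if (a.pre === b.pre) return 0;
  if (!a.pre || !b.pre) return a.pre ? -1 : 1;
  return a.pre.localeCompare(b.pre, undefined, { numeric: true });
}

// Per major.minor line: [fix for CVE-2025-55182, fix that also covers the follow-up CVEs].
const FIXES = {
  next: { "15.0": ["15.0.5"], "15.1": ["15.1.9"], "15.2": ["15.2.6"], "15.3": ["15.3.6"],
          "15.4": ["15.4.8"], "15.5": ["15.5.7"], "16.0": ["16.0.7"] },
  rsc: { "19.0": ["19.0.1", "19.0.3"], "19.1": ["19.1.2", "19.1.4"], "19.2": ["19.2.1", "19.2.3"] },
};
const RSC_PKGS = ["react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"];
const FIRST_BAD_CANARY = parseVersion("14.3.0-canary.77");

// Returns "vulnerable", "follow-up-cves-unpatched", "patched", "not-affected" or "not-listed".
function assess(name, version) {
  const v = parseVersion(version);
  const table = name === "next" ? FIXES.next : RSC_PKGS.includes(name) ? FIXES.rsc : null;
  if (!table) return "not-listed";
  if (name === "next" && v.major === 14) { // only canaries from 14.3.0-canary.77 on are affected
    return v.pre && compare(v, FIRST_BAD_CANARY) >= 0 ? "vulnerable" : "not-affected";
  }
  const fixes = table[`${v.major}.${v.minor}`];
  if (!fixes) return "not-listed"; // release line not covered by the article's tables
  if (compare(v, parseVersion(fixes[0])) < 0) return "vulnerable";
  if (fixes[1] && compare(v, parseVersion(fixes[1])) < 0) return "follow-up-cves-unpatched";
  return "patched";
}

// Audit a name -> version map. Feed it resolved versions from your lockfile, not ranges.
function auditDependencies(deps) {
  return Object.fromEntries(Object.entries(deps).map(([n, ver]) => [n, assess(n, ver)]));
}

const sampleDeps = { next: "15.5.6", "react-server-dom-webpack": "19.2.1", "some-lib": "1.0.0" }; // constructed
console.log(auditDependencies(sampleDeps));
```

Note that a 19.2.1 RSC package is reported as still needing the follow-up CVE fixes, which is the distinction the December 11 advisory draws.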
## Detection and Defense: A Layered Approach
While patching is the top priority, organizations that cannot immediately upgrade need layered defenses.
### WAF Rules from Major Cloud Providers
All major providers have deployed managed WAF rules:
- **AWS WAF**: `AWSManagedRulesKnownBadInputsRuleSet` version 1.24+ provides automatic protection
- **Google Cloud Armor**: Dedicated detection and blocking rules for CVE-2025-55182
- **Cloudflare**: Six protective rules across free and paid tiers, all defaulting to Block action
- **[Vercel](https://vercel.com/changelog/cve-2025-55182)**: Automatic WAF protection for hosted projects — but explicitly warns "do not rely on the WAF for full protection"
### Monitoring for Exploitation Attempts
Watch your logs for these indicators:
**Suspicious User-Agent strings:**
- `Nuclei - CVE-2025-55182`
- `React2ShellScanner/1.0.0`
**Request headers indicating targeting:**
- POST requests carrying a `next-action` or `rsc-action-id` header
**Payload patterns characteristic of the exploit:**
- `:constructor:constructor` (deserialization chain signature)
- `"status":"resolved_model"`
- `$@` serialization marker
- `"_prefix"`, `"_formData"` and other internal field references
A sudden spike in HTTP 403 responses indicates your WAF is actively blocking exploitation attempts.
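As an added illustration (not code from the article or from Cloudflare's brief), the following classifier scores structured request records against the indicators above and tallies 403s on flagged traffic. The record shape, the function names and the sample records are assumptions; a `next-action` header alone is treated as a weak signal because legitimate Server Action calls carry it too.

```javascript
// Added example, not from the article or Cloudflare's brief: classify structured
// request records against the indicators listed above. All records are constructed.

const SCANNER_UA = [/Nuclei - CVE-2025-55182/i, /React2ShellScanner/i];
const ACTION_HEADERS = ["next-action", "rsc-action-id"];
const PAYLOAD_MARKERS = [
  ":constructor:constructor", '"status":"resolved_model"', "$@", '"_prefix"', '"_formData"',
];

// req = { method, path, status, headers (lower-case names), body }.
// Verdict order: exploit-attempt > recon > suspicious > benign.
function scoreRequest(req) {
  const hits = [];
  const ua = req.headers["user-agent"] || "";
  if (SCANNER_UA.some((re) => re.test(ua))) hits.push("scanner-user-agent");
  // Ordinary Server Action calls also carry these headers: a weak signal on its own.
  const isAction = req.method === "POST" && ACTION_HEADERS.some((h) => h in req.headers);
  if (isAction) hits.push("server-function-request");
  for (const m of PAYLOAD_MARKERS) if ((req.body || "").includes(m)) hits.push(`payload:${m}`);
  const payloadHits = hits.filter((h) => h.startsWith("payload:")).length;
  let verdict = "benign";
  if (isAction && payloadHits === 1) verdict = "suspicious";
  if (hits.includes("scanner-user-agent")) verdict = "recon";
  if (isAction && payloadHits >= 2) verdict = "exploit-attempt";
  return { verdict, hits };
}

// Roll up a batch of records; blocked403 approximates WAF blocks on flagged traffic.
function summarize(records) {
  const counts = { benign: 0, suspicious: 0, recon: 0, "exploit-attempt": 0, blocked403: 0 };
  for (const r of records) {
    const { verdict } = scoreRequest(r);
    counts[verdict] += 1;
    if (verdict !== "benign" && r.status === 403) counts.blocked403 += 1;
  }
  return counts;
}

const sampleLog = [ // constructed records, not captured traffic
  { method: "GET", path: "/", status: 200, headers: { "user-agent": "Mozilla/5.0" }, body: "" },
  { method: "POST", path: "/", status: 200, body: '["hello"]', // normal Server Action call
    headers: { "user-agent": "Mozilla/5.0", "next-action": "7f3a" } },
  { method: "GET", path: "/", status: 200, headers: { "user-agent": "Nuclei - CVE-2025-55182" }, body: "" },
  { method: "POST", path: "/", status: 403, // marker strings only, not a payload
    headers: { "user-agent": "React2ShellScanner/1.0.0", "rsc-action-id": "x" },
    body: 'CONSTRUCTED :constructor:constructor "status":"resolved_model" "_formData"' },
];
console.log(summarize(sampleLog));
```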
### Vulnerability Scanning
The open-source **react2shell-scanner** from Assetnote can verify whether your applications are vulnerable. It sends a crafted multipart POST request that triggers a specific error condition — vulnerable hosts return a 500 status code with `E{"digest"` in the response body.
### Temporary Mitigation
If immediate patching is impossible, applications that make little use of App Router functionality can **migrate to the Pages Router** as a temporary measure. Additionally, search your codebase for the `'use server'` directive to identify every Server Function endpoint, and restrict access to those endpoints at the network level.
## Long-Term RSC Security Practices
React2Shell has fundamentally changed how the industry thinks about RSC security. The [React team's official security advisory](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components) and the [Next.js security guide](https://nextjs.org/blog/security-nextjs-server-components-actions) both emphasize treating Flight protocol endpoints as a critical attack surface.
Developers must verify that database packages and environment variables are not imported outside a Data Access Layer. Server Components run in a separate module system from Client Components specifically to prevent information leakage, but this isolation only works when developers respect the boundaries. Automated dependency update tools like Dependabot or Renovate should be configured to fast-track security patches, and all internet-facing RSC endpoints should be inventoried and monitored continuously.
## Act Now
React2Shell is among the most critical web ecosystem vulnerabilities since Log4Shell. If you're running Next.js 15.x or 16.x, **upgrade immediately** to the latest patched version. Deploy WAF rules but don't treat them as a substitute for patching. Verify that follow-up CVEs (55183, 55184, 67779) are also addressed. Inventory every internet-facing RSC endpoint in your infrastructure. As Cloudflare emphasized in their threat brief: "network-level protection is not a substitute for remediation at the source."
Sources:
- [AWS Security Blog: China-nexus threat groups exploit React2Shell](https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/)
- [Google Cloud Blog: Multiple Threat Actors Exploit React2Shell](https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182)
- [Cloudflare Threat Brief: React2Shell exploitation](https://blog.cloudflare.com/react2shell-rsc-vulnerabilities-exploitation-threat-brief/)
- [Wiz Blog: Critical Vulnerability in React](https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182)
- [React Official Advisory](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)
- [Vercel CVE-2025-55182 Summary](https://vercel.com/changelog/cve-2025-55182)
- [JFrog Detection & Mitigation Guide](https://jfrog.com/blog/2025-55182-and-2025-66478-react2shell-all-you-need-to-know/)
- [Averlon: React2Shell Explained](https://www.averlon.ai/blog/react2shell-cve-2025-55182-explained)