Critical React Server Components flaw (React2shell) allows unauthenticated remote code execution; Next.js also affected

A maximum-severity security flaw in React Server Components could enable unauthenticated remote code execution, the React Team said. The vulnerability, tracked as CVE-2025-55182 and codenamed React2shell, has been given a CVSS score of 10.0.

Cloud security firm Wiz described the issue as a logical deserialization bug caused by unsafe processing of RSC payloads, adding that malformed or adversarial payloads can influence server-side execution via the React Flight protocol. An attacker can reportedly craft a single HTTP request to a Server Function endpoint whose body deserializes into JavaScript that executes on the server.

The flaw affects versions 19.0.0, 19.1.0, 19.1.1 and 19.2.0 of the npm packages react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack and is fixed in 19.0.1, 19.1.2 and 19.2.1 respectively. New Zealand researcher Lachlan Davidson is credited with reporting the bug to Meta on Nov. 29, 2025; React was originally created at Meta, which moved the project to the React Foundation in October 2025.
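The quickest defender-side check is to compare the react-server-dom-* versions actually installed (including copies nested under other packages) against the affected and fixed versions above. The following is an added example written for this article, not code from the React project or any of the firms quoted; it reads a package-lock.json-style `packages` map, classifies each matching package, and flags prerelease builds for manual review because the article's version list does not cover canary releases. The lockfile object is constructed sample data. Next.js itself is left out because the article does not list the exact patched 15.x releases.

```javascript
// Added example: classify installed react-server-dom-* packages against the
// affected/fixed versions reported for CVE-2025-55182. Not project code.

const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// Affected releases and the first fixed release on each 19.x minor line,
// as listed in the article.
const AFFECTED = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
const FIXED_BY_MINOR = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; returns null on anything else.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Compare the numeric core of two parsed versions (prerelease tags ignored).
function compareCore(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Returns one of: not-rsc, unparseable, prerelease-review, vulnerable, patched, not-listed.
function assess(pkgName, version) {
  if (!RSC_PACKAGES.has(pkgName)) return "not-rsc";
  const sv = parseSemver(version);
  if (!sv) return "unparseable";
  // Canary/prerelease builds are outside the article's list: review by hand.
  if (sv.pre) return "prerelease-review";
  const core = `${sv.major}.${sv.minor}.${sv.patch}`;
  if (AFFECTED.has(core)) return "vulnerable";
  const fixed = FIXED_BY_MINOR[`${sv.major}.${sv.minor}`];
  if (fixed) return compareCore(sv, parseSemver(fixed)) >= 0 ? "patched" : "vulnerable";
  // Other major/minor lines are not covered by the article's version list.
  return "not-listed";
}

// Scan a package-lock.json v2/v3 "packages" map (path -> {version, ...}).
// Nested copies such as node_modules/next/node_modules/<pkg> are included.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!RSC_PACKAGES.has(name)) continue;
    findings.push({ name, path, version: meta.version, status: assess(name, meta.version) });
  }
  return findings;
}

// Constructed sample lockfile for demonstration (not real project data).
const SAMPLE_LOCK = {
  packages: {
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.2.1" },
    "node_modules/react-server-dom-parcel": { version: "19.1.1" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  // Usage: node rsc-check.js  (or load a real lockfile with JSON.parse(fs.readFileSync(...)))
  console.table(scanLockfile(SAMPLE_LOCK));
}
```

On the sample data the scanner reports the top-level react-server-dom-webpack 19.2.0 and react-server-dom-parcel 19.1.1 as vulnerable and the nested react-server-dom-turbopack 19.2.1 as patched; treating any "prerelease-review" or "not-listed" result as unresolved rather than safe is the conservative choice.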

The vulnerability also affects the Next.js App Router, where it was assigned CVE-2025-66478. Vercel said affected versions are >=14.3.0-canary.77, >=15 and >=16, and the project's GitHub advisory lists patched releases including 16.0.7 and a range of 15.x fixes. Security firms including Endor Labs, Miggo Security and VulnCheck warned that other frameworks and libraries bundling RSC may also be affected.

Researchers warned that no special setup is required to exploit the flaw: it can be triggered without authentication over plain HTTP. Defenders were urged to deploy Web Application Firewall rules, monitor Server Function traffic for malformed requests and consider restricting network access to affected endpoints; Cloudflare said it deployed a safeguard for proxied traffic. Wiz reported that about 39% of cloud environments have instances vulnerable to one or both CVEs.

Palo Alto Networks Unit 42 senior manager Justin Moore said the flaw acts like a “master key exploit” by abusing trust in incoming data structures. Users were advised to apply the available fixes promptly.