Web development is always evolving, and sometimes those changes happen under the hood. One such change is React Server Components (RSC). If you are a NextJS or React developer, especially one using the App Router, understanding this new security alert is essential to keep your apps safe and secure.
What is “React 2 Shell”?
Think of your server as receiving data like a mailroom receiving packages.
Normally, a mailroom checks whether a package is safe before opening it. But in vulnerable versions of React and NextJS, the “Flight” protocol (used to communicate between server and client) acts like a mailroom that blindly opens each package and immediately executes any instructions inside.
This vulnerability (CVE-2025-55182) allows an attacker to send a specially crafted “package” (an HTTP request) that forces your server to execute malicious code, such as stealing passwords, installing malware, or even logging in.
Why is this happening now?
It comes down to how modern frameworks handle data serialization. Two factors were recently identified.
First, React uses complex serialization. To streamline server components, React sends complex data structures back and forth between server and client.
Second, it uses the “Flight” protocol. The vulnerability was found in how this protocol deserializes (unpacks) data: it trusted the input received from the client.
Should you be concerned about this change?
You need to pay attention if your app qualifies for any of the below:
You are using the NextJS App Router: this is the default in newer NextJS versions (v13+).
You are using React 19 with Server Components enabled.
You use Server Actions: your app takes user input and processes it on the server using React Server Actions.
Is it mandatory?
Yes. This is an important security update. If your app matches any of the scenarios above, you need to act immediately, because this vulnerability is being exploited right now.
How bad can it be? The impact of exploitation
You might be thinking, “My site is just a simple content wrapper, surely I’m not the target?” Unfortunately, with remote code execution (RCE), the attacker doesn’t just “break” your site – they own the server it runs on.
Here’s exactly what a hacker can do once they exploit this vulnerability:
Total theft of the environment
The most immediate danger is to your .env file: attackers can execute code that reads your environment variables, instantly gaining access to your AWS secret keys, database passwords, Stripe API keys, and OpenAI tokens.
“Shell” access
As the name “React2 Shell” implies, attackers can open a reverse shell. This gives them a command-line interface to your server, allowing them to browse your file system as if they were sitting in front of your computer.
Lateral movement
Once inside your NodeJS server, they are behind your firewall. Now they can attack your internal services (such as Redis, internal databases, or private microservices) that are normally blocked from the outside world.
Supply Chain Poison
If your build server is vulnerable, an attacker could potentially inject malicious code into your deployment pipeline, affecting every user who visits your site in the future.
Botnet recruitment
Hackers often automate these attacks by using the server’s CPU (which you pay for!) to install crypto-miners, to mine digital currency for them, often crashing your application in the process.
What code changes are required?
You don’t need to rewrite your application code, but you do need to update your dependencies to the patched release in your release line.
The vulnerability is fully resolved in the following critical NextJS releases:
15.0.5
15.1.9
15.2.6
15.3.6
15.4.8
15.5.7
16.0.7
Affected canary releases for NextJS 15 and 16:
These versions include a stricter implementation of React Server Components.
The affected versions of ReactJS are:
Frameworks and bundlers using the above packages should install the latest versions provided by their respective maintainers.
Alternatively, you can run npx fix-react2shell-next to launch an interactive tool in your NextJS project that checks your installed version and applies the deterministic version bump to the release recommended above. See the GitHub repository for complete details.
There is nothing else to do except upgrade to a patched version.
It is highly recommended to rotate all your application secrets once you have upgraded and redeployed your application.
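To check which side of the fix line an installation sits on, here is an added example (not code from the article, from Vercel, or from the fix-react2shell-next tool) that compares the installed next version against the patched releases listed above. It reads the version from node_modules/next/package.json, because the range in your own package.json does not tell you what is actually installed; the sample package.json text is constructed, and release lines the article does not list, as well as canary builds, are reported as unknown rather than guessed.

```javascript
// Added example, not code from the article or from the Next.js project.
// Checks an installed `next` version against the patched releases the article
// lists, one per release line. Versions outside those lines are reported as
// "unknown" rather than guessed.
const PATCHED_NEXT = {
  "15.0": "15.0.5",
  "15.1": "15.1.9",
  "15.2": "15.2.6",
  "15.3": "15.3.6",
  "15.4": "15.4.8",
  "15.5": "15.5.7",
  "16.0": "16.0.7",
};

// Accepts "15.1.8", "v15.1.8", "^15.1.8" or "15.1.9-canary.2" and returns [major, minor, patch].
function parseVersion(v) {
  const core = String(v).trim().replace(/^[v^~>=<\s]+/, "").split(/[-+]/)[0];
  const parts = core.split(".").map(Number);
  if (parts.length !== 3 || parts.some((n) => !Number.isInteger(n))) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Negative if a < b, zero if equal, positive if a > b (prerelease tags ignored).
function compareVersions(a, b) {
  const [ma, na, pa] = parseVersion(a);
  const [mb, nb, pb] = parseVersion(b);
  return ma - mb || na - nb || pa - pb;
}

function checkNextVersion(installed) {
  const [major, minor] = parseVersion(installed);
  const line = `${major}.${minor}`;
  const fixed = PATCHED_NEXT[line];
  if (!fixed) {
    return { installed, line, status: "unknown", note: "release line not in the article's table; check the advisory" };
  }
  // Canary builds have their own fixed versions, which the article does not list,
  // so a prerelease tag is reported as unknown instead of being compared numerically.
  if (/-/.test(installed)) {
    return { installed, line, status: "unknown", note: "canary/prerelease build; compare against the canary fix list" };
  }
  const status = compareVersions(installed, fixed) >= 0 ? "patched" : "vulnerable";
  return { installed, line, status, fixed };
}

// The version that actually runs is the one in node_modules/next/package.json,
// not the range in your own package.json. Pass that file's text here.
function installedNextVersion(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  if (pkg.name !== "next" || typeof pkg.version !== "string") {
    throw new Error("not a next package.json");
  }
  return pkg.version;
}

// Constructed sample of node_modules/next/package.json (trimmed to the two fields used).
const SAMPLE_NEXT_PACKAGE_JSON = '{"name":"next","version":"15.1.8"}';

console.log(checkNextVersion(installedNextVersion(SAMPLE_NEXT_PACKAGE_JSON)));
// -> { installed: '15.1.8', line: '15.1', status: 'vulnerable', fixed: '15.1.9' }
```

Run it against a real project by passing the contents of node_modules/next/package.json to installedNextVersion; a lockfile entry for next works the same way. Do this on the build that is actually deployed, since a container built before the dependency bump will still carry the old version.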
Advanced: verify with the original exploit (PoC)
If you want to be 100% sure that your patch is working, or if you want to understand how the attack actually works, you can use the original proof of concept (PoC) created by the security researcher (Lachlan Davidson) who found the bug.
Repository: React2shell-CVE-2025-55182-original-POC
Lachlan provided three variations of the exploit script. The most important one for testing is 01-submitted-poc.js, which is the exact, simplified version submitted to Meta’s bug bounty program.
How Exploitation Works
According to the repository, the attack works by tricking the parser:
An attacker sends a payload that uses $@x to reference a specific data chunk.
That “plants” a .then on a fake object, so the JavaScript runtime thinks it is handling a promise and tries to “unwrap” it.
This allows the attacker to re-enter the parser with a maliciously forged chunk, giving them access to internal server gadgets (e.g. _response) and ultimately code execution (RCE).
Steps to reproduce the problem
⚠ WARNING: Only run it against a local development server (localhost) that you own. Never run it against production servers or public websites.
Note: I’ve forked Lachlan’s repo and made minor changes to make it easier for you to run the script.
Step 1: Clone the repository
Run the following commands to clone the repository, navigate to the project, and install the dependencies:
git clone
cd React2Shell-CVE-2025-55182-original-poc
npm i
Step 2: Run a vulnerable local server
Start your NextJS application locally (make sure it’s running a vulnerable version, for example NextJS 15.0.0, for the test to succeed).
npm run dev
Step 3: Execute the test
You will need to edit the script, or use a similar tool such as curl, to send the payload structure found in 01-submitted-poc.js to your server’s endpoint (usually the Server Action endpoint). Or just run the following command if your app is reachable at http://localhost:3000:
node 01-submitted-poc.js
If the exploit succeeds (on a vulnerable version), the console will log the code execution (RCE). If the exploit fails (after your patch), the server will either safely reject the request or return an error.

You can also verify whether your affected web server prints 50 in the console, because the injected code performs a calculation (see the _prefix field in the JSON below) that results in 50.


After applying the fix, you should see an error when running the script. In my case, as I’m using NextJS v15.1, the fix is upgrading the next package to version 15.1.9. Here are the screenshots after upgrading the package and running the script.


Step 4: Validation
Once you’ve confirmed the exploit works on an older version, update your packages (as shown in the section above) and run the script again. This should no longer trigger code execution.
Emergency response: What if you’ve already been compromised?
If you suspect that your server was exposed to the Internet while running a vulnerable version, assume the worst. A hacker may have stolen your keys or left a “backdoor” to return to later. Patching the code alone is not enough in this case.
Follow this protocol immediately:
Step 1: Isolation and Shutdown
Take the compromised server offline immediately. Don’t try to “fix” it as you go.
Step 2: Rotate all the secrets (the main step)
Assume every secret in your .env file is in the hands of the hacker. You must create new ones:
Change passwords for your database users.
Rotate AWS access keys, Google Cloud Service account keys, etc.
Roll your Stripe/PayPal/RazorPay API keys.
Rotate your NEXTAUTH_SECRET and any JWT signing keys.
Step 3: Don’t “Clean” – Rebuild
Do not try to find and delete malware files on the server. Hackers are good at hiding.
Terminate the existing container, droplet, or EC2 instance completely.
Create a fresh instance from your source code (after applying the patch).
Step 4: Audit your logs
View your database and cloud provider logs. Did someone download your entire user database? Has someone spun up expensive GPU instances on your AWS account? Check for unusual activity that occurred before you patched.
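The questions in this step (was the user database downloaded, were GPU instances spun up, was a backdoor credential created) can be asked of a cloud audit log mechanically. The following added example (not code from the article) scans a list of audit events in a simplified, CloudTrail-like shape for exactly those signals inside the window between the first exposure and the patched deployment: a stolen key used from an address that is not your deployment, a RunInstances call for a GPU family, a GetObject on a backup or dump, and IAM calls that create new credentials. The event shape, the field names, the instance-family and object-name patterns, and the sample events (documentation IP ranges, placeholder key IDs) are all constructed for the example.

```javascript
// Added example, not code from the article. Scans cloud audit events (a
// simplified, CloudTrail-like shape, constructed here) for the kinds of
// activity the article says to look for: credentials used from an unexpected
// network, GPU instances launched, database backups downloaded, and new
// credentials created as a backdoor. Field names and patterns are assumptions.
const GPU_INSTANCE_FAMILIES = /^(p\d|g\d)/; // p3/p4/g4/g5 style families carry GPUs
const PERSISTENCE_EVENTS = new Set([
  "CreateAccessKey", "CreateUser", "CreateLoginProfile",
  "PutUserPolicy", "AttachUserPolicy", "CreateRole",
]);
const BACKUP_OBJECT = /(backup|dump|\.sql)/i;

// Returns one finding per suspicious event inside [exposureStart, exposureEnd].
function auditEvents(events, { exposureStart, exposureEnd, knownSourceIps }) {
  const start = Date.parse(exposureStart);
  const end = Date.parse(exposureEnd);
  const findings = [];
  for (const ev of events) {
    const t = Date.parse(ev.eventTime);
    if (Number.isNaN(t) || t < start || t > end) continue;
    const params = ev.requestParameters || {};
    const reasons = [];
    if (!knownSourceIps.has(ev.sourceIPAddress)) {
      reasons.push(`call from unexpected source IP ${ev.sourceIPAddress}`);
    }
    if (ev.eventName === "RunInstances" && GPU_INSTANCE_FAMILIES.test(params.instanceType || "")) {
      reasons.push(`GPU instance launched (${params.instanceType} x${params.count ?? 1})`);
    }
    if (PERSISTENCE_EVENTS.has(ev.eventName)) {
      reasons.push("new credential or identity created (possible backdoor)");
    }
    if (ev.eventName === "GetObject" && BACKUP_OBJECT.test(params.key || "")) {
      reasons.push(`database backup read: s3://${params.bucketName}/${params.key}`);
    }
    if (reasons.length) {
      findings.push({
        eventTime: ev.eventTime,
        eventName: ev.eventName,
        accessKeyId: ev.accessKeyId,
        sourceIPAddress: ev.sourceIPAddress,
        reasons,
      });
    }
  }
  return findings;
}

// Groups findings by source IP so one attacker session stands out as a cluster.
function summarizeByIp(findings) {
  const counts = {};
  for (const f of findings) counts[f.sourceIPAddress] = (counts[f.sourceIPAddress] || 0) + 1;
  return counts;
}

// Constructed events: 10.0.1.15 is the app server's own address; 203.0.113.77
// (a documentation range) stands in for an attacker reusing the stolen key.
const SAMPLE_EVENTS = [
  { eventTime: "2025-12-03T09:12:00Z", eventSource: "s3.amazonaws.com", eventName: "GetObject",
    sourceIPAddress: "10.0.1.15", accessKeyId: "AKIA_APP_PLACEHOLDER",
    requestParameters: { bucketName: "app-assets", key: "logo.png" } },
  { eventTime: "2025-12-03T22:41:10Z", eventSource: "s3.amazonaws.com", eventName: "GetObject",
    sourceIPAddress: "203.0.113.77", accessKeyId: "AKIA_APP_PLACEHOLDER",
    requestParameters: { bucketName: "app-backups", key: "users-2025-12-01.sql.gz" } },
  { eventTime: "2025-12-03T22:44:02Z", eventSource: "ec2.amazonaws.com", eventName: "RunInstances",
    sourceIPAddress: "203.0.113.77", accessKeyId: "AKIA_APP_PLACEHOLDER",
    requestParameters: { instanceType: "p4d.24xlarge", count: 8 } },
  { eventTime: "2025-12-03T22:50:30Z", eventSource: "iam.amazonaws.com", eventName: "CreateAccessKey",
    sourceIPAddress: "203.0.113.77", accessKeyId: "AKIA_APP_PLACEHOLDER",
    requestParameters: { userName: "app-deploy" } },
  { eventTime: "2025-12-04T08:00:00Z", eventSource: "s3.amazonaws.com", eventName: "GetObject",
    sourceIPAddress: "10.0.1.15", accessKeyId: "AKIA_APP_PLACEHOLDER",
    requestParameters: { bucketName: "app-assets", key: "hero.jpg" } },
];

const FINDINGS = auditEvents(SAMPLE_EVENTS, {
  exposureStart: "2025-12-01T00:00:00Z",
  exposureEnd: "2025-12-04T00:00:00Z", // when the patched build went live
  knownSourceIps: new Set(["10.0.1.15"]),
});
console.log(FINDINGS, summarizeByIp(FINDINGS));
```

In the sample, the three findings all come from one address and arrive within ten minutes of each other, which is the pattern to look for: a backup read followed by a CreateAccessKey means the attacker both has the data and has a way back in after you rotate the original key, so the new key created by them must be deleted as part of the rotation, not just the one you knew about.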
Conclusion
In this article, you learned about the “React2 Shell” vulnerability, how to verify it using the original researcher’s tools, and how to upgrade your app to secure your server components. I hope you have a clear idea of why this update is urgent. By being proactive now, you can avoid a catastrophic data breach.
You can follow my Twitter/X account to receive top AI news daily. If you want to learn more about cybersecurity, subscribe to my email newsletter and follow me on social media.