React2Shell (CVE-2025-55182) is a critical remote code execution (RCE) vulnerability found in the React Server Components (RSC) Flight protocol, impacting the React 19 ecosystem and frameworks that rely on it, such as Next.js. The potential for widespread exploitation and critical system compromise places it in the same category as Log4Shell, making it one of the most serious security threats in the React ecosystem.
Following this, two additional vulnerabilities were recently disclosed: a high-severity Denial of Service (CVE-2025-55184) and a medium-severity Source Code Exposure (CVE-2025-55183). These further highlight the ongoing security challenges in the React ecosystem, underscoring the need for immediate remediation and vigilance.
React uses the Flight protocol to serialize and manage data as it moves between the client and server. In this system, the data is broken into chunks, each of which may reference other chunks. These interdependent references are central to the protocol, as they allow complex data structures to be shared efficiently between the client and server. However, the process of resolving these references is not as straightforward as it seems, and this is where the vulnerability comes into play.
The problem occurs when React resolves these references. The system does not always validate whether a reference points to a valid or safe object. By manipulating the reference resolution process, an attacker can gain access to sensitive internal objects. One such object is JavaScript's Function constructor, which can be used to execute arbitrary code.
But the exploit doesn’t end there. The Flight protocol does not just pass chunks of data; it also treats them like promises. This means that when a chunk is resolved, it behaves like a promise being awaited, triggering the chunk’s .then() method. Here’s where things get particularly dangerous: an attacker can overwrite the .then() method of a chunk, making it point directly to the Function constructor. In essence, they replace the standard promise-handling logic with a call to Function.
Now, imagine this: when React processes the chunk and attempts to resolve it (effectively waiting on the promise), it doesn’t run the normal logic. Instead, it triggers the attacker’s code. The system ends up running whatever JavaScript the attacker has provided, leading to remote code execution.
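As an added example (not React's or Next.js's code), the toy resolver below shows the two checks the description above calls for: a reference may only land on registered, plain data, never on a function, and protocol data must never supply a chunk's `then`. The `$<id>.<key>` reference syntax, the registry and the sample chunks are constructed for illustration and do not mirror the real Flight wire format.

```javascript
// Added example, not React's or Next.js's code: a toy chunk registry whose
// reference resolver validates where a reference may land. The "$<id>.<key>"
// reference syntax and the sample chunks below are constructed for illustration.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Plain data only: primitives, null, and objects/arrays with a stock prototype.
function isPlainData(v) {
  if (v === null || typeof v !== "object") return typeof v !== "function";
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === Array.prototype || proto === null;
}

function resolveReference(registry, ref) {
  if (typeof ref !== "string" || !/^\$\d+(\.\w+)*$/.test(ref)) {
    throw new TypeError(`malformed reference: ${ref}`);
  }
  const [id, ...path] = ref.slice(1).split(".");
  if (!registry.has(Number(id))) throw new RangeError(`unknown chunk ${id}`);
  let value = registry.get(Number(id));
  for (const key of path) {
    // Walk only own keys of plain objects; never hop onto a prototype chain.
    const walkable = value !== null && typeof value === "object" && isPlainData(value);
    if (BLOCKED_KEYS.has(key) || !walkable || !hasOwn(value, key)) {
      throw new TypeError(`reference ${ref} leaves plain data at "${key}"`);
    }
    value = value[key];
  }
  if (!isPlainData(value)) throw new TypeError(`${ref} resolves to a non-data value`);
  // An object carrying its own `then` would be invoked when the chunk is
  // awaited, so protocol data is never allowed to supply promise handling.
  if (value !== null && typeof value === "object" && hasOwn(value, "then")) {
    throw new TypeError(`${ref} resolves to a thenable`);
  }
  return value;
}

// Demonstrates the pitfall from the text: `await` on any object with an own
// `then` calls that function instead of the normal promise logic.
async function awaitRunsOwnThen() {
  let called = false;
  const hijacked = { then(resolve) { called = true; resolve("from then"); } };
  const result = await hijacked;
  return { called, result };
}

// Constructed sample chunks standing in for a Flight-like payload.
const registry = new Map([
  [0, { user: { name: "alice", roles: ["admin"] } }],
  [1, { then() {} }], // a chunk whose data tries to supply its own then()
]);
```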
For a more detailed explanation, I highly recommend checking out this YouTube video and this PoC writeup.
In order to fix the disclosed vulnerabilities, please refer to React's blog posts for CVE-2025-55182 and CVE-2025-55184 / CVE-2025-55183, as well as Next.js' security advisory for CVE-2025-66478 and CVE-2025-55184 / CVE-2025-55183. The main steps to mitigate the issues are to upgrade the react and next packages to the latest patched version in their release line, rotate all secrets, and redeploy your application.
Since I’m using Next.js with the app router, I was pretty certain I was affected, so I upgraded all the affected packages and rotated my application secrets. Wanting to be extra cautious, I decided to take things a step further and delete all resources in the production namespace. I then rebuilt the environment from my backups to make absolutely sure everything was secure.
The process took quite a bit of time, particularly since I had to figure out how to restore a new database from a backup. It was a solid learning experience, and I’m happy I took the time to make sure everything was set up properly and secure.