Critical RSC vulnerability in React and Next.js exposes servers to remote code execution

On December 3, the React Foundation issued an urgent advisory about a critical vulnerability in React Server Components (RSC), catalogued as CVE‑2025‑55182 and assigned the maximum CVSS severity score of 10. The flaw was reported on November 29 by security researcher Lachlan Davidson and affects versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of three core packages: react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. When exploited, the bug, dubbed “React2Shell”, allows remote attackers to execute arbitrary commands on the server. An initially separate issue in Node.js (CVE‑2025‑66478) was later dismissed by NIST as merely a duplicate of the same underlying mechanism.

Wiz, the firm that investigated the vulnerability, highlighted two factors that drive its critical CVSS rating: the exploit works across all configurations and requires only a specially crafted HTTP request to trigger. The root cause is a logical deserialization error in how RSC processes incoming requests. An unauthenticated attacker can send a malicious HTTP payload to any Server Function endpoint; during React’s deserialization phase, this results in arbitrary JavaScript execution on the backend. The React Foundation has withheld further technical details pending broader patch distribution.

The impact extends to any library built on RSC, including Vite RSC, Parcel RSC, React Router RSC preview, RedwoodJS, and Waku, so developers must monitor for updates. Security firm Endor Labs warned that default framework configurations are instantly exploitable, underscoring the urgency of upgrading to the patched releases (19.0.1, 19.1.2, 19.2.1) for the three affected components. Until those patches can be deployed, applying Web Application Firewall (WAF) rules is strongly recommended.
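Since the advisory names exact affected and patched versions, the quickest defensive check is to audit a project's resolved dependency tree for the three packages. The script below is an added example, not code from the React Foundation, Wiz or Endor Labs; it reads the `packages` map of an npm `package-lock.json` (the sample lockfile is constructed) and, generalizing slightly from the listed versions, treats any release below the patched version of its 19.x line as affected.

```javascript
// Packages and versions are taken from the CVE-2025-55182 advisory text.
// The advisory lists "19.0"; npm resolves that line as 19.0.x.
const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);
const PATCHED_BY_LINE = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || "");
  return m ? m.slice(1, 4).map(Number) : null;
}

// True when `version` is on a 19.x line named in the advisory and is older
// than that line's patched release (covers 19.0.0, 19.1.0, 19.1.1, 19.2.0).
function isAffected(version) {
  const parsed = parseVersion(version);
  if (!parsed) return false;
  const [major, minor, patch] = parsed;
  const fixed = PATCHED_BY_LINE[`${major}.${minor}`];
  return fixed !== undefined && patch < parseVersion(fixed)[2];
}

// package-lock keys look like "node_modules/a/node_modules/b"; the package
// name is everything after the last "node_modules/".
function packageNameFromLockKey(key) {
  const idx = key.lastIndexOf("node_modules/");
  return idx === -1 ? null : key.slice(idx + "node_modules/".length);
}

// Returns one finding per affected install, nested copies included.
function auditLockfile(lockfile) {
  const findings = [];
  for (const [key, entry] of Object.entries(lockfile.packages || {})) {
    const name = packageNameFromLockKey(key);
    if (!name || !AFFECTED_PACKAGES.has(name) || !isAffected(entry.version)) continue;
    const line = entry.version.split(".").slice(0, 2).join(".");
    findings.push({ path: key, name, version: entry.version, upgradeTo: PATCHED_BY_LINE[line] });
  }
  return findings;
}

// Constructed sample lockfile (not from any real project).
const SAMPLE_LOCK = { packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/react": { version: "19.2.0" },
  "node_modules/react-server-dom-webpack": { version: "19.2.0" },
  "node_modules/some-tool/node_modules/react-server-dom-parcel": { version: "19.1.1" },
  "node_modules/react-server-dom-turbopack": { version: "19.2.1" },
} };

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}: ${f.name}@${f.version} affected by CVE-2025-55182, upgrade to ${f.upgradeTo}`);
}
```

Note that `react` itself at 19.2.0 is not flagged: the advisory scopes the flaw to the three react-server-dom packages, so the check reports only those.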

Major cloud providers have already responded. Cloudflare announced on December 3 that it updated its WAF to shield customers, while Google Cloud Armor, Amazon Web Services (AWS), and other companies issued similar temporary firewall mitigations. All parties stress that these defensive rules are interim measures and that promptly updating the vulnerable React packages remains the definitive solution.

by Paul

Comments

UserPower
0

So the worst thing that could happen to React wasn't the RAM price explosion after all...

Gu