React2Shell: CVE-2025-55182 & CVE-2025-66478 Critical RCE Vulnerabilities in React and Next.js
React2Shell Ongoing Incident Coverage
Two critical vulnerabilities have been identified affecting React Server Components (CVE-2025-55182) and Next.js (CVE-2025-66478). Both are reachable in the default configuration of affected applications, so standard deployments are exposed without any unusual settings, which significantly widens the potential impact.
Security researcher Lachlan Davidson reported the vulnerability to Meta on November 29th, 2025. React and Next.js released patched versions on December 3rd.
A public proof of concept (POC) was confirmed on December 5th, 2025. It demonstrates how a standard server request can be manipulated into Remote Code Execution (RCE).
Blog Coverage
For a full technical breakdown, read here. The blog covers:
- A breakdown of how the React2Shell (CVE-2025-55182) vulnerability works, showing how React's Flight protocol and its deserialization logic can be exploited to achieve Remote Code Execution
- An analysis of the full exploit chain, from prototype traversal to function constructor hijacking, revealing how attacker-controlled data interacts with internal runtime state
- An overview of why runtime protection is essential for detecting exploitation of this type of vulnerability
For the day-one analysis, read here. The blog covers:
- What these vulnerabilities are (at a high level) and why the default RSC deployment model increases exposure
- Which products and components are implicated (React's server-side RSC packages and other frameworks)
- What to do immediately: patch guidance and WAF rules to deploy
Note: Research is ongoing and the blog will be updated with new findings.