React2Shell: In-the-Wild Exploitation Expected for Critical React Vulnerability

The cybersecurity industry is on high alert following the disclosure of a critical React vulnerability that can be exploited by a remote, unauthenticated attacker for remote code execution. 

React (React.js) is an open source JavaScript library designed for creating application user interfaces. Maintained by Meta and a large community of companies and individual developers from around the world, React is widely used: it reportedly powers millions of websites, it’s used by popular online services (Airbnb, Instagram, Netflix), and its core NPM package currently has 55 million weekly downloads.

A maximum severity vulnerability, dubbed ‘React2Shell’, in the React Server Components (RSC) ‘Flight’ protocol allows remote code execution without authentication in React and Next.js applications.

The security issue stems from insecure deserialization. It received a severity score of 10/10 and has been assigned the identifiers CVE-2025-55182 for React and CVE-2025-66478 (CVE rejected in the National Vulnerability Database) for Next.js.

Security researcher Lachlan Davidson discovered the flaw and reported it to React on November 29. He found that an attacker could achieve remote code execution (RCE) by sending a specially crafted HTTP request to React Server Function endpoints.

The attack relies on specially crafted HTTP requests sent to React Server Function endpoints, and developers have been told that even if their application does not implement any React Server Function endpoints, it could still be vulnerable if React Server Components (RSC) are supported.

At the time of writing there do not appear to be any reports of in-the-wild exploitation. However, less than 24 hours after disclosure, at least one proof-of-concept (PoC) exploit has been developed and the vulnerability has been added to scanners.

“Even if your app does not implement any React Server Function endpoints, it may still be vulnerable if your app supports React Server Components [RSC],” warns the security advisory from React.
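Because the advisory says RSC support alone is enough to be exposed, the first triage question is whether the RSC packages are in your dependency tree at all, and at what versions. The Node script below is an added example (not code from the article, from React or from Next.js): it walks a package-lock.json and compares each installed copy against a per-release-line map of fixed versions that you fill in from the advisory. The package list is an assumption about where the Flight server code lives, and the sample lockfile and fixed versions are constructed placeholders.

```javascript
// Added example, not from the article or from React/Next.js. Walks a package-lock.json
// (lockfile v2/v3 "packages" map), lists every installed copy of the packages assumed to
// implement the RSC Flight protocol on the server, and compares versions with a fixed map.
const RSC_PACKAGES = new Set([                  // assumption: where RSC server code lives
  "react-server-dom-webpack", "react-server-dom-parcel",
  "react-server-dom-turbopack", "next",
]);
// "19.2.0-canary.3" -> { nums: [19, 2, 0], pre: true }
function parseVersion(v) {
  const [core, pre] = v.split("-");
  return { nums: core.split(".").map(Number), pre: pre !== undefined };
}
// true/false if `installed` is in the same major.minor line as `fixed` and at/above its
// patch (a prerelease of the fixed patch does NOT count as fixed); null if another line.
function isAtLeast(installed, fixed) {
  const a = parseVersion(installed), b = parseVersion(fixed);
  if (a.nums[0] !== b.nums[0] || a.nums[1] !== b.nums[1]) return null;
  if (a.nums[2] !== b.nums[2]) return a.nums[2] > b.nums[2];
  return !a.pre;
}
// [{ name, path, version }] for each RSC package, including nested copies such as
// node_modules/next/node_modules/react-server-dom-webpack.
function inventoryRsc(lock) {
  const out = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (RSC_PACKAGES.has(name)) out.push({ name, path, version: info.version });
  }
  return out;
}
// fixed: { name: ["x.y.z", ...] }, one entry per release line. Status is "patched",
// "vulnerable", or "unknown" when the installed release line is not in the map.
function assess(inventory, fixed) {
  return inventory.map((e) => {
    const hits = (fixed[e.name] || []).map((f) => isAtLeast(e.version, f)).filter((r) => r !== null);
    return { ...e, status: hits.length === 0 ? "unknown" : hits[0] ? "patched" : "vulnerable" };
  });
}
// CONSTRUCTED sample lockfile and PLACEHOLDER fixed versions (replace with advisory data).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/next": { version: "15.0.3" },
  "node_modules/react": { version: "19.1.0" },
  "node_modules/react-server-dom-webpack": { version: "19.1.0" },
  "node_modules/next/node_modules/react-server-dom-webpack": { version: "19.2.1" },
} };
const PLACEHOLDER_FIXED = { "react-server-dom-webpack": ["19.0.9", "19.1.5", "19.2.1"] };
console.table(assess(inventoryRsc(SAMPLE_LOCK), PLACEHOLDER_FIXED));
```

Nested copies matter: a framework can vendor its own copy of the RSC package, so a top-level bump alone may leave a vulnerable copy behind.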
