PwnTrends · Security Write-up

React2Shell — Critical React & Next.js RCE Vulnerability Explained (CVE-2025-55182 / CVE-2025-66478)

PwnTrends Research
Dec 08, 2025 · 4 min read


Date: 2025-12-08
Tags: react2shell, cybersecurity, nextjs, rce, web-security
Summary: A plain-language explanation of the CVSS 10.0 critical vulnerability affecting server-side React.js and Next.js: how it works, how scanners detect it, and why it matters.


Overview: What Is React2Shell?

In late November 2025, a critical (CVSS 10.0) remote code execution (RCE) vulnerability was discovered in React Server Components (RSC).
The issue affects two components, each with its own CVE:

  • React.js (server-side usage): CVE-2025-55182

  • Next.js framework: CVE-2025-66478

The vulnerability was responsibly disclosed by Lachlan Davidson on 29 November 2025, and React + Vercel released patches on 3 December 2025.

This bug is extremely dangerous because:

✔ No authentication needed
✔ Works on default Next.js configurations
✔ Leads directly to Remote Code Execution
✔ Millions of applications use React Server Components

Because of the severity and simplicity of the attack, this exploit is now known as React2Shell.


Why This Vulnerability Is Critical

The issue lies in how React Server Components interpret the colon-separated reference notation (:) found in multipart form data sent to the server, which an attacker can manipulate.

When React processes values like:

"$1:a:b"

…it resolves the reference by walking object properties: field 1, then property a, then property b.

When a property in that chain does not exist, React crashes and exposes internal behaviour; in vulnerable versions that crash leads directly to exploitable conditions that result in RCE on the server.

This is why the CVSS score is 10.0 — Critical.


How the Vulnerability Actually Works (Simple Explanation)

React Server Components allow data to be referenced using the pattern:

$<formField>:<key>:<subkey>

So if the server receives:

["$1:a:b"]

React interprets this as:

“Look into field 1 → property a → property b”

For example:

Field 1: {"a": {"b": "foo"}}

The result would be "foo".

But here is the dangerous part:

If the attacker sends:

["$1:a:a"]

And the matching JSON is:

{}

React tries to access:

{}.a.a → undefined.a → crash → RCE path

Patched React now performs a simple safety check:

if property does not exist → ignore

Unpatched versions crash at this step instead, which is what makes them exploitable.
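To make the property-walk concrete, here is an added example (not React's own code) that models how a reference such as "$1:a:b" is resolved against multipart form fields. It contrasts a naive resolver, which throws a TypeError on the {}.a.a case from the write-up, with a hardened resolver that applies the patched behaviour described above ("if the property does not exist, ignore") and returns undefined instead. The function names (parseReference, resolveNaive, resolveSafe, compare), the sample form data and the own-property restriction in resolveSafe are assumptions made for this example; the write-up only describes the "does not exist, ignore" check.

```javascript
// Added example, not React's code. Models the "$<formField>:<key>:<subkey>"
// reference resolution described in the write-up with a naive and a hardened
// resolver. Names and sample data are constructed for this example.

// Parse "$<formField>:<key>:<subkey>..." into the field name and the key path.
function parseReference(ref) {
  if (typeof ref !== "string" || !ref.startsWith("$")) {
    throw new TypeError("not a reference: " + String(ref));
  }
  const [field, ...path] = ref.slice(1).split(":");
  return { field, path };
}

// Constructed sample form data: field "1" matches the write-up's example,
// field "2" is the empty object from the {}.a.a case.
const formData = new Map([
  ["1", JSON.stringify({ a: { b: "foo" } })],
  ["2", JSON.stringify({})],
]);

// Naive resolution: walks the path without checking that each step exists.
// "$2:a:a" becomes ({}).a.a, i.e. undefined.a, which throws a TypeError.
function resolveNaive(form, ref) {
  const { field, path } = parseReference(ref);
  let value = JSON.parse(form.get(field));
  for (const key of path) {
    value = value[key];
  }
  return value;
}

// Hardened resolution: every step must be an own property of a non-null
// object; otherwise the reference is ignored (undefined) instead of crashing.
// Requiring own properties (so inherited ones are never followed) is an extra
// defensive choice made in this example, beyond the check the write-up names.
function resolveSafe(form, ref) {
  const { field, path } = parseReference(ref);
  if (!form.has(field)) return undefined;
  let value = JSON.parse(form.get(field));
  for (const key of path) {
    if (value === null || typeof value !== "object" ||
        !Object.prototype.hasOwnProperty.call(value, key)) {
      return undefined;
    }
    value = value[key];
  }
  return value;
}

// Runs both resolvers on one reference and reports what each did, catching
// the naive resolver's exception so the contrast can be inspected safely.
function compare(form, ref) {
  let naive;
  try {
    naive = { ok: true, value: resolveNaive(form, ref) };
  } catch (err) {
    naive = { ok: false, error: err.constructor.name };
  }
  return { naive, safe: resolveSafe(form, ref) };
}

console.log(compare(formData, "$1:a:b")); // both resolvers return "foo"
console.log(compare(formData, "$2:a:a")); // naive: TypeError, safe: undefined
```

The hardened resolver never lets a missing or non-object step throw, so the request is simply treated as referencing nothing; that is the property the patched behaviour restores.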


High-Fidelity Detection (Safe Check)

Assetnote identified a safe, reliable HTTP request that confirms whether a Next.js application is vulnerable without exploiting it.

A vulnerable server responds with:

  • HTTP 500

  • Body containing:

    E{"digest":

Example response:

HTTP/1.1 500 Internal Server Error
Content-Type: text/x-component

0:{"a":"$@1","f":"","b":"yd-J8UfWl70zwtaAy83s7"}
1:E{"digest":"2971658870"}

👉 The key indicator is:

500 + `E{"digest"

This gives extremely high confidence without crashing the application or using malicious payloads.
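The following is an added example (not Assetnote's scanner code) showing how a captured response would be classified against the indicator above: HTTP 500 plus a body containing E{"digest". It parses a raw HTTP/1.1 response into status, headers and body and then applies both conditions, treating the text/x-component content type only as supporting evidence. The function names and the non-matching sample responses are constructed for this example; the matching sample reuses the response shown in the write-up.

```javascript
// Added example, not the scanner's own code. Applies the 500 + E{"digest"
// indicator from the write-up to raw HTTP responses. Names and the
// non-matching samples are constructed for this example.

const INDICATOR = /E\{"digest"/;

// Split a raw HTTP/1.1 response into status code, lower-cased headers and body.
function parseRawResponse(raw) {
  const text = raw.replace(/\r\n/g, "\n");
  const sep = text.indexOf("\n\n");
  const head = sep === -1 ? text : text.slice(0, sep);
  const body = sep === -1 ? "" : text.slice(sep + 2);
  const [statusLine, ...headerLines] = head.split("\n");
  const status = Number(statusLine.split(" ")[1]);
  const headers = {};
  for (const line of headerLines) {
    const i = line.indexOf(":");
    if (i > 0) {
      headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
    }
  }
  return { status, headers, body };
}

// The high-fidelity check requires BOTH a 500 status and the marker in the
// body; a bare 500 from an unrelated error must not count as a hit.
function classify(raw) {
  const { status, headers, body } = parseRawResponse(raw);
  const digestMarker = INDICATOR.test(body);
  return {
    vulnerable: status === 500 && digestMarker,
    status,
    digestMarker,
    flightContentType: (headers["content-type"] || "").includes("text/x-component"),
  };
}

// Sample 1: the response shape shown in the write-up.
const matchingResponse = [
  "HTTP/1.1 500 Internal Server Error",
  "Content-Type: text/x-component",
  "",
  '0:{"a":"$@1","f":"","b":"yd-J8UfWl70zwtaAy83s7"}',
  '1:E{"digest":"2971658870"}',
].join("\r\n");

// Sample 2 (constructed): a non-500 response without the marker.
const nonMatchingResponse = [
  "HTTP/1.1 200 OK",
  "Content-Type: text/html",
  "",
  "<html>ok</html>",
].join("\r\n");

// Sample 3 (constructed): an unrelated 500 error page without the marker,
// which must be reported as not matching despite the status code.
const unrelated500 = [
  "HTTP/1.1 500 Internal Server Error",
  "Content-Type: text/html",
  "",
  "<html>Internal Server Error</html>",
].join("\r\n");

for (const sample of [matchingResponse, nonMatchingResponse, unrelated500]) {
  console.log(classify(sample));
}
```

Keeping the status and the marker as separate fields in the result makes it easy to see why a response was or was not flagged when reviewing scan output.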


🛠️ Using the React2Shell Scanner

Assetnote released an official scanner:

🔗 https://github.com/assetnote/react2shell-scanner

Installation

python -m venv venv
source venv/bin/activate
pip install -r requirements.txt

Scan a single host

python3 scanner.py -u https://example.com

Scan multiple hosts

python3 scanner.py -l hosts.txt

Save results

python3 scanner.py -l hosts.txt -t 20 -o results.json

Custom headers

python3 scanner.py -u https://example.com -H "Authorization: Bearer token"

Safe-mode scan

python3 scanner.py -u https://example.com --safe-check

How Developers Should Fix the Issue

To stay safe:

✔ Update React to patched versions

The React team released fixed builds on 3 December 2025.

✔ Update Next.js to patched versions

Run:

npm install next@latest

✔ Rebuild and redeploy affected applications

✔ Scan your entire attack surface

Because this bug is trivial to detect and extremely easy to exploit, scanning externally-facing systems is essential.


Why This Matters to the Whole Community

React and Next.js power:

  • SaaS platforms

  • Banking dashboards

  • E-commerce sites

  • Internal admin panels

  • API backends

A single missed update could expose an entire organization to widespread compromise.

This vulnerability is not “theoretical”.
It is real, simple, and already being scanned for widely across the internet.


Final Thoughts — Stay Updated, Stay Safe

React2Shell is a powerful reminder that:

  • Even the most popular frameworks can have severe design-level issues

  • Server-side features introduce new attack surfaces

  • Safe coding practices matter

  • Quick patching saves organizations from massive breaches

The cybersecurity world changes every day — and our responsibility is to stay ahead of it.

At PwnTrends, our mission is simple:

Explain complex security topics in simple English,
and help learners become real security professionals.

Stay safe, keep learning, and keep exploring vulnerabilities — responsibly. ⚡