React2Shell: CVE-2025-55182
Carapace Security Innovation Lead Lachlan Davidson has discovered and reported an unauthenticated remote code execution (RCE) vulnerability in React Server Components (RSC), dubbed React2Shell. It also affects unpatched Next.js instances in a default configuration, as well as other frameworks that build on RSC. The vulnerability is rated CVSS 10.0 and is tracked as CVE-2025-55182 in React.
We recommend upgrading to a patched version of React, Next.js, or any other affected framework immediately to mitigate this vulnerability. This advisory will be updated with technical details and a proof of concept once affected parties have had sufficient time to patch. In the meantime, please see the associated security advisories from React and Next.js.
Proof of Concept
We can confirm that a working PoC is circulating. We expect a significant uptick in malicious exploitation and want to emphasise the urgency of patching if you run any of the affected frameworks. Lachlan will update this advisory with technical details in the near future.
Technical Details
Coming soon…