At a glance: A maximum-severity flaw in React and Next.js allows unauthenticated remote code execution via vulnerable RSC endpoints. Affected versions include React 19.x and Next.js 15–16 with App Router. Mitigation steps include upgrading to patched releases. Field Effect MDR clients will receive an ARO alert if any vulnerable deployments are detected.
December 5 update:
On December 4, 2025, AWS reported observing China-nexus cyber threat groups actively exploiting the React vulnerability (aka React2Shell) in the wild.
These groups are leveraging the unauthenticated RCE vector against exposed React Server Component endpoints to gain initial access, deploy webshells, and pivot into cloud environments.
This escalation underscores the urgency of patching React and Next.js deployments immediately, as opportunistic exploitation is now likely to occur at scale. Organizations should assume that vulnerable applications are high-value targets and prioritize both patching and layered defenses such as WAF rules, endpoint monitoring, and strict access controls to mitigate risk.
December 4 update:
Several online posts contain what appear to be proof-of-concept exploits for the React Server Components vulnerability, though most of those circulating publicly are assessed to be fake or incomplete, or do not result in full exploitation.
Additionally, early social media reports suggest possible exploitation in the wild, but some of this activity may simply reflect researcher probing rather than confirmed attacks.
In response, multiple vendors have released scanners to help organizations detect vulnerable deployments, and Cloudflare has introduced a WAF rule to provide temporary mitigation (for applications proxied through Cloudflare) until the patches are applied.
These scanners are designed for detection only and may miss cases where version strings are obfuscated or removed. As many of the tools are community-driven and not yet widely validated, they carry operational risk. Organizations should review code carefully before use, run untrusted scripts only in sandboxed environments, and prioritize upgrading to the latest React and Next.js releases as the definitive remediation.
Field Effect has conducted a comprehensive review of all our products and services in light of this disclosure. Our investigation confirmed that none of our systems are affected by this vulnerability.
Threat summary
On December 3, 2025, the React and Next.js teams disclosed a maximum-severity vulnerability affecting specific versions of React packages and frameworks that depend on them, including Next.js.
React is a widely used JavaScript library for building user interfaces, and Next.js is a framework built on React that provides server-side rendering and routing. Both technologies are heavily adopted in enterprise web applications and SaaS platforms. Several React-based frameworks and bundling tools either rely on, have peer dependencies for, or directly incorporate the affected packages.
The vulnerability originates in the react-server package and its implementation of the React Server Components (RSC) “Flight” protocol. A threat actor could use the issue to send a specially crafted request that the server fails to properly validate.
As a result, the attacker’s data can directly control what the server executes, leading to full remote code execution without authentication. The issue is tracked as CVE-2025-55182 in React and CVE-2025-66478 in Next.js, reflecting both the upstream flaw and its downstream impact.
The issue impacts:
- The following core React packages in versions 19.0.0 through 19.2.0:
  - react-server-dom-webpack
  - react-server-dom-parcel
  - react-server-dom-turbopack
- Next.js versions 15.x and 16.x using the App Router
- Next.js 14 Canary starting at 14.3.0-canary.77
- React RSC bundlers including:
  - next
  - react-router
  - waku
  - @parcel/rsc
  - @vitejs/plugin-rsc
  - rwsdk
Patches were released in React 19.0.1, 19.1.2, and 19.2.1, and in Next.js 15.0.5, 15.1.9, 15.4.8, 15.3.6, 15.5.7, and 16.0.7.
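As an added example (not code from this advisory or from the React and Next.js projects), the following Node.js helper checks package-lock.json entries against the affected ranges and patched releases listed above; the lockfile fragment it runs on is constructed. A version string cannot show whether the App Router is in use, so every hit in an affected range is reported for review.

```javascript
// Added inventory helper (not from the advisory or the React/Next.js projects):
// flags lockfile entries that fall in the affected ranges listed above. A version
// alone cannot prove App Router use, so every range hit is reported for review.
const RSC_FIX = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };
const NEXT_FIX = { "15.0": "15.0.5", "15.1": "15.1.9", "15.3": "15.3.6",
                   "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7" };
const PACKAGES = { next: { inRange: v => v.major === 15 || v.major === 16, fixed: NEXT_FIX } };
for (const b of ["webpack", "parcel", "turbopack"])   // the three affected RSC packages
  PACKAGES[`react-server-dom-${b}`] = { inRange: v => v.major === 19 && v.minor <= 2, fixed: RSC_FIX };
const NEXT14_FIRST_BAD = "14.3.0-canary.77";          // Next.js 14: canaries from here on

function parse(version) {            // "15.1.2-canary.7" -> numeric parts + prerelease tag
  const dash = version.indexOf("-");
  const core = dash < 0 ? version : version.slice(0, dash);
  const [major, minor, patch] = core.split(".").map(Number);
  return { major, minor, patch, pre: dash < 0 ? null : version.slice(dash + 1) };
}

function cmp(a, b) {                 // semver order; a prerelease sorts before its release
  for (const k of ["major", "minor", "patch"]) if (a[k] !== b[k]) return a[k] - b[k];
  if (!a.pre || !b.pre) return (a.pre ? 0 : 1) - (b.pre ? 0 : 1);
  return a.pre.localeCompare(b.pre, undefined, { numeric: true });
}

function assess(name, version) {
  const v = parse(version);
  if (name === "next" && v.major === 14)   // only the 14 canary line is affected
    return v.pre && cmp(v, parse(NEXT14_FIRST_BAD)) >= 0 ? "vulnerable: no patched 14.x listed" : "not affected";
  const pkg = PACKAGES[name];
  if (!pkg || !pkg.inRange(v)) return "not affected";
  const fix = pkg.fixed[`${v.major}.${v.minor}`];
  if (!fix) return "review: affected range, no patched release listed for this line";
  return cmp(v, parse(fix)) < 0 ? `vulnerable: upgrade to ${fix}` : "patched";
}

function assessLockfile(lock) {      // "packages" map of a package-lock.json v2/v3
  const findings = {};
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    const name = entry.name ?? path.replace(/^.*node_modules\//, "");
    if (path && name in PACKAGES) findings[path] = assess(name, entry.version);
  }
  return findings;
}

const SAMPLE_LOCK = { packages: {          // constructed sample, not real project data
  "node_modules/next": { version: "15.5.2" },
  "node_modules/react-server-dom-webpack": { version: "19.2.0" },
  "node_modules/react": { version: "19.2.0" },   // not in the affected-package list above
} };
console.log(assessLockfile(SAMPLE_LOCK));
```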
Researchers reported that the exploit is not technically complex and requires only a malicious HTTP request, meaning exposure exists wherever RSC endpoints are accessible. The impact is unauthenticated remote code execution, which in the worst case allows complete compromise of application servers and downstream access to sensitive data.
Security researchers confirmed that even newly generated Next.js applications created with default tooling (create-next-app) are vulnerable without code modifications.
Analyst insight
The flaws are exploitable in default configurations, carry maximum severity, and have already been publicly disclosed.
Because the flaw affects default configurations in widely adopted frameworks such as React and Next.js, the risk extends broadly across enterprise and SaaS environments. Even if an application does not explicitly implement React Server Functions, it is likely vulnerable if the infrastructure or framework supports RSC.
Organizations are recommended to inventory applications using React 19.x and Next.js 15.x or 16.x with App Router, upgrade to the patched versions released on December 3, and monitor for any potentially exposed applications. Refer to React and Next.js guidance for dependency-specific instructions.
Maintaining runtime security during the upgrade period is critical to reducing exposure. Restricting access to RSC endpoints and monitoring for anomalous payloads helps sustain resilience until fixes are fully deployed.
Field Effect MDR continuously monitors for vulnerabilities through advanced analytics, threat intelligence, and 24/7 visibility across endpoints, networks, and cloud environments. By correlating network traffic, endpoint behavior, and indicators of compromise, Field Effect MDR detects and blocks exploit attempts, flagging anomalies such as malformed requests, suspicious outbound connections, or unauthorized privilege changes.
Field Effect MDR clients will receive an ARO alert identifying any instances vulnerable to the noted flaws, with remediation guidance.