TL;DR: A critical vulnerability (CVE-2025-55182) in React Server Components and Next.js allows unauthenticated attackers to execute arbitrary code on web servers with a single HTTP request. Rated CVSS 10.0 (the maximum severity score), the flaw affects 39% of cloud environments according to Wiz. Chinese state-sponsored groups began exploiting it within hours of disclosure on December 3, 2025. Attackers can steal databases, user credentials, API keys, and personal data without any authentication. If you run a React 19 or Next.js 15/16 application, patch immediately. GDPR breach notifications may be required for compromised European services.

The Most Dangerous Web Vulnerability of 2025

On December 3, 2025, security researcher Lachlan Davidson publicly disclosed CVE-2025-55182, a critical remote code execution vulnerability in React Server Components that has earned the nickname "React2Shell."[1] The flaw carries a perfect CVSS score of 10.0, the maximum possible severity rating, and allows any unauthenticated attacker on the internet to execute arbitrary code on vulnerable servers with nothing more than a crafted HTTP POST request.[2]

Within 48 hours, exploitation went from theoretical to widespread. By December 5, security firm Wiz reported that their sensors had detected active compromises across multiple organizations, with the first confirmed victims appearing at 6:00 AM UTC.[3]

Scale of Exposure

Wiz researchers estimate that 39% of cloud environments contain vulnerable React or Next.js instances. Next.js is present in 69% of all cloud environments, with 61% of those running public-facing applications. This means approximately 44% of all cloud environments have publicly exposed Next.js instances, many of them vulnerable.[3]

How the Attack Works

The vulnerability exploits a flaw in how React Server Components handle serialized data through the "Flight" protocol. When a React application uses Server Actions (the modern way to handle form submissions and data mutations), it deserializes incoming payloads to execute server-side code. A missing security check allows attackers to inject malicious payloads that bypass the normal deserialization process, resulting in arbitrary code execution.[4]

The attack is trivial to execute. A proof-of-concept exploit was published on GitHub on December 4 by security engineer Moritz Sanft, demonstrating that even a blank Next.js application created through create-next-app is vulnerable.[5] No special configuration is required. Default installations are exploitable.

Privacy and Data Breach Implications

Remote code execution on a web server is the most severe class of vulnerability because it grants attackers the same access as the application itself. For React and Next.js applications, which frequently handle user authentication, payment processing, and sensitive personal data, the privacy implications are catastrophic.

What Attackers Can Access

Complete Data Exfiltration

Once an attacker achieves code execution, they can:

  • Read entire databases: User records, passwords (even hashed ones), payment information, personal messages, health data, and any other information stored by the application
  • Steal API keys and secrets: AWS credentials, Stripe keys, database connection strings, and third-party service tokens stored in environment variables
  • Access internal systems: Use the compromised server as a pivot point for lateral movement into backend databases, admin panels, and internal APIs
  • Modify application behavior: Inject malicious code into the application to steal user credentials in real-time, redirect payments, or serve malware to visitors
  • Install persistent backdoors: Maintain access even after the vulnerability is patched[6]

Personal Data at Risk

The types of personal data exposed depend on the application, but commonly include:

  • Full names, email addresses, and phone numbers
  • Physical addresses and location data
  • Payment card details and billing information
  • Authentication credentials and session tokens
  • Private messages and user-generated content
  • Health and medical information (for healthcare apps)
  • Financial records (for banking and fintech apps)
  • Employment and HR data (for enterprise applications)

GDPR and Regulatory Exposure

European organizations running vulnerable React or Next.js applications face significant regulatory risk. Under GDPR, a personal data breach must be reported to supervisory authorities within 72 hours of discovery. Organizations that cannot demonstrate they patched promptly, or that fail to notify affected users, face fines of up to 4% of global annual revenue or €20 million, whichever is higher.[7]

The vulnerability's ease of exploitation and widespread impact means regulators will likely scrutinize organizations that were slow to respond. Unlike complex attacks that require specific configurations, React2Shell affects default installations. "We didn't know" will not be an acceptable defense.

State-Sponsored Exploitation

The speed of exploitation has been unprecedented. Amazon Web Services threat intelligence teams reported that within hours of the December 3 disclosure, multiple China-nexus threat groups began active exploitation campaigns.[8]

Known Threat Actors

  • Earth Lamia: A Chinese cyber threat group known for exploiting web application vulnerabilities to target financial services, logistics, retail, universities, and government organizations across Latin America, the Middle East, and Southeast Asia. Active since 2023.
  • Jackpot Panda: A Chinese threat actor targeting entities in East and Southeast Asia, primarily for intelligence collection related to domestic security and corruption concerns. Operating since 2020.

AWS researchers observed these groups debugging exploits in real-time against honeypot systems, refining their payloads on the fly. As one AWS analyst noted: "These aren't script kiddies running automated scans. These are well-resourced operators with processes built to weaponize new vulnerabilities within hours of disclosure."[8]

Attack Patterns Observed

Initial exploitation attempts focused on:

  • Running discovery commands (e.g., whoami) to confirm code execution
  • Writing test files (/tmp/pwned.txt) to verify write access
  • Reading sensitive system files (/etc/passwd) to enumerate users
  • Exfiltrating environment variables containing API keys and credentials

These are reconnaissance activities. The actual data theft and persistent access establishment likely follows, often going undetected for weeks or months.

Affected Software

React Packages

The vulnerability affects React Server Components in versions:

  • react-server-dom-webpack: 19.0.0, 19.1.0, 19.1.1, 19.2.0
  • react-server-dom-parcel: 19.0.0, 19.1.0, 19.1.1, 19.2.0
  • react-server-dom-turbopack: 19.0.0, 19.1.0, 19.1.1, 19.2.0

Next.js Versions

Vulnerable versions include: 15.0.4, 15.1.8, 15.2.5, 15.3.5, 15.4.7, 15.5.6, and 16.0.6.[9]

Other Affected Frameworks

Any framework using React Server Components is affected:

  • React Router (with RSC support)
  • Waku
  • @parcel/rsc
  • @vitejs/plugin-rsc
  • rwsdk (Redwood)

What's NOT Affected

  • React 18 and earlier (no Server Components)
  • Next.js 13.x and 14.x stable releases
  • Next.js Pages Router (only the App Router with Server Actions is affected)
  • Static exports and sites without server-side rendering
  • Client-side only React applications

What You Should Do Now

For Organizations Running React/Next.js

1. Patch Immediately

Upgrade to patched versions: React 19.0.1, 19.1.2, or 19.2.1. For Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7. This is not a "schedule for next sprint" issue. Deploy patches today.[9]

2. Enable WAF Protection

Cloudflare, Vercel, Akamai, and Google Cloud have deployed WAF rules to block exploitation attempts. If you use these services, ensure your traffic is proxied through their WAF. Note: WAF protection buys time but is not a substitute for patching.[10]

3. Check for Compromise

Review server logs for suspicious POST requests to Server Action endpoints. Look for unusual file writes, outbound network connections, or unexpected processes. Assume compromise if you were running vulnerable versions publicly.

4. Rotate Credentials

If your application may have been compromised, rotate all API keys, database passwords, and secrets stored in environment variables. Attackers with code execution can read these values directly from the server environment.

For Users of Affected Services

Change Passwords

If you use web applications built with modern React (look for smooth, app-like interfaces with instant navigation), consider changing your passwords as a precaution, especially for financial, healthcare, or email services.

Monitor Accounts

Watch for unauthorized transactions, unexpected password reset emails, or suspicious login notifications. Enable two-factor authentication wherever possible.

Check for Breach Notifications

Over the coming weeks, organizations that were compromised will be required to notify affected users. Monitor your email for breach notification letters and take recommended actions promptly.

The Bigger Picture: Supply Chain Risk

React is the most popular JavaScript framework in the world, used by millions of websites and applications. Next.js, built on React, powers sites ranging from small blogs to major e-commerce platforms and enterprise applications. This vulnerability demonstrates the systemic risk inherent in modern web development's reliance on shared infrastructure.[11]

When a single flaw in a foundational library can expose 39% of cloud environments to remote code execution, the security model of the entire web ecosystem is called into question. Organizations have limited visibility into the dependencies their applications rely on, and patching cycles often lag weeks or months behind vulnerability disclosures.

Collateral Damage

The rush to deploy fixes has already caused problems. On December 5, Cloudflare suffered a major service outage after a faulty WAF update intended to protect against React2Shell knocked out 28% of traffic for 25 minutes. This was Cloudflare's second major outage in two weeks.[12]

The incident illustrates the cascading effects of critical vulnerabilities: even the security measures meant to protect against exploitation can cause widespread disruption when deployed under pressure.

What Comes Next

CISA has added CVE-2025-55182 to its Known Exploited Vulnerabilities (KEV) catalog, which means federal agencies are required to patch within a defined timeline. Private sector organizations should treat this as an operational emergency.[5]

Expect the following in coming weeks:

  • Breach disclosures: Organizations that were compromised before patching will be required to notify affected users under GDPR, CCPA, and other privacy laws
  • Regulatory scrutiny: Data protection authorities may investigate organizations that failed to patch promptly
  • Continued exploitation: Even with patches available, many organizations will remain vulnerable for weeks or months due to slow update cycles
  • Supply chain audits: Security teams will face pressure to inventory and monitor open-source dependencies more aggressively

React2Shell is a wake-up call. The same properties that make modern frameworks productive (abstraction, convention over configuration, seamless server-client integration) also concentrate risk. When the foundation cracks, everything built on top is exposed.

References

  1. React. "Critical Security Vulnerability in React Server Components." December 3, 2025.
  2. National Vulnerability Database. "CVE-2025-55182 Detail."
  3. Wiz. "Critical RCE Vulnerabilities Discovered in React & Next.js."
  4. Datadog Security Labs. "CVE-2025-55182 (React2Shell): Remote code execution in React Server Components and Next.js."
  5. Tenable. "CVE-2025-55182: Frequently Asked Questions About React2Shell."
  6. Palo Alto Networks Unit 42. "Critical Vulnerabilities in React Server Components and Next.js."
  7. Kaspersky. "CVE-2025-55182 vulnerability in React and Next.js."
  8. Amazon Web Services. "China-nexus cyber threat groups rapidly exploit React2Shell vulnerability (CVE-2025-55182)."
  9. Next.js. "Security Advisory: CVE-2025-66478."
  10. Cloudflare. "Cloudflare WAF proactively protects against React vulnerability."
  11. Flashpoint. "Digital Supply Chain Risk: Critical Vulnerability Affecting React Allows for Unauthorized Remote Code Execution."
  12. Cybernews. "Cloudflare December outage result of faulty update."