
React2Shell (CVE-2025-55182 and CVE-2025-66478): How to identify and fix vulnerable assets

Last update: 6:00 PM CT, Dec. 8, 2025

TL;DR: Two critical vulnerabilities, CVE-2025-55182 in React and CVE-2025-66478 in Next.js (together known as "React2Shell"), carry a CVSS score of 10.0, are confirmed to be under active exploitation, and allow remote code execution (RCE) in applications that use React Server Components (RSC). This post provides steps to identify and address assets affected by React2Shell.

Summary

On December 3, 2025, React and Vercel released information about a critical remote code execution (RCE) vulnerability affecting server-side use of React.js (CVE-2025-55182) and the Next.js framework (CVE-2025-66478). Responsibly disclosed by Lachlan Davidson on November 29, 2025, this vulnerability allows an unauthenticated attacker to execute code remotely due to insecure deserialization.

Security researchers have confirmed that this vulnerability is being actively exploited in the wild. The vulnerability has been publicly referred to as "React2Shell" and grants attackers full access to the server's environment. It has a CVSS 3.1 base score of 10.0 (Critical) and has recently been added to the CISA Known Exploited Vulnerabilities (KEV) catalog.

Affected systems

If you are running modern versions of React or Next.js with React Server Components (RSC) enabled, you are likely vulnerable.

React.js (CVE-2025-55182)

Versions 19.0, 19.1.0, 19.1.1, and 19.2.0

Next.js (CVE-2025-66478)

Next.js 15.x

Next.js 16.x

Next.js 14.3.0-canary.77 and later canary releases

Other frameworks using RSC

Any JavaScript-based framework leveraging React Server Components (using react-server-dom-* packages). That includes, but is not limited to: Waku, React Router (RSC preview), RedwoodSDK, Vite RSC plugin, and Parcel RSC plugin.

The React team is actively tracking additional frameworks and consolidating remediation instructions as upgrades become available.
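The version list above is also what you need when checking a repository that no scanner has indexed yet, such as a developer's local checkout. The following Node.js script is an added example, not code from Axonius or from the React or Next.js teams: it walks a package-lock.json (v2/v3 "packages" layout), flags the React and Next.js versions this post lists as affected, and flags any react-server-dom-* package or RSC framework package as a signal that RSC is in use. The affected-version ranges are taken from this post; the sample lockfile is constructed, and the scoped package names @vitejs/plugin-rsc and @parcel/rsc are assumptions based on the package names in the Axonius query later in this post.

```javascript
// Added example, not code from Axonius or the React/Next.js teams: scan a
// package-lock.json (v2/v3 "packages" layout) for the dependency versions the
// post lists as affected by React2Shell, and for packages that signal RSC use.
// The version lists come from the post; SAMPLE_LOCK is a constructed lockfile.

// React versions the post lists for CVE-2025-55182 ("19.0" is the 19.0.0 release).
const AFFECTED_REACT = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);

// Packages whose presence indicates an RSC-based framework named in the post.
// Scoped names (@vitejs/plugin-rsc, @parcel/rsc) are assumed spellings.
const RSC_PACKAGES = [
  /^react-server-dom-/, // react-server-dom-webpack, -parcel, -turbopack, ...
  /^waku$/, /^react-router$/, /^rwsdk$/, /^@vitejs\/plugin-rsc$/, /^@parcel\/rsc$/,
];

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into parts; returns null if unparseable.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split(".") : [] };
}

function isAffectedReact(version) {
  return AFFECTED_REACT.has(version);
}

// Next.js lines the post lists for CVE-2025-66478: 15.x, 16.x, and
// 14.3.0-canary.77 or later canaries. The post gives no fixed versions, so a
// 15.x/16.x hit means "confirm against the Next.js advisory", not "certainly unpatched".
function isAffectedNext(version) {
  const v = parseVersion(version);
  if (!v) return false;
  if (v.major === 15 || v.major === 16) return true;
  if (v.major === 14 && v.minor === 3 && v.patch === 0 && v.pre[0] === "canary") {
    const n = Number(v.pre[1]);
    return Number.isInteger(n) && n >= 77;
  }
  return false;
}

// "node_modules/next/node_modules/react" -> "react"; scoped names are preserved.
function packageName(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Walk every installed package (including nested copies) and collect findings.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = packageName(path);
    const version = meta.version || "";
    if (name === "react" && isAffectedReact(version)) {
      findings.push({ name, version, path, reason: "React version listed for CVE-2025-55182" });
    } else if (name === "next" && isAffectedNext(version)) {
      findings.push({ name, version, path, reason: "Next.js line listed for CVE-2025-66478" });
    } else if (RSC_PACKAGES.some((re) => re.test(name))) {
      findings.push({ name, version, path, reason: "RSC package present; check its framework advisory" });
    }
  }
  return findings;
}

// Convenience wrapper for lockfile text read from disk (e.g. fs.readFileSync).
function scanLockfileText(jsonText) {
  return scanLockfile(JSON.parse(jsonText));
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/react": { version: "19.1.1" },
    "node_modules/react-dom": { version: "19.1.1" },
    "node_modules/next": { version: "15.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path} ${f.name}@${f.version}: ${f.reason}`);
}
```

Against the sample lockfile the script reports three findings (react, next, and react-server-dom-webpack) and ignores react-dom and lodash. To run it on a real project, pass the contents of its package-lock.json to scanLockfileText; because the walk covers nested node_modules paths, a vulnerable copy of react pulled in transitively by another dependency is reported too. Treat a 15.x or 16.x Next.js hit as a prompt to compare the exact version with the Next.js advisory, since this post lists whole release lines rather than patched versions.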

Identifying affected assets with Axonius

The Axonius queries below should help you identify vulnerable code repositories (in both your repos and your employees’ repos), as well as infrastructure (servers and developer devices) at risk.

Before you begin, it's highly recommended to run a global discovery to ensure you're working with the most current data from your environment.

1. Identify vulnerable repositories

This repository query identifies code with CVE-2025-55182 or CVE-2025-66478 detected by your SAST scanners.

Go to Assets > Applications > Repositories and then search for:

("specific_data.data.software_cves.cve_id" in ["CVE-2025-55182","CVE-2025-66478"])

Alternatively, search for affected packages within your repos. Note that while this may yield false positives, it will also detect JavaScript frameworks using RSC that might not be directly indexed by your scanners, such as Waku, React Router (RSC preview), RedwoodSDK, Vite RSC plugin, and Parcel RSC plugin:

("contains.[specific_data.data.software_cves.software_name]" in ["next","parcel/rsc","react-router","react-server-dom-","rwsdk","vitejs/plugin-rsc","waku"])

2. Identify vulnerable devices

This vulnerability query identifies devices on which CVE-2025-55182 or CVE-2025-66478 has already been reported by your vulnerability scanners or CNAPP solutions.

Go to Assets > Exposures > Vulnerabilities and then search for:

{"vulnerabilities":"(\"specific_data.data.cve_id\" in [\"CVE-2025-55182\",\"CVE-2025-66478\"])","devices":""}

Remediation

The React team consolidated remediation measures across React and other frameworks using RSC in their security advisory. As of Dec. 9, that includes: Next.js, React Router, Expo, Redwood SDK, Waku, Vite, and React DOM components.

Additionally, the Next.js advisory for CVE-2025-66478 provides more in-depth guidance for remediating Next.js repositories, including the fix-react2shell-next utility, an interactive tool that checks versions and performs deterministic version bumps to the recommended versions.

In addition to patching vulnerable applications, the Next.js team is strongly encouraging owners of apps that were online and unpatched as of Dec. 4, 2025, at 1:00 PM PT to rotate any secrets, starting with the most critical ones. We recommend extending the same recommendation to other JavaScript frameworks affected by this vulnerability.

Patching is the only complete fix. If patching is delayed, you should consider:

  • Disabling RSC if possible (though this may break functionality).

  • Deploying WAF rules provided by your cloud provider (AWS, Cloudflare, and Google Cloud Armor have released rules for "React2Shell" or "RSC Deserialization").

Providers such as AWS have confirmed that threat actors, including China-nexus groups (Jackpot Panda, Earth Lamia), are actively exploiting this vulnerability to deploy cryptominers (XMRig) and harvest credentials, which makes immediate action necessary.
