Skip to main content
Room Banner
Back to all walkthroughs
Room Icon

React2Shell: CVE-2025-55182

Max room.

Explore the CVE-2025-55182 vulnerability in React server components.

easy

45 min

10,044

User profile photo.
User profile photo.
User profile photo.

To access material, start machines and answer questions login.

In this task, we will explore -2025-55182, one of the most critical vulnerabilities discovered in December 2025, with a maximum score of 10.0. This vulnerability affects React Server Components (RSC) and the frameworks that implement them, particularly Next.js. The vulnerability, dubbed “React2Shell” by researchers, allows unauthenticated remote code execution through a single crafted request. We’ll examine the technical foundations of this flaw, understand how the React Flight protocol works, analyse the actual exploitation chain, and dissect a working proof-of-concept that demonstrates real-world remote code execution. By the end of this task, we’ll comprehend how a seemingly innocuous deserialization flaw can cascade into full system compromise.

Before we dive, in the official (opens in new tab) security advisory (opens in new tab), the vulnerable versions are 19.0, 19.1.0, 19.1.1, and 19.2.0. The vulnerability spans the following:

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

To protect your systems, you need to update to version 19.0.1, 19.1.2, or 19.2.1.

Answer the questions below

Having outlined the basics, let’s now dive into the key technical notes.