Zero‑day protection for React2Shell (CVE‑2025‑55182)
- Boris Rozenfeld
- 19 hours ago
- 4 min read
Updated: 5 minutes ago
React Server Components (RSC) and Server Functions in React 19 are at the center of a new critical vulnerability, CVE‑2025‑55182, widely referred to as React2Shell. The issue is rated CVSS 10.0 and allows an unauthenticated remote attacker to achieve remote code execution (RCE) on servers handling RSC traffic.
In this post we’ll briefly cover the impact, who is affected, what you should do now, and how open-appsec and CloudGuard WAF (open-appsec's enterprise edition) provide preemptive protection, including against the recently released public proof‑of‑concept (PoC) exploits.

Understanding React2Shell (CVE‑2025‑55182)
The React team has disclosed an unauthenticated RCE vulnerability in React Server Components, specifically in how React decodes payloads sent to React Server Function endpoints.
An attacker can:
Send a specially crafted HTTP request to a Server Function endpoint in a vulnerable deployment, and
Have that payload deserialized in a way that leads to arbitrary code execution on the server, with no authentication and no user interaction required.
Because RSC / Server Functions are increasingly used in modern React and Next.js applications as core plumbing, this turns into a high‑impact server‑side vulnerability, comparable in urgency to other critical deserialization bugs.
Affected packages and frameworks
According to the official React advisory and GitHub’s CVE record, the vulnerability affects the following React server‑side packages:
react-server-dom-webpack
react-server-dom-parcel
react-server-dom-turbopack
Vulnerable React versions
| Vulnerable version | Fixed in |
|---|---|
| 19.0 | 19.0.1 |
| 19.1.0 | 19.1.2 |
| 19.1.1 | 19.1.2 |
| 19.2.0 | 19.2.1 |
Affected frameworks and ecosystems
Several popular frameworks and tools that depend on these RSC packages are also affected, including:
Next.js 15.x and 16.x (App Router)
Affected ranges include multiple 15.x and 16.x releases, as well as canary builds starting from 14.3.0‑canary.77.
Patched stable versions include 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7.
React Router (unstable RSC APIs)
Waku
Redwood SDK
@vitejs/plugin-rsc
@parcel/rsc
If your React application:
does not run on a server (pure client‑side only), or
does not use a framework / bundler that supports RSC,
then it is not affected by CVE‑2025‑55182.
open‑appsec & CloudGuard WAF: pre‑emptive protection
open‑appsec & CloudGuard WAF use a signature‑less, machine‑learning‑based engine that analyzes full HTTP requests, including complex, nested payloads such as those used by React Server Components and Server Functions.
Instead of matching only on static strings, the engine:
Fully decodes bodies (JSON, multipart, nested structures).
Understands parameter relationships and request context (method, headers, path, content type).
Scores requests based on patterns consistent with deserialization abuse and remote code execution, not just classic SQLi/XSS signatures.
As public React2Shell PoC exploits for CVE‑2025‑55182 became available, we replayed them in a controlled lab environment against applications using vulnerable React/Next.js stacks. In these tests:
open‑appsec and CloudGuard WAF pre‑emptively blocked the exploit traffic, even before deploying any CVE‑specific virtual patch updates.
This aligns with what we’ve consistently seen in previous zero‑days: once an exploit relies on abnormal protocol usage, deserialization tricks, or server‑side execution primitives, the ML‑based detection has a strong signal - even when the vulnerability itself is newly disclosed.
We are now complementing this existing protection with dedicated rules tailored for React Server Components traffic, further tightening coverage while preserving low false‑positive rates.
What should you do now?
1. Identify whether you are affected
You should treat this as an emergency patching event if:
You are using React 19 with Server Components / Server Functions, and
Your stack relies on any of the affected packages or frameworks listed above.
In particular, you are likely affected if you run:
Next.js with the App Router on versions:
15.x or 16.x prior to the patched releases, or
14.3 canary builds from 14.3.0‑canary.77 onward.
React applications using experimental RSC features in React Router, Waku, Redwood SDK, Vite RSC plugin, or Parcel RSC.
2. Upgrade immediately
Follow the official guidance from the React and Next.js teams:
React Server Components packages: upgrade to 19.0.1, 19.1.2, or 19.2.1 (the fixed release for your branch) for:
react-server-dom-webpack
react-server-dom-parcel
react-server-dom-turbopack
Next.js (App Router): upgrade to the latest patched release in your branch
If you are on Next.js 14.3.0‑canary.77 or later canaries, downgrade to a stable 14.x release
Other RSC‑enabled frameworks and tools: follow the upgrade instructions from the React blog and each vendor (React Router, Redwood SDK, Waku, @vitejs/plugin-rsc, @parcel/rsc).
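To make steps 1 and 2 repeatable across many repositories, here is an added example (not open-appsec's or the React project's own code) of a small Node.js script that audits an npm package-lock.json for the react-server-dom-* packages and the Next.js branches listed above. The fixed-version table is copied from this post; the lockfile contents, package set and helper names (classify, auditLockfile, SAMPLE_LOCK) are constructed for the example, and any version outside the ranges the post states is reported as "unknown" rather than guessed.

```javascript
// Added example, not part of the original post: audit a package-lock.json for the
// React2Shell (CVE-2025-55182) affected packages and compare each installed version
// against the fixed release named in the post for that branch.

// Fixed releases per branch, taken from the post (anything else is "unknown").
const FIXED = {
  // react-server-dom-* packages follow the React 19 version lines
  rsc: { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' },
  // Next.js App Router stable branches the post lists as patched
  next: {
    '15.0': '15.0.5', '15.1': '15.1.9', '15.2': '15.2.6', '15.3': '15.3.6',
    '15.4': '15.4.8', '15.5': '15.5.7', '16.0': '16.0.7',
  },
};
const RSC_PACKAGES = [
  'react-server-dom-webpack', 'react-server-dom-parcel', 'react-server-dom-turbopack',
];

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts; null if unparseable.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Compare numeric cores only; returns <0, 0 or >0.
function cmpCore(a, b) {
  return (a.major - b.major) || (a.minor - b.minor) || (a.patch - b.patch);
}

// Classify one package@version as 'vulnerable' | 'fixed' | 'not-affected' | 'unknown'.
function classify(name, version) {
  const v = parseVersion(version);
  if (!v) return 'unknown';
  if (RSC_PACKAGES.includes(name)) {
    if (v.major !== 19) return 'not-affected';         // only the React 19 lines are listed
    const fixed = FIXED.rsc[`${v.major}.${v.minor}`];
    if (!fixed) return 'unknown';                       // branch not covered by the post
    return cmpCore(v, parseVersion(fixed)) < 0 ? 'vulnerable' : 'fixed';
  }
  if (name === 'next') {
    // Canary builds from 14.3.0-canary.77 onward are affected; the post says to
    // downgrade those to a stable 14.x release.
    if (v.major === 14 && v.minor === 3 && v.patch === 0 && v.pre) {
      const n = /^canary\.(\d+)$/.exec(v.pre);
      if (!n) return 'unknown';
      return +n[1] >= 77 ? 'vulnerable' : 'not-affected';
    }
    if (v.major < 15) return 'not-affected';            // stable 14.x and older
    if (v.pre) return 'unknown';                        // 15.x/16.x prereleases: see advisory
    const fixed = FIXED.next[`${v.major}.${v.minor}`];
    if (!fixed) return 'unknown';
    return cmpCore(v, parseVersion(fixed)) < 0 ? 'vulnerable' : 'fixed';
  }
  return 'not-affected';
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and return
// every entry that is vulnerable, fixed, or could not be classified.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path || !entry.version) continue;              // "" is the root project itself
    const marker = 'node_modules/';
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    const status = classify(name, entry.version);
    if (status !== 'not-affected') findings.push({ name, version: entry.version, status });
  }
  return findings;
}

// Constructed sample lockfile fragment (not from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'constructed-app', version: '1.0.0' },
    'node_modules/next': { version: '15.4.7' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/react-server-dom-turbopack': { version: '19.2.1' },
    'node_modules/lodash': { version: '4.17.21' },
  },
};

function main() {
  for (const f of auditLockfile(SAMPLE_LOCK)) {
    console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}`);
  }
}
main();
```

For a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; yarn and pnpm lockfiles use a different layout and need their own reader. Treat every "unknown" as a prompt to check the React and Next.js advisories, not as a clean result.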
3. Harden your perimeter
Even after patching, we strongly recommend keeping CloudGuard AppSec / open‑appsec in Prevent mode for internet‑facing applications using React 19 and RSC‑aware frameworks.
Summary
CVE‑2025‑55182 (React2Shell) is a critical, unauthenticated RCE in React Server Components / Server Functions with a CVSS score of 10.0.
It impacts React 19 server packages (react-server-dom-*) and popular frameworks including Next.js 15.x/16.x App Router and several other RSC‑enabled ecosystems.
Organizations should upgrade immediately to fixed versions of React, Next.js, and any affected RSC tooling, following the official guidance.
In parallel, open‑appsec and CloudGuard WAF have already demonstrated pre‑emptive blocking of the newly released PoC exploit traffic for this CVE, thanks to their contextual, ML‑based detection of deserialization and RCE behavior - providing an important safety net while patches are rolled out and as exploit techniques evolve.
open-appsec is an open-source project that builds on machine learning to provide pre-emptive web app & API threat protection against OWASP-Top-10 and zero-day attacks. It simplifies maintenance because there is no threat signature upkeep or exception handling, as is common in many WAF solutions.
More information about open-appsec's Learning Levels can be found here.
To achieve the best Threat Prevention results of the ML engine, read this blog.
To learn more about how open-appsec works, see this White Paper and the in-depth Video Tutorial. You can also experiment with deployment in the free Playground.