Critical React Server Components Vulnerability Under Active State-Sponsored Attack
CVE-2025-55182, a maximum severity remote code execution flaw affecting React 19 and Next.js 15-16, is being actively exploited by China state-nexus threat groups. Immediate patching is essential.
A critical remote code execution vulnerability in React Server Components is under active exploitation by state-sponsored threat groups, with Amazon threat intelligence confirming attacks began within hours of the vulnerability's public disclosure on December 3, 2025. The flaw, tracked as CVE-2025-55182 and dubbed "React2Shell," carries a maximum CVSS severity score of 10.0.
What's At Stake
This vulnerability affects React versions 19.0.0 through 19.2.0 and Next.js versions 15.x and 16.x using App Router. According to AWS Security, "applications are vulnerable even if they don't explicitly use server functions, as long as they support React Server Components." This means the attack surface is broader than many developers might initially assume.
The vulnerability allows unauthenticated attackers to execute arbitrary code remotely through unsafe deserialization in React Server Components' Flight protocol. AWS reported that "within hours of the public disclosure of CVE-2025-55182 on December 3, 2025, Amazon threat intelligence teams observed active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda."
The Technical Details
Security researcher Lachlan Davidson discovered and reported the vulnerability to Meta's Bug Bounty program on November 29, 2025. According to InfoQ, the vulnerability is a case of server-side JavaScript prototype pollution that exploits how React Server Components deserialize incoming payloads.
When a client requests data rendered by a React Server Component, the server parses the incoming payload and returns a serialized representation of the component tree. The vulnerability exists in how unpatched React versions handle this deserialization process. As InfoQ explains, "Unpatched React versions do not validate the serialized payload and begin resolving it (e.g., await the promise, thus running the injected then code)."
In Davidson's original proof-of-concept, he demonstrated how attackers could craft promise-like objects that, when awaited, execute arbitrary code by calling native Node.js functions like child_process.execSync. The server-side JavaScript environment imposes minimal restrictions, allowing attackers to read files, spawn processes, and run arbitrary commands.
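The mechanism described above, in which `await` on an untrusted object invokes that object's `then`, is what a payload check has to catch before resolution begins. The following is an added illustration, not React's or Next.js's code: a guard that walks a decoded value and refuses to resolve it if any object is a thenable, has a non-plain prototype, carries a function-valued property, or uses a prototype-polluting key. The function names `findUnsafe` and `resolveUntrusted` are hypothetical.

```javascript
// Added example (not React's code): validate untrusted decoded data before
// awaiting it. `await` calls a callable `then` on any object it receives, so a
// deserializer that awaits before validating hands control to the payload.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Returns null if `value` is plain data, otherwise a string describing the
// first unsafe element and where it sits (path is hypothetical notation).
function findUnsafe(value, path = '$') {
  if (value === null || typeof value !== 'object') {
    // Primitives carry no behaviour; bare functions do.
    return typeof value === 'function' ? `${path}: function value` : null;
  }
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findUnsafe(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  // Only plain objects (Object.prototype or null prototype) are accepted;
  // class instances such as Promise or Map are rejected outright.
  const proto = Object.getPrototypeOf(value);
  if (proto !== Object.prototype && proto !== null) {
    return `${path}: non-plain prototype`;
  }
  // A callable `then` makes the object a thenable; awaiting it runs that code.
  if (typeof value.then === 'function') return `${path}: thenable`;
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) return `${path}.${key}: forbidden key`;
    const hit = findUnsafe(value[key], `${path}.${key}`);
    if (hit) return hit;
  }
  return null;
}

// Resolve only after the check passes; plain data awaits to itself.
async function resolveUntrusted(decoded) {
  const problem = findUnsafe(decoded);
  if (problem) throw new Error(`rejected payload: ${problem}`);
  return await decoded;
}

// Constructed inputs for a stand-alone run.
const plain = { user: 'alice', roles: ['viewer'], meta: { n: 1 } };
const thenable = { then(resolve) { resolve('then ran'); } };
const polluting = JSON.parse('{"a":{"__proto__":{"admin":true}}}');
console.log(findUnsafe(plain));      // null
console.log(findUnsafe(thenable));   // "$: thenable"
console.log(findUnsafe(polluting));  // "$.a.__proto__: forbidden key"
```

The `__proto__` case has to be built with `JSON.parse` rather than an object literal, because a literal `{__proto__: x}` sets the prototype instead of creating an own key; decoded payloads behave like the `JSON.parse` form, which is why the key check matters.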
Active Exploitation in the Wild
AWS threat intelligence teams have documented persistent and methodical attack patterns. According to their security blog, one unattributed threat cluster spent nearly an hour on December 4, 2025, systematically troubleshooting exploitation attempts:
The observed activity involved the commands whoami and id, the path /tmp/pwned.txt, and /etc/passwd.

AWS noted that "threat actors aren't just running automated scans, but are actively debugging and refining their exploitation techniques against live targets."
The speed of exploitation underscores a critical reality. AWS stated: "When PoCs hit the internet, sophisticated threat actors are quick to weaponize them." The threat groups aren't limiting their activities to this single vulnerability—Amazon observed them simultaneously exploiting other recent N-day vulnerabilities, demonstrating a systematic approach to opportunistic attacks.
Who Is Affected
You need to patch immediately if you're running:
According to Vercel's security bulletin, the vulnerability also affects other React packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack.
How to Patch
Vercel and Meta have released coordinated patches. For React, upgrade to:
For Next.js, multiple patched versions are available depending on your current version:
Vercel has made patching easier with an automated tool. Run npx fix-react2shell-next in your project root to automatically update to the appropriate patched version. The company has also deployed Vercel Agent, which can automatically detect vulnerable projects and open pull requests with the necessary upgrades.
Additional Security Measures
Patching alone isn't sufficient if your application was exposed during the vulnerability window. Vercel strongly recommends: "If your application was online and unpatched as of December 4th, 2025 at 1:00 PM PT, we strongly encourage you to rotate any secrets it uses, starting with your most critical ones."
Cloud providers have deployed additional protections:
AWS has added coverage in the AWS WAF managed rule group AWSManagedRulesKnownBadInputsRuleSet.

However, AWS emphasizes that "these protections aren't substitutes for patching."
For Next.js users on Vercel, enable Standard Protection for all deployments besides your production domain. Vercel's security bulletin notes that "even if your production app has been patched, older versions could still be vulnerable." Audit shareable links from all deployments and ensure preview deployments aren't accessible to external users without proper authentication.
The Broader Context
This vulnerability highlights the risks inherent in rapid adoption of new framework features. React Server Components, introduced as a major feature in React 19, fundamentally changed how React applications handle server-side rendering and data fetching. The speed at which state-sponsored groups weaponized this vulnerability—literally hours after public disclosure—demonstrates the importance of coordinated disclosure and pre-positioning security patches.
AWS observed that many threat actors are attempting to use public proof-of-concept exploits that don't actually work in real-world scenarios, with some demonstrating "fundamental misunderstandings of the vulnerability." However, this creates significant noise in logs and potentially masks more sophisticated attacks.
The vulnerability has prompted a rare collaboration between Meta, Vercel, and major cloud providers. Vercel disclosed the vulnerability responsibly to Meta and cloud providers prior to public disclosure, enabling coordinated patching and protection deployment. Vercel has even partnered with HackerOne, offering bounties of $25,000 for high-severity and $50,000 for critical-severity reports that demonstrate successful bypasses of Vercel's protections.
What You Should Do Now
1. Check your versions immediately: Run next.version in your browser console or check your package.json
2. Patch without delay: Use npx fix-react2shell-next or manually upgrade to patched versions
3. Rotate credentials: If you were running vulnerable versions on or after December 4, rotate all secrets and API keys
4. Enable deployment protection: For Next.js on Vercel, enable Standard Protection for non-production deployments
5. Monitor your logs: Watch for exploitation attempts—signs include unusual command execution or file access patterns
6. Review your security posture: Check if you have WAF rules or other protective measures in place
The combination of maximum severity, active state-sponsored exploitation, and broad framework adoption makes this one of the most critical JavaScript vulnerabilities in recent memory. The window for exploitation remains open for any unpatched applications. Don't wait—patch today.