In December 2025, CVE-2025-55182 (React2Shell), a vulnerability in React Server Components (RSC) that enables remote code execution (RCE), was publicly disclosed. Shortly after publication, multiple security vendors reported scanning activity and suspected exploitation attempts, and CISA has since added the flaw to its Known Exploited Vulnerabilities (KEV) catalog.
React2Shell is not tied to a specific framework; rather, it stems from a structural weakness in the RSC feature that affects the broader React ecosystem. This article examines the technical foundation of React2Shell, the exposure landscape of services using RSC, observed attacker activity, and the defensive strategies organizations should adopt.
React2Shell Vulnerability Overview: A Structural Flaw Allowing RCE Without Authentication
CVE-2025-55182 is caused by a validation flaw in the deserialization process of the Flight protocol, which React Server Components use to exchange state between the server and client. An attacker can achieve RCE simply by sending a crafted payload to the Server Functions endpoint without authentication, and because a PoC is already publicly available, the vulnerability is highly susceptible to automated attacks.
The impact extends to all services that use RSC, and because frameworks such as Next.js, React Router RSC, Waku, Vite RSC Plugin, Parcel RSC Plugin, and RedwoodJS share the same underlying structure, the broader React ecosystem is collectively exposed.
The official patch is available in react-server-dom-* packages version 19.0.1 / 19.1.2 / 19.2.1 or later, and the vulnerability is rated CVSS 10.0, indicating critical severity.
Exposure Analysis of React2Shell-Affected Assets Using Criminal IP
React2Shell is difficult to detect using traditional product banners or HTML content alone. React-based services are designed so that RSC components are not externally exposed, and frameworks like Next.js, which vendor React modules internally, make it even harder to identify the underlying technology stack. As a result, simple banner-based detection methods cannot reliably determine whether RSC is enabled or whether a service is exposed to this vulnerability.
In real-world environments, the most reliable detection method is to identify systems based on their HTTP response headers, and servers with RSC enabled consistently exhibit the following values.
Criminal IP Search Query: “Vary: RSC, Next-Router-State-Tree”
You can detect RSC-enabled servers in the United States using Criminal IP by applying queries based on these header patterns.
Criminal IP Search Query: “Vary: RSC, Next-Router-State-Tree” country: “US”
According to the Criminal IP Asset Search results, the query “Vary: RSC, Next-Router-State-Tree” country: “US” identified a total of 109,487 RSC-enabled assets. This header pattern indicates that RSC is active on these servers. While it does not mean that all of them are vulnerable, it is a critical indicator of the large-scale exposure surface that exists.
When examining the analysis results for a specific asset in Criminal IP, the server was found to have ports 80 and 443 exposed externally, and its response headers, SSL certificate details, vulnerability list, and Exploit DB associations could all be reviewed in a single unified page. In this asset, indicators relevant to React2Shell were identified alongside other critical vulnerabilities, including CVE-2023-44487 (HTTP/2 Rapid Reset), which has been widely abused in large-scale DDoS attacks.
This demonstrates how Criminal IP Asset Search provides multiple analysis layers that help assess whether an environment is realistically exploitable by attackers.
Security Mitigation Strategies
1. Immediate Update of React-Related Packages
Ensure that the following packages are updated to their latest versions.
| Package | Patch Version |
|---|---|
| react-server-dom-webpack | 19.0.1 / 19.1.2 / 19.2.1 |
| react-server-dom-parcel | 19.0.1+ |
| react-server-dom-turbopack | 19.0.1+ |
2. Verify Patch Availability for Each Framework
React RSC is used across multiple frameworks, including Next.js, Vite, Parcel, and RedwoodJS. Notably, Next.js vendors RSC internally, meaning that updating React packages alone may not automatically apply the fix. Therefore, it is essential to review each framework’s official security advisories or release notes and upgrade to the version in which the vulnerability has been addressed.
3. Minimize External Exposure of RSC Endpoints
Whenever possible, restrict access using a reverse proxy, WAF or authentication gateway.
4. Leverage Criminal IP for Monitoring
- Monitor exposure of RSC-related header
- Detect scanning attempts based on TLS fingerprints
- Automatically block malicious scanning IPs
- Check for vulnerability presence and associated Exploit DB entries
FAQ
Q1. Are all services that include “Vary: RSC” vulnerable?
“Vary: RSC” simply indicates that the server is rendering content using React Server Components. This header does not confirm whether the service is vulnerable. Actual risk depends on whether the server has applied the required security patches for React and its related packages. However, the presence of this header is a valuable indicator that attackers can use to identify servers with RSC enabled.
Q2. Why is it difficult to determine React usage by looking only at HTML?
React Server Components execute on the server side, and their internal structure is not exposed in the HTML output. Additionally, frameworks like Next.js and React optimize and bundle code during the build process, making it difficult to identify framework characteristics from the outside. For this reason, HTML alone cannot reliably indicate whether React or RSC is in use, and analyzing HTTP response headers is the most effective method for accurate detection.
Conclusion
React2Shell (CVE-2025-55182) is a critical vulnerability affecting the most widely used React-based services across the web ecosystem. With low exploitation complexity and publicly available PoCs, active attacks are spreading rapidly.
According to Criminal IP analysis, approximately 110,000 RSC-enabled services in the United States are exposed, underscoring the substantial risk of widespread exploitation. In addition to applying patches, identifying exposed RSC services and conducting real-time monitoring are essential components of an effective React2Shell response strategy. Criminal IP provides one of the most effective tools for accurately mapping this attack surface and strengthening defensive measures.
In relation to this, you can refer to Next.js Middleware Vulnerability Allows Authentication Bypass: Over 520K Assets at Risk
This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine. Sign up for a free Criminal IP account today to explore the search results mentioned in the report and delve into comprehensive threat intelligence.
Sources: Criminal IP (https://www.criminalip.io), CISA (https://www.cisa.gov/news-events/alerts/2025/12/05/cisa-adds-one-known-exploited-vulnerability-catalog), The Hacker News (https://thehackernews.com/2025/12/critical-react2shell-flaw-added-to-cisa.html)
Related Article: https://www.criminalip.io/knowledge-hub/blog/26952