CVE-2025-55182 - React Server Components RCE

CVE-2025-55182, commonly called React2Shell, is a critical pre-authentication remote code execution vulnerability in React Server Components. The vulnerable react-server-dom-* packages can unsafely deserialize attacker-controlled HTTP payloads sent to Server Function endpoints. A React application can still be exposed even when product code did not intentionally define Server Functions, as long as the framework or bundler enables React Server Components.

This recipe is for production code owners, not exploit reproduction. A mergeable fix inventories every RSC-capable runtime, upgrades the vulnerable package or downstream framework line, refreshes generated artifacts, proves client-only React apps are not over-scoped, and documents operator work such as secret rotation when an exposed service was online before patching.

When to use it

  • A repository deploys, builds, packages, or documents React Server Components, Next.js App Router, Server Functions, server actions, or RSC-capable frameworks/plugins.
  • Resolved react-server-dom-*, Next.js, Waku, React Router RSC, Parcel RSC, Vite RSC, or Redwood SDK versions may fall in affected lines.
  • Server-side RSC request handlers may be reachable from internet-facing, internal, cross-tenant, or partner traffic while holding secrets or tenant data.
  • You need a bounded PR or triage note that upgrades the RSC stack and distinguishes affected server runtimes from client-only React apps.

Inputs

  • Package manifests, lockfiles, Dockerfiles, deployment manifests, SBOMs, generated dependency reports, build caches, app/router source, and hosting configs.
  • Resolved RSC/framework versions, server-action surfaces, request reachability, tenant boundaries, edge/WAF containment, secret exposure, and rotation owners.
  • Available install, lockfile integrity, lint/typecheck, route/server-action tests, build, E2E smoke, container build, SBOM, and dependency scan commands.

Affected versions

Surface Vulnerable versions Fixed versions
react-server-dom-webpack 19.0.0, 19.1.0, 19.1.1, 19.2.0 19.0.1, 19.1.2, 19.2.1
react-server-dom-parcel 19.0.0, 19.1.0, 19.1.1, 19.2.0 19.0.1, 19.1.2, 19.2.1
react-server-dom-turbopack 19.0.0, 19.1.0, 19.1.1, 19.2.0 19.0.1, 19.1.2, 19.2.1
next App Router stable 15.x, stable 16.x, and 14.3.0-canary.77+ canaries in the originally affected line 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12, or a later vendor-fixed release in the same line

Other affected RSC-capable surfaces named by the React advisory include React Router unstable RSC APIs, Waku, @parcel/rsc, @vitejs/plugin-rsc, and Redwood SDK. For those, upgrade the framework or plugin and the underlying react-server-dom-* package to the fixed line recommended by the vendor.

Client-only React applications, React Native applications without the vulnerable RSC packages, and applications that do not use an RSC-capable framework, bundler, or plugin are not exposed by this CVE.

Indicator-of-exposure

  • The repository resolves react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack at 19.0.0, 19.1.0, 19.1.1, or 19.2.0.
  • The repository ships a Next.js App Router app on an affected 15.x, 16.x, or 14.3 canary release, or uses another RSC-capable framework or bundler.
  • Routes, server actions, Server Function endpoints, RSC loaders, or framework action handlers are reachable from untrusted clients.
  • The server process holds environment variables, database credentials, signing keys, deployment tokens, model-provider keys, tenant data, session cookies, or other sensitive material that would require rotation after possible RCE exposure.
  • Deployment artifacts, SBOMs, Docker layers, cache keys, or package-manager lockfiles still pin an affected version even after package.json is edited.

Quick checks:

rg -n "\"next\"|react-server-dom-(webpack|parcel|turbopack)|@vitejs/plugin-rsc|@parcel/rsc|waku|rwsdk|app/|use server|server action|serverActions|Server Function|createServerReference|react-server" .
npm ls next react react-dom react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack @vitejs/plugin-rsc @parcel/rsc waku rwsdk
pnpm why next react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack @vitejs/plugin-rsc @parcel/rsc waku rwsdk
yarn why next react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack

Windows:

rg -n "\"next\"|react-server-dom-(webpack|parcel|turbopack)|@vitejs/plugin-rsc|@parcel/rsc|waku|rwsdk|app/|use server|server action|serverActions|Server Function|createServerReference|react-server" .
npm ls next react react-dom react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack @vitejs/plugin-rsc @parcel/rsc waku rwsdk
pnpm why next react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack @vitejs/plugin-rsc @parcel/rsc waku rwsdk
yarn why next react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack

Do not run public proof-of-concept requests, unauthenticated RCE probes, or internet scanners against live services during repository triage.

Remediation strategy

  • Upgrade vulnerable react-server-dom-* packages to 19.0.1+, 19.1.2+, or 19.2.1+ on the active React line.
  • For Next.js App Router, upgrade to the patched release in the repository’s active line: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12, or a later vendor-fixed release. If the app is on a vulnerable 14.3.0-canary.77+ build, follow vendor guidance to downgrade to stable 14.x or to 14.3.0-canary.76 unless a later vendor-fixed canary is explicitly required and supported.
  • For React Router RSC, Waku, @parcel/rsc, @vitejs/plugin-rsc, Redwood SDK, or other RSC-capable tooling, upgrade both the framework/plugin and any resolved react-server-dom-* package.
  • Regenerate package-lock, pnpm lock, Yarn lock, SBOMs, Docker layers, deployment manifests, dependency reports, and cache keys. Confirm the deployed artifact, not just the source manifest, resolves fixed versions.
  • Add safe regression coverage: dependency resolution assertions, RSC route smoke tests, unauthenticated request rejection before sensitive work, server-action behavior tests, build tests, and log redaction checks.
  • If an internet-facing or cross-tenant affected service was online while unpatched, patch first, then rotate secrets and review logs according to the operator’s incident-response policy. Do not dump secrets, request bodies, or customer payloads into the PR.
  • Treat hosting-provider WAF or edge mitigations as temporary containment, not as a substitute for the framework or package upgrade.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2025-55182 / GHSA-fv66-9v8q-g76r, the critical
React Server Components pre-authentication RCE also known as React2Shell.
Produce exactly one output:

- A reviewer-ready PR/change request that upgrades every affected RSC package
  or downstream framework, refreshes generated artifacts, adds safe regression
  coverage, and documents operator follow-up including secret rotation when
  exposure warrants it, or
- TRIAGE.md if this repository does not control an affected RSC-capable
  application, package, image, lockfile, deployment artifact, or framework
  runtime.

## Rules

- Scope only CVE-2025-55182 / GHSA-fv66-9v8q-g76r, downstream React2Shell
  framework exposure such as Next.js App Router, and directly related RSC
  upgrade artifacts.
- Treat cookies, sessions, JWTs, environment variables, signing keys,
  deployment tokens, model-provider keys, tenant data, prompts, customer
  content, build credentials, and logs as sensitive.
- Do not generate, run, publish, preserve, or link exploit payloads or live RCE
  probes.
- Do not rely on hosting-provider mitigations as the final fix when this
  repository controls the vulnerable package or framework version.
- Do not remove authentication, authorization, tenant isolation, route
  validation, server actions, audit logging, or tests to silence the finding.
- Do not auto-merge.

## Steps

1. Inventory every JavaScript/TypeScript workspace, package manifest,
   lockfile, SBOM, Dockerfile, deployment manifest, devcontainer, generated
   dependency report, and hosted app controlled by this repository.
2. Determine resolved versions for `next`, `react`, `react-dom`,
   `react-server-dom-webpack`, `react-server-dom-parcel`,
   `react-server-dom-turbopack`, React Router, Waku, `@parcel/rsc`,
   `@vitejs/plugin-rsc`, `rwsdk`, and any framework that enables RSC.
3. Mark a target vulnerable when it resolves:
   - `react-server-dom-webpack`, `react-server-dom-parcel`, or
     `react-server-dom-turbopack` at `19.0.0`, `19.1.0`, `19.1.1`, or
     `19.2.0`;
   - Next.js App Router on an affected 15.x or 16.x release;
   - Next.js `14.3.0-canary.77+` canaries;
   - another RSC-capable framework or bundler that vendors or depends on an
     affected React Server DOM package.
4. Prove exposure before patching: identify App Router usage, RSC routes,
   Server Functions, server actions, framework request handlers, public or
   cross-tenant reachability, and whether the process has secrets or tenant
   data that require post-patch operator action.
5. If the repository only uses client-side React, or uses React Native without
   the affected RSC packages, stop with `TRIAGE.md` listing checked files,
   resolved versions, and why no server-side RSC surface exists.
6. Upgrade affected packages and frameworks:
   - `react-server-dom-*` to `19.0.1+`, `19.1.2+`, or `19.2.1+`;
  - Next.js to `15.0.5`, `15.1.9`, `15.2.6`, `15.3.6`, `15.4.8`, `15.5.7`,
    `16.0.7`, `15.6.0-canary.58`, `16.1.0-canary.12`, or a later
    vendor-fixed release in the active line;
   - vulnerable canary releases to a vendor-listed safe canary or stable line;
   - RSC-capable framework plugins to their vendor-fixed versions.
7. Refresh package-manager lockfiles, package-manager metadata, SBOMs,
   container layers, deployment manifests, generated dependency reports, build
   caches, and docs that pin or mention the affected versions.
8. Add safe reviewer-runnable regression coverage:
   - dependency resolution asserts fixed RSC and framework versions;
   - RSC/server-action routes still work after the upgrade;
   - unauthenticated and cross-tenant requests fail before sensitive work;
   - logs redact cookies, tokens, request bodies, tenant IDs, prompts, and
     environment values;
   - build and runtime smoke tests use local fixtures, not public exploit
     payloads.
9. Add a PR body section named `CVE-2025-55182 operator actions` that states:
   - package and framework versions before and after;
   - which App Router, RSC, Server Function, or server-action surfaces were
     exposed;
   - whether the service was internet-facing, internal-only, or not reachable;
   - what hosting-provider, WAF, gateway, or rate-limit containment exists;
   - whether secrets, sessions, deployment tokens, model-provider keys, or
     tenant credentials need rotation after patch deployment;
   - which validation commands passed.
10. If immediate upgrade is blocked, add temporary containment only where this
    repository controls it: disable external reachability for affected RSC
    endpoints, enforce WAF/gateway rules, rate-limit RSC request paths, isolate
    the service from privileged credentials, and document owner, deadline, and
    residual risk in `TRIAGE.md`.
11. Run available validation: package install, lockfile consistency,
    typecheck, lint, unit tests, route/server-action tests, build, E2E smoke
    tests, container build, SBOM refresh, dependency/security scans, and
    deployment render checks.
12. Use PR title:
    `fix(sec): remediate CVE-2025-55182 in React Server Components`.

## Stop conditions

- No controlled server-side RSC-capable runtime resolves an affected package or
  framework version.
- The repository uses React only on the client and has no RSC-capable
  framework, bundler plugin, or Server Function surface.
- The fixed framework line requires a broad migration outside repository
  ownership or the current release window.
- Safe verification would require live RCE testing, public exploit payloads,
  production traffic, customer data, or real credentials.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Verification - what the reviewer looks for

  • No controlled manifest, lockfile, image, SBOM, generated dependency report, or deployment artifact resolves a vulnerable react-server-dom-*, Next.js, or RSC-capable framework version.
  • The PR distinguishes server-side RSC/App Router exposure from client-only React applications that are not affected.
  • Tests prove fixed dependency resolution and expected RSC/server-action behavior without preserving exploit payloads.
  • Operator notes name internet-facing or cross-tenant exposure, edge containment, deployment timing, and whether secrets or sessions need rotation.
  • Hosting-provider mitigation is documented as temporary unless all vulnerable packages have been upgraded in the deployed artifact.

Output contract

  • Reviewer-ready PR upgrading affected RSC packages/frameworks and refreshing package locks, images, deployment artifacts, SBOMs, generated reports, and docs.
  • Evidence distinguishing server-side RSC/App Router exposure from client-only React, plus route/server-action smoke tests after the upgrade.
  • Operator notes for reachability, temporary edge containment, deployment timing, log review, and secret/session/token rotation when exposure warrants it.
  • TRIAGE.md when the affected runtime, framework migration, hosting artifact, or operator cleanup owner is outside this repository.

Watch for

  • Updating package.json while package-lock.json, pnpm-lock.yaml, yarn.lock, Docker images, SBOMs, or deployment caches still resolve an affected package.
  • Bumping react and react-dom while leaving react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack pinned to a vulnerable version.
  • Treating every React app as affected instead of proving whether the app has a server-side RSC-capable runtime.
  • Assuming Vercel, Netlify, Fastly, Akamai, or another edge mitigation removes the need to upgrade the vulnerable package or framework.
  • Adding diagnostics that log full request bodies, cookies, environment variables, tenant data, or prompt content during incident review.
  • Folding an unrelated Next.js major migration into the CVE PR without clear behavior validation and rollback notes.

References