React2Shell (CVE-2025-55182): Critical Remote Code Execution in React Server Components

CVE-2025-55182 is a critical, pre-authentication remote code execution vulnerability in React Server Components, carrying a CVSS score of 10.0 - the highest possible severity rating. As part of the OPSWAT Cybersecurity Fellowship Program, our fellows conducted a comprehensive technical analysis of this vulnerability, examining its root cause in the React Flight deserialization protocol, the full exploitation chain, and its widespread impact across the modern web ecosystem. This blog presents our findings alongside actionable guidance for defenders.

React has become one of the most widely adopted front-end libraries in the world, powering a significant share of modern web and mobile applications. Stack Overflow developer surveys consistently rank React among the top web frameworks, with adoption exceeding 40% of professional developers globally. In parallel with this growth, the React team introduced React Server Components (RSC) as a core feature of React 19 - a paradigm shift that moves rendering logic from the client to the server, enabling optimized performance and tighter integration between server-side and client-side code.

However, this architectural evolution introduced a critical new attack surface. On November 29, 2025, security researcher Lachlan Davidson reported a vulnerability in React’s server-side deserialization logic to Meta’s Bug Bounty program. Disclosed publicly on December 3, 2025, as CVE-2025-55182, the flaw enables unauthenticated remote code execution through a single crafted HTTP request. Classified as CWE-502 (Deserialization of Untrusted Data), the vulnerability requires no authentication, no user interaction, and no special application configuration - a default create-next-app deployment built for production is immediately exploitable.

React is a JavaScript library for building user interfaces, maintained by Meta and a broad open-source community. React Server Components (RSC), introduced with React 19, represent a fundamental shift in how React applications handle rendering. Unlike traditional client components that execute entirely in the browser, server components execute on the server, producing a serialized representation of the UI that is streamed to the client. This design reduces the amount of JavaScript shipped to the browser, improves time-to-interactive metrics, and enables direct access to server-side resources such as databases and file systems.

When a client invokes a Server Function, the browser sends an HTTP POST request with a multipart/form-data body. Each form field contains a numbered “chunk” of serialized data. The Flight protocol uses special string prefixes to encode data types: $<id> references the resolved value of another chunk, $@<id> references the raw chunk object itself, $W<id> represents a Set, $K<id> represents FormData, and $B<id> triggers the blob handler.

Consider a Server Function defined as follows:

The corresponding HTTP request contains multiple form fields, each consisting of a key and a value: field 0 contains the argument array with references such as "$W1" and "$K2", while fields 1 and 2_* contain the data those references resolve to. The server processes each field as it arrives, storing intermediate results in objects called “chunks”.

A chunk is a thenable object with four key properties: status (the resolution state), value (the stored data), reason (error information), and _response (a back-reference to the parent response object). When the server encounters await chunk, the chunk’s .then() method is invoked. If the chunk’s status is INITIALIZED, the resolve callback receives chunk.value. If the status is PENDING, BLOCKED, or CYCLIC, the callbacks are queued for later execution.

The following traces how Next.js processes an incoming Server Function request under normal conditions, from the HTTP layer through the React Flight deserialization engine.

When a Server Function is invoked, the request enters the handleAction function. This function validates metadata, checks headers and CSRF tokens, and confirms that the request is a valid fetch action. A stream called busboyStream is then created to parse the multipart form body. The decodeReplyFromBusboy function binds event emitters to this stream, triggering the React Server’s deserialization handler functions as raw data is received. The return value of decodeReplyFromBusboy is chunk_0; the await operator resolves it and passes its assembled value to the invoked Server Function.

The getChunk function returns the chunk corresponding to a given ID. If that chunk does not yet exist, it creates either a ResolvedModelChunk (if data is already present in response._formData) or a PendingChunk (if no data has arrived for that ID yet).

When decodeReplyFromBusboy returns chunk_0, the chunk is still in the PENDING state. The await operator calls chunk_0.then() and temporarily stores the resolve and reject callbacks in chunk_0.value and chunk_0.reason. These callbacks are reactivated by the wakeChunk function once reference resolution completes.

When busboyStream receives a complete raw data field, it triggers the 'field' event emitter, invokes the resolveField function, and initiates deserialization - converting raw form data into fully constructed JavaScript objects. The following functions govern this process.

resolveField(response, key, value)

The key and value are appended to response._formData. The function then retrieves the chunk corresponding to the ID matching the key. If that chunk already exists, resolveModelChunk is called to reconstruct it. This deferred resolution is necessary because a value may contain references to fields whose raw data has not yet arrived; in that case, the React Server creates a PendingChunk with custom resolve and reject callbacks to handle those references later.

resolveModelChunk(chunk, value, id)

resolveModelChunk creates a ResolvedModelChunk with the RESOLVED_MODEL state and injects the raw data. It then reconstructs the chunk via initializeModelChunk and calls wakeChunk to trigger any queued resolve and reject callbacks, completing the resolution of the object or reference.

initializeModelChunk(chunk)

initializeModelChunk transitions the chunk’s state to CYCLIC - indicating that reference resolution is in progress - and begins deserialization. It constructs a raw JavaScript object from chunk.value using JSON.parse, then passes this object into the reviveModel function.

reviveModel(response, parentObj, parentKey, value, reference)

reviveModel recursively processes each component within the parsed object. When it encounters a string value, it calls parseModelString to handle it.

parseModelString(response, obj, key, value, reference)

parseModelString dispatches on the string prefix to handle different encoded types. For references beginning with $, the getOutlinedModel function is called to resolve the cross-chunk reference.

getOutlinedModel(response, reference, parentObject, key, map)

CVE-2025-55182 originates from insufficient input validation in the getOutlinedModel() function within React’s server-side Flight reply handler (ReactFlightReplyServer.js). When a chunk reference includes a property path - such as $<id>:<prop1>:<prop2> - the function resolves it by traversing the specified properties on the target chunk object, computing the result as chunk[prop1][prop2].

The critical flaw is that these property names are never validated. The server does not verify whether the requested properties are own properties of the object or inherited prototype properties. An attacker can therefore include __proto__ in the property path to traverse the prototype chain and reach internal methods that should never be accessible from user-controlled input. For example, the reference $1:__proto__:then resolves to Chunk.prototype.then - a function the attacker can then invoke with controlled arguments.

The exploitation chain leverages two distinct code paths in React’s Flight deserialization logic.

The first is Chunk.prototype.then, which governs how chunks behave as thenables. When await is applied to a chunk in the INITIALIZED state, resolve(chunk.value) is called. If chunk.value is itself a thenable (an object with a .then() method) the await operator recursively invokes chunk.value.then(). This recursive resolution is the mechanism through which an attacker redirects execution to an arbitrary function.

The second is the $B (blob) prefix handler within parseModelString():

In the $B case, the function calls response._formData.get(response._prefix + id). Both _formData.get and _prefix are properties of the _response object stored inside the chunk. By controlling these properties through prototype chain traversal, an attacker can redirect this call to invoke the global Function constructor with arbitrary code as its argument.

Through prototype chain traversal, an attacker reaches the global Function constructor via the path <any_object>.constructor.constructor. Because Chunk.prototype.then is a function, the path $1:constructor:constructor resolves to the global Function constructor, which accepts a string and returns a callable function containing that code.

To demonstrate the potential real-world impact, our fellows constructed a proof-of-concept payload consistent with the independently documented analysis from multiple security research teams. The exploit operates in two stages:

Stage 1 - Construct the fake chunk:

The object delivered in field 0 acts as a fake chunk. Its then property is set to Chunk.prototype.then via the reference path $1:__proto__:then, allowing the Flight deserialization engine to invoke prototype-level behavior on this attacker-constructed object. The _response._formData.get property is pointed at the global Function constructor via $1:constructor:constructor, and _response._prefix is set to the malicious JavaScript code. The value field contains the string {"then": "$B0"}, instructing the blob handler to invoke itself on the same chunk when resolved. The status field is set to resolved_model so that initializeModelChunk is triggered when .then() is called, causing value to be parsed and the blob handler to fire.

Because field 1 has not yet been received at this point, the React Server temporarily creates resolve and reject callbacks to handle the pending reference.

Stage 2 - Trigger resolution:

Once field 1 - containing "$@0", a raw reference to chunk 0 - is delivered, the pending chunk resolves and points directly to the fake chunk. This triggers wakeChunk, which processes the queued callbacks and initiates prototype chain traversal during reference resolution. Once the fake chunk is fully resolved, wakeChunk is called again. Because the resolve callback for the fake chunk is the implicit Node.js resolution function, it invokes the chunk’s .then() method and resolves its value - ultimately constructing and executing the injected malicious code via the Function constructor.

The complete exploit requires only a single HTTP request:

Our fellows reproduced the vulnerability in a controlled lab environment using a standard Next.js application generated with create-next-app and built for production - with no modifications to the default configuration. The reproduction confirmed that the single-request exploit payload described above achieves reliable remote code execution.

The React team released patches on December 3, 2025 - the same day the vulnerability was publicly disclosed. Fixed versions are available as React 19.0.1, 19.1.2, and 19.2.1. The patch adds strict property validation in getOutlinedModel() and reviveModel(), explicitly blocking resolution of inherited prototype properties - including __proto__, constructor, and prototype - from user-controlled reference paths in Flight payloads.

Organizations should take the following immediate actions:

1. Upgrade React packages to a patched version (19.0.1, 19.1.2, or 19.2.1) by running npm install react-server-dom-webpack@latest, react-server-dom-parcel@latest, or react-server-dom-turbopack@latest as appropriate.
2. Upgrade framework dependencies - Next.js, React Router, Waku, and other affected frameworks have released corresponding patches. Consult the React team advisory for version-specific upgrade paths.
3. Do not rely solely on hosting provider mitigations - while providers such as Vercel deployed temporary WAF rules following disclosure, these are stop-gap measures and do not substitute for patching the underlying packages.
4. Audit server logs for POST requests bearing Next-Action headers with multipart/form-data bodies containing $@ or __proto__ patterns, and monitor for unexpected child_process or execSync invocations in application logs.

OPSWAT SBOM, a proprietary technology within the MetaDefender™ platform, provides the visibility and control necessary to defend against vulnerabilities like CVE-2025-55182. Because this flaw resides in open-source npm packages (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack), organizations must first establish a complete inventory of where these components are deployed across their infrastructure before effective remediation is possible.