Understanding React2Shell (CVE-2025-55182)
Deep dive into the critical React Server Components vulnerability that allows unauthenticated remote code execution.
CVE-2025-55182 is a critical vulnerability in React Server Components.
How It Works
The vulnerability is exploited through Flight protocol deserialization: the export name is looked up on the module object without validation.
// The vulnerable pattern
const exports = moduleTable[id];
const fn = exports[name]; // No validation!
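An added example (not code from the original page or from React) showing what the unvalidated lookup above resolves and one way to constrain it. The `moduleTable` contents and the names `resolveUnchecked`, `resolveChecked` and `isRejected` are constructed for illustration; the own-property check is an assumed hardening, not a copy of the upstream patch.

```javascript
// Constructed module table: one module exporting a single server function.
// Object literals inherit from Object.prototype, as ordinary module objects do.
const moduleTable = {
  "mod-1": { greet: (who) => `hello ${who}` },
};

// The pattern from the page: a plain bracket lookup walks the prototype chain,
// so names the module never exported still resolve to inherited members.
function resolveUnchecked(id, name) {
  const moduleExports = moduleTable[id];
  return moduleExports[name]; // No validation!
}

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Hardened lookup (assumed design): string inputs, own properties only,
// and the resolved export must be callable.
function resolveChecked(id, name) {
  if (typeof id !== "string" || typeof name !== "string") {
    throw new TypeError("module id and export name must be strings");
  }
  if (!hasOwn(moduleTable, id)) {
    throw new Error(`unknown module: ${id}`);
  }
  const moduleExports = moduleTable[id];
  if (!hasOwn(moduleExports, name)) {
    throw new Error(`not an export of ${id}: ${name}`);
  }
  const fn = moduleExports[name];
  if (typeof fn !== "function") {
    throw new TypeError(`export is not callable: ${name}`);
  }
  return fn;
}

// Returns true when resolveChecked refuses the (id, name) reference.
function isRejected(id, name) {
  try {
    resolveChecked(id, name);
    return false;
  } catch {
    return true;
  }
}
```

The same own-property rule applies to the module id: `moduleTable` is itself an object, so an id that matches an inherited name must be refused before any export lookup happens.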
Affected Versions
- Next.js 15.x < 15.5.7
- React 19.x with RSC
Mitigation
Upgrade to patched versions immediately.