React Server Components Face 'React2Shell' RCE: A Historic 10/10 Critical Vulnerability Unveiled
A ‘historic’ and ‘disastrous’ critical vulnerability, ‘React2Shell’, has been publicly disclosed, impacting applications built with React Server Components (RSCs) and numerous frameworks including Next.js, React Router, Waku, Parcel, Bit, and RW SDK. Assigned a maximum CVSS score of 10.0, the flaw allows unauthenticated remote code execution (RCE) on the server machine, bypassing existing filters and security measures. The vulnerability stems from a critical issue in how the exposed RSC endpoint decodes payloads, enabling attackers to gain full control over the host system. Even applications not actively using React Server Functions but merely supporting the underlying React Server DOM via frameworks were vulnerable.
Lachlan Davidson responsibly disclosed the vulnerability privately on November 29th, with public disclosure by Vercel and the React team following on December 3rd, 2025, after fixes were implemented. The exploit leverages JavaScript prototype chain manipulation, specifically within the formData processing, by crafting payloads using the Map constructor and .then to inject and execute arbitrary code. React versions 19.1.0, 19.1.1, and 19.2.0 were directly affected, with patches released in versions 19.0.1, 19.1.2, and 19.2.1.

Hosting providers like Vercel and Cloudflare rapidly deployed temporary Web Application Firewall (WAF) rules to mitigate initial exploitation attempts, though these were not foolproof. A real-world incident saw a self-hosted Next.js application compromised for crypto-mining due to delayed patching. Notably, a Cloudflare service interruption on December 5th, 2025, was inadvertently triggered by the global rollout of an internal WAF protection against this very ‘React to Shell’ vulnerability, highlighting the complexities of large-scale security responses and infrastructure fragility. This incident underscores the paramount importance of prompt patching and robust communication in the face of critical security vulnerabilities.
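Because the article's practical takeaway is prompt patching, the following is an added example (not code from the article, Vercel, Cloudflare or the React project) of a lockfile audit a defender can run to find React packages still below the patched releases the article names (19.0.1, 19.1.2, 19.2.1). It assumes a package-lock.json of lockfileVersion 2 or 3, whose `packages` map uses `node_modules/...` keys; the set of package names it inspects (`react`, `react-dom` and any `react-server-dom-*` package, the latter being where the RSC payload decoder lives) is an assumption, as is treating 19.3 and later as released after the fix and flagging canary/prerelease builds for manual review rather than classifying them. The sample lockfile is constructed for the demonstration.

```javascript
// Added example: audit a package-lock.json for React packages below the
// patched releases named in the article (19.0.1, 19.1.2, 19.2.1).
// Package names inspected and the 19.3+ handling are assumptions.

// minor line -> first patch number that contains the fix, per the article
const PATCHED_FLOOR = { 0: 1, 1: 2, 2: 1 };

// Assumption: packages worth checking. react-server-dom-* (webpack, turbopack,
// parcel, ...) hosts the RSC payload decoder, so it is included with react/react-dom.
function isReactPackage(name) {
  return name === "react" || name === "react-dom" || name.startsWith("react-server-dom-");
}

// Minimal semver parse: major.minor.patch with an optional prerelease tag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v));
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Returns "patched", "vulnerable", "prerelease" or "out-of-scope".
function classify(version) {
  const p = parseVersion(version);
  if (!p || p.major !== 19) return "out-of-scope"; // article only names 19.x lines
  if (p.pre) return "prerelease";                   // canary/rc builds: review by hand
  if (!(p.minor in PATCHED_FLOOR)) {
    return p.minor > 2 ? "patched" : "out-of-scope"; // assumption: 19.3+ shipped with the fix
  }
  return p.patch >= PATCHED_FLOOR[p.minor] ? "patched" : "vulnerable";
}

// Walk the lockfile "packages" map. Keys look like "node_modules/react" or, for
// nested duplicate copies, "node_modules/some-dep/node_modules/react"; the "" key
// is the root project and is skipped.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path) continue;
    const name = path.split("node_modules/").pop();
    if (!isReactPackage(name)) continue;
    findings.push({ path, name, version: entry.version, status: classify(entry.version) });
  }
  return findings;
}

function vulnerableFindings(lock) {
  return auditLockfile(lock).filter((f) => f.status === "vulnerable");
}

// Constructed sample lockfile: a nested duplicate of react is included because
// hoisting is not guaranteed and a vulnerable copy can hide under another package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.1.1" },
    "node_modules/react-dom": { version: "19.1.2" },
    "node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/legacy-widget/node_modules/react": { version: "18.3.1" },
  },
};

// Stand-alone usage: print every finding and exit non-zero if anything is vulnerable.
if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditLockfile(SAMPLE_LOCK)) {
    console.log(`${f.status.padEnd(12)} ${f.version.padEnd(8)} ${f.path}`);
  }
  process.exitCode = vulnerableFindings(SAMPLE_LOCK).length ? 1 : 0;
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the non-zero exit code makes it usable as a CI gate. Note that a lockfile audit confirms what is declared, not what is deployed: a build that was produced before the lockfile was updated still needs to be redeployed, which is exactly the window the article's crypto-mining incident fell into.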