Detecting React2Shell: The maximum-severity RCE vulnerability affecting React Server Components and Next.js
Blog post from Sysdig
A critical vulnerability known as "React2Shell" (CVE-2025-55182) has been discovered in React Server Components (RSCs). It allows unauthenticated remote code execution (RCE) and carries the maximum CVSS score of 10.0. The flaw, which affects versions 19.0.0 to 19.2.0 of the react-server-dom packages, stems from unsafe deserialization in the RSC "Flight" protocol and lets threat actors execute arbitrary server-side code through a crafted HTTP request. Next.js and other frameworks, including React Router, Waku, Parcel RSC, and Vite RSC, are affected. Public proof-of-concept exploits demonstrate success rates of nearly 100% against default configurations, which makes this vulnerability a prime candidate for mass exploitation. The Sysdig Threat Research Team has developed a Falco detection rule that identifies exploitation attempts, recommends immediate patching to fixed versions of React and Next.js, and advises deploying runtime threat detection and web application firewall (WAF) rules as temporary mitigations. Although some public PoCs have misrepresented the vulnerability's exploitability, organizations are urged to update affected packages promptly to mitigate the significant security risk posed by React2Shell.