RSC — CVE-2025-55182

CVE-2025-55182 ("React2Shell") is a critical remote code execution vulnerability affecting React Server Components (RSC), specifically versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. The flaw arises from unsafe deserialization of client-supplied payloads, which can allow an attacker to execute arbitrary code on the server without authentication. Even applications that make only minimal use of RSC may be affected if they expose server functions.

Exploitation can lead to full server compromise, including complete loss of confidentiality, integrity, and availability.

CVSS 3.1 Score: 10.0
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

The flaw is not limited to the core React Server Components packages (react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack) but also affects frameworks and libraries that bundle RSC functionality. Notably, Next.js App Router versions >=14.3.0-canary.77, >=15, and >=16 are impacted. This Next.js-specific issue has been assigned CVE-2025-66478 (CVSS score: 10.0), with patched releases now available. Other affected ecosystems include Vite RSC plugin, Parcel RSC plugin, React Router RSC preview, RedwoodJS, and Waku. This highlights the broad potential impact for any application using bundled server components.
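A first step for defenders is an inventory check: which of the RSC packages named above are installed, at which version, including nested copies pulled in by other dependencies. The following is an added example, not code from the advisory or from React; it walks the `packages` map of a lockfileVersion 3 `package-lock.json` (keyed by `node_modules/...` path) and flags the exact package/version pairs the advisory lists. The lockfile content embedded below is constructed for the example, and the check is limited to the three core RSC packages; the Next.js ranges are not modelled here.

```javascript
// Added example (not from the advisory or React): flag affected RSC package
// versions in a package-lock.json (lockfileVersion 3 shape).

// Package names and versions exactly as listed in the advisory.
const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);
const AFFECTED_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);

// Derive the package name from a lockfile path such as
// "node_modules/some-lib/node_modules/react-server-dom-parcel" (nested copy)
// or "node_modules/@scope/pkg" (scoped package). The root entry "" and
// workspace paths without node_modules yield null.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  if (idx === -1) return null;
  return lockPath.slice(idx + marker.length);
}

// Return every installed copy of an affected package at an affected version.
function findAffectedRscPackages(lockfile) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lockfile.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || !AFFECTED_PACKAGES.has(name)) continue;
    if (AFFECTED_VERSIONS.has(entry.version)) {
      findings.push({ name, version: entry.version, path: lockPath });
    }
  }
  return findings;
}

// Constructed lockfile for the example. The "19.2.1" entry is only a
// constructed version string that is not on the advisory's list; whether any
// given release is actually fixed must be checked against the vendor advisory.
const constructedLockfile = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-lib/node_modules/react-server-dom-parcel": { version: "19.1.1" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.1" },
  },
};

// Usage (reads a real lockfile when run as a script):
//   node check-rsc.js ./package-lock.json
if (typeof require !== "undefined" && require.main === module && process.argv[2]) {
  const fs = require("fs");
  const lock = JSON.parse(fs.readFileSync(process.argv[2], "utf8"));
  console.log(JSON.stringify(findAffectedRscPackages(lock), null, 2));
}
```

Nested copies matter: a transitive dependency can carry its own `react-server-dom-*` under a deeper `node_modules` directory, which a top-level `package.json` check would miss, so the scan keys on the last `node_modules/` segment rather than on the top-level dependency list.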

Root cause

In requireModule(), exports were accessed via bracket notation without a hasOwnProperty check, so a client-supplied export name could resolve through the prototype chain rather than only to the module's own exports. The snippet below shows the lookup with the hasOwnProperty guard in place:

```javascript
export function requireModule<T>(metadata: ClientReference<T>): T {
  const moduleExports = parcelRequire(metadata[ID]);
  if (hasOwnProperty.call(moduleExports, metadata[NAME])) {
    return moduleExports[metadata[NAME]];
  }
  return (undefined: any);
}
```
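To see why the guard matters, the following added example (not code from the advisory or from React) contrasts an unguarded bracket lookup with an own-property-checked lookup on a constructed stand-in for a bundler's module exports table. Bundler export tables are ordinary objects inheriting from `Object.prototype`, so a name such as `"constructor"` or `"toString"` resolves to an inherited function even though the module never exported it; the guarded version returns `undefined` for such names. The `classifyExportName` helper is an assumption added for logging and detection, not part of any React API.

```javascript
// Added example (not from the advisory or React): unguarded vs. guarded
// export lookup on a plain-object exports table.
const hasOwnProperty = Object.prototype.hasOwnProperty;

// Constructed stand-in for what parcelRequire()/webpack would hand back.
const sampleExports = { greet: () => "hello", default: () => "main" };

// Unguarded lookup: bracket access with no own-property check. Any name that
// exists on the prototype chain resolves to the inherited value.
function unguardedLookup(moduleExports, name) {
  return moduleExports[name];
}

// Guarded lookup: same shape as the patched requireModule() above. Only the
// module's own exports are reachable; inherited names yield undefined.
function guardedLookup(moduleExports, name) {
  if (hasOwnProperty.call(moduleExports, name)) {
    return moduleExports[name];
  }
  return undefined;
}

// Classify a requested export name so a request can be logged or rejected:
//   "own"       -> a real export of the module
//   "inherited" -> resolves only through the prototype chain (suspicious)
//   "missing"   -> resolves to nothing at all
function classifyExportName(moduleExports, name) {
  if (hasOwnProperty.call(moduleExports, name)) return "own";
  if (name in moduleExports) return "inherited";
  return "missing";
}

// Demonstration when run directly.
for (const name of ["greet", "constructor", "toString", "nope"]) {
  console.log(
    name,
    "unguarded:", typeof unguardedLookup(sampleExports, name),
    "guarded:", typeof guardedLookup(sampleExports, name),
    "class:", classifyExportName(sampleExports, name)
  );
}
```

An equivalent defence on the data-structure side is to build lookup tables with `Object.create(null)` so there is no prototype to traverse; the own-property check is the right fix when, as here, the table is produced by the bundler and its shape is not under the framework's control.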

POC || GTFO

To test this vulnerability, a development environment using Docker is available on GitHub.

```bash
kiot :: ~/react2shell » docker compose build
kiot :: ~/react2shell » docker compose up -d
```

Disclaimer

All content published on exploit.se is intended strictly for educational and informational purposes. Research is conducted responsibly under coordinated disclosure principles.

Techniques, tools, and writeups shared on this site are meant to advance the security community's understanding of vulnerabilities and defences. They are not intended to encourage or enable unauthorised access to any system.

The author bears no responsibility for any misuse of information presented here.
