RSC - CVE-2025-55182

CVE-2025-55182 ("React2Shell") is a critical remote code execution vulnerability affecting React Server Components (RSC), specifically versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. The flaw arises from unsafe deserialization of client-supplied payloads, which can allow an attacker to execute arbitrary code on the server without authentication. Even applications with minimal RSC usage may be affected if they expose server functions.

Exploitation can lead to full server compromise, including complete loss of confidentiality, integrity, and availability.

CVSS 3.1 Score: 10.0
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

The flaw is not limited to the core React Server Components packages (react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack) but also affects frameworks and libraries that bundle RSC functionality. Notably, Next.js App Router versions >=14.3.0-canary.77, >=15, and >=16 are impacted. This Next.js-specific issue has been assigned CVE-2025-66478 (CVSS score: 10.0), with patched releases now available. Other affected ecosystems include Vite RSC plugin, Parcel RSC plugin, React Router RSC preview, RedwoodJS, and Waku. This highlights the broad potential impact for any application using bundled server components.

Root cause

In requireModule(), exports are accessed via bracket notation without a hasOwnProperty check, so a name that is not an own export of the module can still resolve through the object's prototype chain:

@@ -78,7 +80,10 @@ export function preloadModule<T>(
 
 export function requireModule<T>(metadata: ClientReference<T>): T {
   const moduleExports = parcelRequire(metadata[ID]);
-  return moduleExports[metadata[NAME]];
+  if (hasOwnProperty.call(moduleExports, metadata[NAME])) {
+    return moduleExports[metadata[NAME]];
+  }
+  return (undefined: any);
 }
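Review bot: the guard relies on a `hasOwnProperty` binding that is not visible in this hunk; the header offset (`-78` vs `+80`) indicates lines were added earlier in the file, so confirm it is bound to `Object.prototype.hasOwnProperty` (or `Object.hasOwn`) rather than looked up on `moduleExports`, since a module could export a member named `hasOwnProperty` that shadows the method. Also, `return (undefined: any);` makes a failed lookup indistinguishable from a module that genuinely exports `undefined`; throwing a descriptive error for a name that is not an own export would surface misconfigured or unexpected references loudly in server logs instead of silently.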

Source code here.
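To make the root cause concrete, here is an added illustration (not React's code and not from the linked source) that places the unguarded lookup from the diff beside the guarded one and runs both against a constructed module-exports object. The names `requireModuleUnsafe`, `requireModuleGuarded`, `loadModule`, `registry` and `resolveBoth` are assumptions made for this example; `loadModule` stands in for the bundler's `parcelRequire`.

```javascript
// Added example: unguarded vs. guarded export lookup for a client reference.
// Not React's code; registry/module names below are constructed for illustration.

const hasOwnProperty = Object.prototype.hasOwnProperty;

// Constructed stand-in for a bundler's module registry (parcelRequire in the diff).
// The second export deliberately shadows the name "hasOwnProperty" to show why the
// guard must use Object.prototype.hasOwnProperty.call rather than a method lookup.
const registry = {
  'client-component': { Button: () => 'Button', hasOwnProperty: 'shadowed' },
};

function loadModule(id) {
  const mod = registry[id];
  if (!mod) throw new Error(`unknown module id: ${id}`);
  return mod;
}

// 'Before' form: any property reachable through the prototype chain resolves,
// including inherited ones such as "constructor" or "toString".
function requireModuleUnsafe(metadata) {
  const moduleExports = loadModule(metadata.id);
  return moduleExports[metadata.name];
}

// 'After' form: only names the module itself exports resolve; anything else
// yields undefined, mirroring the patched requireModule() in the diff above.
function requireModuleGuarded(metadata) {
  const moduleExports = loadModule(metadata.id);
  if (hasOwnProperty.call(moduleExports, metadata.name)) {
    return moduleExports[metadata.name];
  }
  return undefined;
}

// Resolve one export name through both versions for side-by-side comparison.
function resolveBoth(name) {
  const metadata = { id: 'client-component', name };
  return {
    unsafe: requireModuleUnsafe(metadata),
    guarded: requireModuleGuarded(metadata),
  };
}

// A module exporting a member named "hasOwnProperty" must still work with the
// guard: .call on the prototype method ignores the shadowing export entirely.
function shadowedLookupIsStillSafe() {
  const value = requireModuleGuarded({ id: 'client-component', name: 'hasOwnProperty' });
  return value === 'shadowed';
}

function main() {
  for (const name of ['Button', 'constructor', 'toString', 'missing']) {
    const r = resolveBoth(name);
    console.log(`${name} -> unsafe: ${typeof r.unsafe} | guarded: ${typeof r.guarded}`);
  }
}

if (typeof require !== 'undefined' && require.main === module) main();
```

Running it shows that `Button` resolves in both versions, `missing` resolves in neither, and the inherited names `constructor` and `toString` resolve to functions only through the unguarded lookup. The own-property guard is the whole of the fix: it makes the set of reachable values exactly the module's own exports, which is the set the bundler intended to expose.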


POC || GTFO

To test this vulnerability I've created a dev environment using Docker. All files are available on my GitHub.
