Critical RSC Bugs in React and Next.js Enable Unauthenticated Remote Code Execution

Source: thehackernews.com/2025/12/c…

A maximum-severity flaw has been disclosed in React Server Components (RSC) that can allow remote code execution. The vulnerability, CVE-2025-55182 — codenamed React2shell — carries a CVSS score of 10.0. According to the React team, it enables unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints.

The React team warns that applications may be vulnerable even if they do not implement Server Function endpoints, as long as they support React Server Components.

Cloud security firm Wiz reports that the issue stems from logical deserialization errors. RSC payloads are processed in an unsafe manner, allowing an attacker to send a specially crafted HTTP request to any Server Function endpoint. When the payload is deserialized, React may execute arbitrary JavaScript code on the server without authentication.

Edward Kiledjian @ekiledjian