React2Shell and related RSC vulnerabilities threat brief: early exploitation activity and threat actor techniques
AI-Generated Summary: This is an automated summary created using AI. For the full details and context, please read the original post.
Critical React2Shell Vulnerability Exploitation and Mitigation
On December 3, 2025, the React Team disclosed a critical Remote Code Execution (RCE) vulnerability, CVE-2025-55182, affecting servers that use the React Server Components (RSC) Flight protocol. The vulnerability, also known as React2Shell, has a CVSS score of 10.0 and allows attackers to inject logic that the server interprets in a privileged context, enabling arbitrary code execution. Threat actors quickly integrated this vulnerability into their scanning and reconnaissance routines, exploiting it at scale.
Key Technical Details and Mitigation
- The vulnerability is caused by an unsafe deserialization flaw in the RSC Flight data-handling logic.
- Exploitation is straightforward, requiring a single, specially crafted HTTP request with no authentication requirement, user interaction, or elevated permissions.
- Cloudflare has deployed new rules across its network, with the default action set to Block, to mitigate the vulnerability. These rules are included in both the Cloudflare Free Managed Ruleset and the standard Cloudflare Managed Ruleset.
Practical Implications for Developers
- Immediately update to the latest version of React Server Components to patch the vulnerability.
- Ensure that unemployed and non-production environments are also updated to prevent potential exploitation.
- Use Cloudflare's managed rulesets to block malicious traffic and protect against exploitation attempts.
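An added example (not from the Cloudflare post or the React project) for the update steps above: a Node.js audit of a parsed npm lockfile that reports every installed RSC package, including dev-only and nested copies. The package names are the published react-server-dom-* packages; the patched-version thresholds and the sample lockfile are constructed placeholders, to be replaced with the values from the React advisory.

```javascript
// Audit a parsed package-lock.json (lockfileVersion 2 or 3) for RSC packages.
const RSC_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];

// PLACEHOLDER thresholds (not real versions): release line -> first patched version.
// Replace with the versions listed in the React advisory before use.
const PATCHED_PLACEHOLDER = { "1.0": "1.0.5", "1.1": "1.1.2" };

// Constructed sample lockfile; version numbers are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/react-server-dom-webpack": { version: "1.0.4" },
    "node_modules/tooling/node_modules/react-server-dom-parcel": { version: "1.1.2", dev: true },
    "node_modules/react-server-dom-turbopack": { version: "2.0.0" },
    "node_modules/react": { version: "1.1.2" },
  },
};

function parseVersion(v) {
  // Ignore pre-release/build suffixes; compare major.minor.patch only.
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function auditLockfile(lock, patched) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/<name>"; keep the last segment.
    const name = path.split("node_modules/").pop();
    if (!RSC_PACKAGES.includes(name)) continue;
    const have = parseVersion(meta.version || "");
    const min = have && parseVersion(patched[`${have[0]}.${have[1]}`] || "");
    let status;
    if (!have || !min) status = "unknown"; // no threshold known for this release line
    else status = have[2] >= min[2] ? "patched" : "vulnerable";
    findings.push({ path, name, version: meta.version, dev: !!meta.dev, status });
  }
  return findings;
}

console.log(auditLockfile(SAMPLE_LOCK, PATCHED_PLACEHOLDER));
```

Run it against the `JSON.parse`d lockfile of every environment, not only production; an "unknown" status means the installed release line has no threshold in the table and needs a manual check against the advisory.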
Additional Vulnerabilities and Mitigation
Two additional vulnerabilities affecting specific RSC implementations were disclosed: CVE-2025-55183 and CVE-2025-55184. While distinct from React2Shell, these vulnerabilities also relate to RSC payload handling and Server Function semantics. Cloudflare has deployed additional protections to mitigate these vulnerabilities, which are detailed in the Cloudflare documentation.