Editorial coverage · CVE-2025-55182
The endpoint nobody created.
React's Flight deserializer trusted that payloads came from React clients because the wire format was proprietary. Proprietary is not authentication. Every Next.js App Router project generated since 13.4 shipped with a server-side endpoint the developer never explicitly chose to expose — implicit attack surface, deserializer trust, and a 200-byte POST that landed pre-auth code execution at CVSS 10.0.
What we say
The deserializer trusted that the payload came from React.
That sentence is the entire vulnerability. React Server Components send
a serialized UI description from server to browser over a wire format
called Flight — a proprietary, React-specific encoding for streams of
component output, function references, and promise chunks. Server
Functions accept POSTs in the same format, deserialize the payload on
the server, and execute the request with full Node.js privileges. The
Flight deserializer was written under the assumption that anything
arriving in the Flight wire format was emitted by a trusted React
client somewhere upstream. The assumption is wrong on its face — the
deserializer parses bytes; bytes have no provenance — and the bug is
the moment a crafted Chunk object with a hostile then method
hijacked promise resolution inside the decoder. But the bug is the
mechanism; the assumption is the design.
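The trust point described above, as an added example that is not code from the article or from React: a toy line-oriented chunk decoder whose shape loosely follows the Flight description (chunks, references revived from strings) together with the check a decoder needs before any decoded value is allowed to take part in promise resolution. The wire format, the `ChunkRef` type and both payloads are constructed for this example; `assertResolvable` is the added guard, not a React API.

```javascript
'use strict';
// Added example, not code from the article or from React.

// Why the check matters: `await x` and `Promise.resolve(x)` call `x.then` if it is a
// function. Whoever controls an object that reaches resolution controls that call.
async function resolutionCallsThen() {
  let calls = 0;
  const thenable = { then(resolve) { calls += 1; resolve('from then'); } };
  const result = await Promise.resolve(thenable);   // the runtime invokes thenable.then
  return { calls, result };
}

// The only non-plain type this toy decoder ever constructs: a reference to another
// chunk by id. The decoder, not the payload, decides which object types exist.
class ChunkRef {
  constructor(id) { this.id = id; }
}
const ALLOWED_PROTOTYPES = new Set([null, Object.prototype, Array.prototype, ChunkRef.prototype]);

// Reject anything that is not data the decoder itself produced: functions, objects
// whose prototype the decoder does not create, and anything resolution would treat
// as a promise (a callable `then`, own or inherited, or an own `then` of any kind).
function assertResolvable(value, path = '$') {
  if (typeof value === 'function') throw new TypeError(`${path}: functions are not data`);
  if (value === null || typeof value !== 'object') return value;
  if (!ALLOWED_PROTOTYPES.has(Object.getPrototypeOf(value))) {
    throw new TypeError(`${path}: unexpected object type`);
  }
  if (typeof value.then === 'function' || Object.prototype.hasOwnProperty.call(value, 'then')) {
    throw new TypeError(`${path}: thenable values are not accepted from the wire`);
  }
  for (const [key, child] of Object.entries(value)) assertResolvable(child, `${path}.${key}`);
  return value;
}

// Constructed wire format: one chunk per line, `<id>:<json>`. Strings of the form
// "$<id>" are revived into ChunkRef objects by the decoder.
function decodeChunks(text) {
  const chunks = new Map();
  for (const line of text.split('\n')) {
    if (line === '') continue;
    const sep = line.indexOf(':');
    if (sep < 1) throw new SyntaxError(`malformed chunk line: ${line}`);
    const id = line.slice(0, sep);
    const value = JSON.parse(line.slice(sep + 1), (_key, v) =>
      typeof v === 'string' && v.startsWith('$') ? new ChunkRef(v.slice(1)) : v);
    chunks.set(id, assertResolvable(value, `chunk ${id}`));   // guard before storing
  }
  return chunks;
}

// Resolve a chunk, following top-level references. Safe to await only because
// decodeChunks guaranteed that nothing stored here carries a `then`.
async function resolveChunk(chunks, id, depth = 0) {
  if (depth > 32) throw new RangeError('reference cycle');
  const value = chunks.get(id);
  if (value === undefined) throw new ReferenceError(`no chunk ${id}`);
  if (value instanceof ChunkRef) return resolveChunk(chunks, value.id, depth + 1);
  return value;
}

// Constructed payloads: a benign one and one that smuggles an own `then` property.
const BENIGN = '0:{"title":"Orders","rows":"$1"}\n1:[{"sku":"A1","qty":2}]\n2:"$1"\n';
const HOSTILE = '0:{"title":"Orders","then":{"$":"anything"}}\n';

// Returns 'ok' or the name of the error class the decoder raised.
function decodeOrError(text) {
  try { decodeChunks(text); return 'ok'; } catch (e) { return e.constructor.name; }
}
```

The point of the guard is the allowlist: plain JSON can never carry a function, so the risk appears exactly where a decoder revives tagged values into richer objects, and the check has to run over the reconstructed tree, not the raw text. Rejecting an own `then` even when it is not callable keeps the wire format from ever naming that property.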
This is the same trust-assumption shape we have written about on
perimeter equipment. FortiOS’s CVE-2024-55591 trusted that requests to
/ws/cli/ were localhost-originated because the WebSocket proxy was
inside the management plane. SAP NetWeaver’s CVE-2025-31324 trusted
that callers of the Visual Composer deployment endpoint were
authenticated developers because the developer tier was behind the
portal. SharePoint’s CVE-2025-49706 trusted that requests to ToolPane
came from a logged-in user because the Referer header pointed at
SignOut.aspx. In each case the runtime could not verify the property
the authentication design treated as load-bearing. React2Shell applies
the same shape to a framework-default endpoint: the runtime cannot
verify that bytes in the Flight format were emitted by a React client,
because nothing about the bytes carries that property. Proprietary is
not authentication.
The framework-default question is the part that makes this CVE
operationally different from the perimeter cases. A FortiGate is an
appliance an operator chose to deploy at a specific network boundary,
and the management plane the auth bypass landed against is a surface
the operator explicitly enabled. The Flight endpoint that CVE-2025-55182
exploits is not like that. Every project created with create-next-app
since version 13.4 ships with App Router enabled. The Flight endpoint
is implicitly active. There is no Server Function declaration to grep
for; there is no route the developer wrote down. The application has
server-side attack surface because the framework made server-side
rendering the default, and the development team adopted the default
because the framework documentation recommended it. Nobody on the team
explicitly decided to expose a deserialization endpoint to the public
internet. The endpoint exists anyway.
Shadowserver counted 137,200-plus internet-exposed IPs running vulnerable code on December 11, 2025. Wiz reported 39 percent of analyzed cloud environments contained vulnerable versions. Those numbers are not measurements of how many teams made bad choices; they are measurements of how many teams followed the framework’s documented path. The exploitation tempo confirmed that the attack surface was worth the cost to weaponize: Weaxor ransomware deployment within one minute of initial access on December 5 (the same day CISA added the CVE to KEV), 35,000-plus daily exploitation attempts by December 10 per Kaspersky telemetry, Earth Lamia and Jackpot Panda harvesting cloud credentials, opportunistic mass-scanning across the Next.js host space within 72 hours. The companion field note carries the timeline, the indicators, the patching mechanics, and the fleet-rebuild problem in full.
The narrow remediation is the one Vercel’s bulletin describes: run
npx fix-react2shell-next --fix, accept the lockfile churn, rebuild,
redeploy, rotate secrets if logs show the Flight endpoint was hit
during the exposure window. The tooling is good. The disclosure
turnaround was fast. The vendor response is, in operator terms, the
best version of how this kind of disclosure can go. The wider lesson
is not about React or Vercel or Meta Bug Bounty’s intake speed. It is
that framework defaults create attack surface the development team did
not enumerate, the security team did not threat-model, and the
compliance program did not carry in any inventory. The pattern recurs:
Spring Framework’s default-enabled binding behavior created Spring4Shell
in 2022; the Java deserialization era created server-side endpoints
that ORMs and message buses implicitly exposed. Each generation of
framework adds another layer at which a default decision somebody made
years ago becomes the attack surface somebody else inherits today. The
CVSS column rates the bug; the framework-default column does not exist
on the rate sheet. Until it does, the next default-on surface will
read the same way as this one.
What NVD says
CWE-502 — deserialization of untrusted data. CVSS 3.1 base 10.0 Critical, vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. The Flight protocol in React's server-rendering packages (`react-server-dom-webpack`, `react-server-dom-parcel`, `react-server-dom-turbopack` versions 19.0.0 through 19.2.0) and the App Router endpoint in Next.js (15.0.0–15.5.7, 16.0.0–16.0.6) deserialize attacker-controlled payloads in a way that permits remote code execution without authentication. NVD names the bug class and the affected packages. The record carries no field for the design assumption the deserializer rested on — that the proprietary Flight wire format would only ever be produced by a trusted React client. The score is the same whether the bug is a missed validation step or a structural framework-default trust failure; for an operator the difference determines whether the attack surface was ever explicitly approved by anyone on the team.
What the vendor says
The React team published 'Critical Security Vulnerability in React Server Components' on December 3, 2025 — four days after Lachlan Davidson reported the bug through Meta Bug Bounty. Patched versions are `react-server-dom-*` 19.0.1, 19.1.2, and 19.2.1; Next.js bumped its bundled copies in 15.5.8 and 16.0.7. Vercel published a security bulletin, deployed platform-wide WAF rules in front of hosted apps before public disclosure, and shipped `npx fix-react2shell-next` as a one-command remediation tool that walks workspaces, identifies vulnerable transitive copies, and refreshes lockfiles across npm / yarn / pnpm / bun. The vendor narrative emphasizes the fast disclosure-to-patch turnaround (four days from report) and the tooling quality. It does not name the framework-default question — that every project generated with `create-next-app` since version 13.4 had a publicly reachable Flight endpoint without the developer having to write any Server Function, declare any route, or opt into any server-rendering behavior beyond the App Router default. Microsoft, AWS, Wiz, Datadog, Unit 42, Imperva, and Kaspersky each documented mass exploitation beginning within hours of disclosure; CISA added the CVE to KEV on December 5 with a seven-day federal due date.
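The inventory problem the remediation paragraph and the version lists above describe, as an added example that is not the article's code and not Vercel's `fix-react2shell-next` tool: an offline pre-check that reads an npm `package-lock.json` (v2/v3 format, the only lockfile format it understands) and a listing of project files, reports every installed copy of the Flight packages and of Next.js with the version ranges quoted on this page, and treats the presence of an App Router root layout as the marker of the surface, since there is no Server Function or route to grep for. The sample lockfile and file list are constructed; `auditLockfile`, `usesAppRouter` and `summarize` are names chosen here.

```javascript
'use strict';
// Added example, not the article's code and not the vendor's remediation tool.
// Version ranges are the ones this page quotes from NVD and the React advisory.

const FLIGHT_PACKAGES = ['react-server-dom-webpack', 'react-server-dom-parcel', 'react-server-dom-turbopack'];

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) return null;                             // odd or pre-release string: unknown
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// react-server-dom-*: 19.0.0 through 19.2.0 affected; 19.0.1, 19.1.2, 19.2.1 fixed.
// Returns true/false inside the stated range, null outside it.
function flightVersionVulnerable(v) {
  const p = parseVersion(v);
  if (!p || p.major !== 19) return null;
  const fixedPatch = { 0: 1, 1: 2, 2: 1 }[p.minor];
  if (fixedPatch === undefined) return null;
  return p.patch < fixedPatch;
}

// Next.js: 15.0.0-15.5.7 affected (15.5.8 fixed); 16.0.0-16.0.6 affected (16.0.7 fixed).
function nextVersionVulnerable(v) {
  const p = parseVersion(v);
  if (!p) return null;
  if (p.major === 15) {
    if (p.minor < 5) return true;
    if (p.minor === 5) return p.patch < 8;
    return null;
  }
  if (p.major === 16) return p.minor === 0 ? p.patch < 7 : null;
  return null;
}

// package-lock.json v2/v3 lists every installed copy under "packages", keyed by its
// on-disk path, so nested duplicates appear as node_modules/a/node_modules/b.
function auditLockfile(lockText) {
  const lock = JSON.parse(lockText);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue;                     // the root project entry
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    let vulnerable;
    if (FLIGHT_PACKAGES.includes(name)) vulnerable = flightVersionVulnerable(entry.version);
    else if (name === 'next') vulnerable = nextVersionVulnerable(entry.version);
    else continue;
    findings.push({ path, name, version: entry.version, vulnerable });
  }
  return findings;
}

// App Router is present when a root layout exists under app/ or src/app/; that file,
// not any Server Function declaration, is what marks the implicit surface.
function usesAppRouter(filePaths) {
  return filePaths.some(f => /^(src\/)?app\/layout\.(js|jsx|ts|tsx)$/.test(f));
}

function summarize(lockText, filePaths) {
  const vulnerableCopies = auditLockfile(lockText).filter(f => f.vulnerable === true);
  const appRouter = usesAppRouter(filePaths);
  return {
    appRouter,
    vulnerableCopies: vulnerableCopies.map(f => `${f.path}@${f.version}`),
    exposed: appRouter && vulnerableCopies.length > 0,
  };
}

// Constructed sample: a patched top-level Next.js that still carries a nested,
// unpatched transitive copy of a Flight package under a UI dependency.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    '': { name: 'storefront' },
    'node_modules/next': { version: '16.0.7' },
    'node_modules/react-server-dom-webpack': { version: '19.2.1' },
    'node_modules/some-ui-kit': { version: '2.3.0' },
    'node_modules/some-ui-kit/node_modules/react-server-dom-webpack': { version: '19.1.1' },
  },
});
const SAMPLE_FILES = ['package.json', 'src/app/layout.tsx', 'src/app/page.tsx'];
```

Feed `summarize` the text of a real `package-lock.json` and a file listing of the repository to get the same report for a project. Two caveats: Next.js also ships its own bundled copies of the Flight packages inside its package, which a lockfile does not list, so the `next` version line matters on its own; and yarn, pnpm and bun lockfiles use other formats, which is part of why the vendor's tool, not a script like this, is the authoritative check.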
Compliance impact
- PCI DSS
  - Requirement 12.5.1 of PCI DSS v4.0 requires a documented inventory of in-scope system components, including software and the network functions they expose. Requirement 6.2 requires that custom software be developed securely, with secure coding practices applied to deserialization, input validation, and output handling. A Next.js App Router deployment that backs an e-commerce checkout flow, account-management portal, or any page that handles cardholder data is in PCI scope as a system component. The Flight endpoint that CVE-2025-55182 exploits was implicitly active on every such deployment without appearing in any inventory the team wrote down — there was no explicit Server Function, no route declared, no configuration that named the deserialization surface. A QSA reading the December 5–10 KEV-deadline window against a Next.js storefront will ask for the inventory delta between the pre-disclosure baseline and the patched build, the WAF-rule deployment evidence (Cloudflare, Palo Alto signatures 96779/96780/96787, Azure WAF), and log evidence the Flight endpoint was not exercised during the exposure window.
- SOC 2
  - SOC 2 Common Criteria CC8.1 (change management) and CC7.2 (monitoring of system components) expect service organizations to evaluate the security implications of changes to system components and to monitor for events that indicate failures of those controls. The framework-default question CC8.1 leaves uncomfortable in this case is whether the decision to adopt Next.js App Router — typically taken because the framework's documentation recommends it for new projects — was reviewed against the security implications of enabling server-side React rendering with a deserialization surface. For most teams it was not; App Router was the documented default and the security implications were not part of the framework's adoption narrative. A SOC 2 auditor evaluating CC8.1 in the December–April period (with mass exploitation documented by Microsoft, AWS, GreyNoise, and Datadog) will want to see the change-management record for the App Router adoption decision and the monitoring evidence that the Flight endpoint was not exploited prior to remediation. CC6.1's logical-access controls also surface here: the deserialization happened before any application-layer authentication ran, and 'pre-auth' is the property the audit narrative depends on having been understood when the framework was adopted.
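The log-evidence question raised by the remediation paragraph (rotate secrets if the Flight endpoint was hit during the exposure window) and by both compliance items above, as an added example that is not from the article or from any vendor's guidance. It assumes structured access logs that record the timestamp, source IP, method and the `Next-Action` request header, which Next.js clients send when they invoke a Server Function; whether a given logging pipeline keeps that header is an assumption. It also assumes the set of action ids the build can serve is available (Next.js writes the compiled action ids into its build output; a constructed set stands in for it here). The log lines, ids and window are constructed sample input, and `triage` is a name chosen here.

```javascript
'use strict';
// Added example, not from the article or any vendor playbook. Exposure-window triage
// over structured access logs: was the Server Function endpoint exercised between
// disclosure and the patched deploy, and by requests a shipped client could have sent?

// Action ids compiled into this build (constructed stand-in for the build's manifest).
const KNOWN_ACTION_IDS = new Set(['7c1e0f3a9b2d4e5f', '0d9a8b7c6e5f4a3b']);

// A Server Function invocation is a POST carrying the Next-Action header.
function isServerFunctionCall(rec) {
  return rec.method === 'POST' && typeof rec.headers?.['next-action'] === 'string';
}

function triage(logLines, { windowStart, windowEnd, knownActionIds = KNOWN_ACTION_IDS }) {
  const start = Date.parse(windowStart);
  const end = Date.parse(windowEnd);
  const summary = { parsed: 0, callsInWindow: 0, unknownActionCalls: [], sourcesToReview: new Set() };
  for (const line of logLines) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; }        // skip malformed lines
    if (!rec || typeof rec !== 'object') continue;
    summary.parsed += 1;
    if (!isServerFunctionCall(rec)) continue;
    const t = Date.parse(rec.ts);
    if (Number.isNaN(t) || t < start || t > end) continue;    // outside the exposure window
    summary.callsInWindow += 1;
    summary.sourcesToReview.add(rec.ip);
    const actionId = rec.headers['next-action'];
    if (!knownActionIds.has(actionId)) {
      // No shipped client could have produced an id the build does not contain.
      summary.unknownActionCalls.push({ ts: rec.ts, ip: rec.ip, path: rec.path, actionId, status: rec.status, bytes: rec.bytes });
    }
  }
  summary.sourcesToReview = [...summary.sourcesToReview].sort();
  // Any call in the window means the endpoint was reachable and used; the article's
  // guidance is to rotate secrets on that evidence alone, and unknown ids are the
  // subset that warrants incident handling rather than just rotation.
  summary.rotateSecrets = summary.callsInWindow > 0;
  return summary;
}

// Constructed sample log: one JSON record per line, header names lower-cased as
// most proxies and application loggers emit them.
const SAMPLE_LOG = [
  '{"ts":"2025-12-02T18:04:11Z","ip":"203.0.113.7","method":"POST","path":"/account","status":200,"bytes":412,"headers":{"next-action":"7c1e0f3a9b2d4e5f"}}',
  '{"ts":"2025-12-03T21:17:45Z","ip":"203.0.113.7","method":"POST","path":"/account","status":200,"bytes":398,"headers":{"next-action":"7c1e0f3a9b2d4e5f"}}',
  '{"ts":"2025-12-04T03:02:09Z","ip":"198.51.100.23","method":"POST","path":"/","status":500,"bytes":203,"headers":{"next-action":"ffffffffffffffff"}}',
  '{"ts":"2025-12-04T03:02:10Z","ip":"198.51.100.23","method":"GET","path":"/","status":200,"bytes":0,"headers":{"rsc":"1"}}',
  'not json at all',
  '{"ts":"2025-12-07T10:30:00Z","ip":"203.0.113.9","method":"POST","path":"/checkout","status":200,"bytes":512,"headers":{"next-action":"0d9a8b7c6e5f4a3b"}}',
];
// Constructed window: public disclosure to the time the patched build went live.
const SAMPLE_WINDOW = { windowStart: '2025-12-03T00:00:00Z', windowEnd: '2025-12-06T09:00:00Z' };
```

Run `triage(SAMPLE_LOG, SAMPLE_WINDOW)` to get the counts, the source addresses to review and the calls whose action id the build never contained. The window end is the patched deploy time for each host, not the advisory date, so a fleet with staggered rebuilds needs one window per host; the source list is what goes to the SOC, and `rotateSecrets` is the yes/no the remediation paragraph asks for.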
Sources
- NVD — CVE-2025-55182
- React.dev — Critical Security Vulnerability in React Server Components
- Vercel — React2Shell Security Bulletin
- Vercel Labs — fix-react2shell-next (GitHub)
- Unit 42 — Exploitation of CVE-2025-55182
- Microsoft Security Blog — Defending against React2Shell
- Wiz — Critical Vulnerability in React
- GreyNoise — Opportunistic Exploitation in the Wild
- CISA Known Exploited Vulnerabilities Catalog
Every source on this list has been read by the editorial team. We do not cite something we have not opened.