Mohammad Qasemi

Blog

  • Security disaster in React and Next.js: How a simple bug left millions of servers defenseless against attackers

    Security disaster in React and Next.js: How a simple bug left millions of servers defenseless against attackers

    In recent years, the rapid growth of front-end frameworks and the shift of a significant portion of application logic toward hybrid server–client architectures have expanded the attack surface more than ever before. Today, the web is no longer just a medium for displaying data; it is a complex computational layer where any flaw can lead to serious consequences for businesses, cloud infrastructures, and even national security.

    In such an environment, the emergence of a serious vulnerability at the core of the world’s most popular libraries such as React and frameworks like Next.js shows just how sensitive and fragile the software supply chain truly is. A bug that may initially appear to be a minor technical issue limited to a small part of the stack can, in practice, become a pathway for remote code execution, server breaches, and the exposure of data belonging to millions of users.

    The introduction of this article aims to clearly outline the state of security in the modern web ecosystem and explain why incidents like “React2Shell” are not merely passing warnings, but signs of the urgent need to rethink how we design, use, and configure the technologies on which the future of the web is being built.

    What is React2Shell? A brief introduction to the vulnerability and why it matters

    React2Shell is the name the security community has adopted to refer to a set of critical vulnerabilities in React Server Components flaws that allow an attacker to execute arbitrary code on the server without needing authentication. The issue originates from the component responsible for processing and reinterpreting the data exchanged between the server and the client. In vulnerable versions, incoming data is not properly validated or isolated before use, creating an opportunity for code injection and execution.

    The importance of this vulnerability is notable from several angles. First, React and frameworks built on top of it such as Next.js are used extensively on a global scale, meaning any flaw at this level exposes a vast range of services to serious risk. Second, this bug is not limited to applications that explicitly rely on advanced RSC features; the mere presence of vulnerable packages in the project’s dependency chain is enough to activate the attack surface. Third, the nature of this flaw allows attackers to launch remote, unauthenticated attacks drastically increasing both the speed of exploitation and potential damage.

    Because of these characteristics, React2Shell is not an ordinary bug but an example of a foundational vulnerability capable of affecting a wide ecosystem of tools, services, and web applications. It illustrates that in modern architectures, increased complexity does not necessarily mean increased security and even a seemingly minor issue in an overlooked layer can escalate into a major crisis.

    Root Cause: The Critical Flaw in React Server Components (RSC)

    The root of the React2Shell vulnerability lies in the way data is implemented and managed within React Server Components a feature intended to make the boundary between server and client logic clearer and more efficient, but which in practice became a sensitive and vulnerable point. RSC uses a structure known as the Flight protocol to transfer data between the server and the browser. In vulnerable versions, this protocol does not perform sufficient validation or isolation when “re-reading” incoming data from the client, and this weakness allows an attacker’s manipulated inputs to be processed as legitimate data.

    At its core, the issue is a flaw in the deserialization process the stage where raw data is converted into a usable object or function. While this step may appear to be a purely internal technical process, in vulnerable versions of RSC it enables attackers to craft a data payload that ultimately results in code execution on the server. Because Server Components inherently operate on the server, this attack path grants direct access to the server layer, not merely the user interface or client layer.

    What makes this even more critical is that RSC is inherently complex, with parts of it having been developed experimentally and still evolving. This complexity combined with the absence of strict security controls created a situation where a flaw in such a foundational layer could impact millions of projects. The root of this bug highlights a broader lesson: even features designed to improve performance and scalability can become serious points of failure when they evolve without a security-first architectural mindset.

    How Next.js Was Affected: Examining the CVE-2025-66478 Vulnerability

    Next.js, as one of the most popular React-based frameworks, particularly in implementing the App Router architecture and React Server Components, was directly affected by the CVE-2025-66478 vulnerability. This flaw occurs during the deserialization of input data to Server Functions, where client inputs are processed without sufficient validation, enabling attackers to execute arbitrary code on the server.

    In vulnerable versions of Next.js, advanced features such as server-side rendering (SSR) and RSC designed to improve performance and reduce response times unintentionally expose a wide level of access to the server layer. An attacker can send a manipulated payload to gain limited but dangerous control over the server, potentially exposing sensitive information, tokens, or even database data.

    From a security perspective, this issue is particularly significant because over 39% of cloud environments and Next.js projects may be affected, especially those using default RSC and App Router settings. Moreover, the combination of this vulnerability with Next.js’s automated deployment and caching capabilities can accelerate attack propagation, simultaneously threatening both development and production environments.

    As a result, addressing CVE-2025-66478 not only requires updating vulnerable packages and dependencies but also calls for a thorough review of architecture and validation processes in Server Components to prevent similar threats in the future.

    Why Is This Bug So Dangerous? From Remote Code Execution to Authentication Free Intrusion

    The danger of the React2Shell vulnerability goes far beyond a simple technical flaw; the issue is that this weakness effectively erases the boundary between the user and the server. In many web attacks, an attacker typically needs authentication, initial access, or a chain of multiple vulnerabilities to break in. But in this case, the flaw appears in a layer that directly interacts with server‑side data processing. This means that even a minimally manipulated input can lead to the execution of malicious code on the server.

    The first reason this bug is so dangerous is its potential for remote code execution (RCE) without any form of authentication. With just a crafted payload, an attacker can take control of internal server processes. This level of access can lead to exposure of sensitive information, modification or deletion of data, insertion of backdoors, and even lateral movement to other services.

    The second major factor is the enormous ecosystem affected. React and Next.js are used in millions of projects, cloud services, SaaS products, and internal company systems. Since RSC is part of the default architecture in many newer versions, the mere presence of vulnerable packages in a project’s dependency chain is enough for attackers to exploit it even if the developer is not explicitly using RSC features.

    Third, the automated and network‑based nature of this attack enables widespread exploitation. Malicious bots and scanners can target thousands of sites within minutes and test the vulnerability with a single request. Reports indicate that organized groups and state‑affiliated actors have also rapidly exploited this bug, significantly amplifying the severity of the threat.

    Ultimately, the core danger of this vulnerability is that the attacker needs no user interaction, no initial foothold, and no bypass of typical firewalls. A flaw deep in the architecture allows the attack to be carried out with minimal effort and maximum impact a combination that turns a “technical issue” into a “security crisis.”

    Scope of Impact: Which Versions and Projects Are at Risk?

    The scope of React2Shell’s impact is extensive, affecting nearly all projects using vulnerable versions of React Server Components. Specifically affected versions include React 19.0, 19.1.0, 19.1.1, and 19.2.0, as well as associated packages such as react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack.

    From the Next.js perspective, versions 15.x and 16.x with App Router and RSC enabled are also considered vulnerable. Even projects that do not directly use Server Components may be at risk through dependencies on these packages, since many React-related libraries and tools include vulnerable packages in their dependency chains.

    In other words, the impact is not limited to small or experimental projects; commercial websites, cloud services, and large enterprise applications are all potentially at risk if they use vulnerable versions. This broad exposure, combined with the ability to exploit the vulnerability without authentication, has made React2Shell one of the most dangerous web vulnerabilities in recent times.

    Attack Wave: From Organized Threat Groups to Automated Bot Scans

    With the disclosure of the React2Shell vulnerability, attacks against vulnerable projects are rapidly spreading. Organized threat groups and cyber actors with substantial resources—including some affiliated with state-backed entities—have quickly begun exploiting this bug to gain control over vulnerable servers. These attacks typically involve sending complex payloads to execute remote code and exfiltrate sensitive data.

    In addition, the bot and automated script community has started scanning millions of websites to identify vulnerable versions. These bots can automatically detect React and Next.js servers and inject malicious payloads, even without authentication or prior server access. The combination of organized threat activity and automated scanning has caused this vulnerability to quickly become widespread globally, posing a serious threat to cloud projects, SaaS services, and large websites.

    Due to this attack wave, developers and system administrators must immediately update vulnerable packages and implement temporary security measures, such as restricting access to Server Functions and using a Web Application Firewall (WAF), to prevent widespread exploitation.

    Immediate Actions: How to Secure React and Next.js Projects

    Immediate Actions to Secure React and Next.js Projects Against React2Shell

    Protecting React and Next.js projects from the React2Shell vulnerability involves several critical steps that should be implemented simultaneously:

    1. Update Packages to Secure Versions
      • React: Upgrade to versions 19.0.1, 19.1.2, or 19.2.1, where the vulnerability has been fixed.
      • Server Components packages: react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack should be updated to the latest secure versions.
      • Next.js: Upgrade to versions beyond 15.x and 16.x that include the patch for CVE-2025-66478.
    2. Review and Restrict Server Functions
      • Audit all points where Server Components receive input from the client, and apply strict validation and restrictions.
      • Disable or limit RSC and App Router in environments where immediate upgrades are not possible.
    3. Implement Temporary Security Measures
      • Deploy a Web Application Firewall (WAF) to block suspicious payloads.
      • Restrict network access to RSC servers and Server Functions, especially from unknown sources.
    4. Audit Dependencies and Software Supply Chain
      • Ensure no secondary packages that use RSC are included in the project.
      • Use automated scanning tools to identify vulnerable libraries.
    5. Monitoring and Rapid Response
      • Enable logging and monitoring for all requests to Server Functions to detect attack attempts.
      • Be prepared to respond quickly to suspicious activity, including IP blocking and quarantining affected services.

    These immediate actions can prevent exploitation by attackers and provide the necessary time to implement structural and architectural security improvements across projects.

    Summary: The Future of RSC and Lessons Learned from This Crisis

    Summary and Lessons Learned from the React2Shell Crisis

    The React2Shell crisis highlights the critical need to balance rapid development with robust security in modern web projects:

    1. Security Must Be Built In from the Start
      React Server Components were designed to optimize performance and user experience, but the lack of strict security controls turned a design flaw into a remote code execution vulnerability. This serves as a reminder that every new technology, even those aimed at performance improvements, must be developed with security-first architecture from the outset.
    2. Continuous Updates and Dependency Management Are Essential
      The React2Shell crisis showed that even projects not directly using Server Components can be at risk due to dependencies. Careful dependency management and regular package updates are critical.
    3. Multi-Layered Defensive Measures Are Necessary
      Using WAFs, input validation, access restrictions, and continuous monitoring each provide a layer of protection, helping to prevent the spread of attacks.
    4. RSC and the Future of Server-Driven Web
      This crisis provides an opportunity to rethink RSC design. Developers and security teams must enforce security standards alongside performance improvements, ensuring that future versions of Server Components are both secure and stable.
    5. Preparedness for Rapid Response
      Another key lesson is that organizations must have protocols ready to respond to new vulnerabilities and threats, allowing them to secure projects immediately when critical flaws emerge.

    Ultimately, React2Shell demonstrated that rapid development and innovation without built-in security can lead to a global-scale crisis. However, with secure design, continuous updates, and multi-layered defenses, it is possible to achieve both innovation and protection for projects.

    References Used in This Article

    1. React Official Blog: Critical Security Vulnerability in React Server Components
    2. Wallarm Labs: Exploitation of Remote Code Execution Vulnerability in React Server Components
    3. The Hacker News: Critical RSC Bugs in React and Next.js Allow Unauthenticated Remote Code Execution
    4. SC Magazine: React2Shell bug exploited by China-linked groups, fix briefly disrupts Cloudflare
    5. Cybersecurity Dive: Critical vulnerabilities found in React and Next.js
    6. Unit42 Palo Alto Networks: CVE-2025-55182 and CVE-2025-66478 Analysis
    7. Next.js Official Blog: Security Patch CVE-2025-66478
    8. Cybernews: Chinese hackers exploiting React2Shell vulnerability impacting countless websites
    9. Wiz.io Blog: Critical RCE Vulnerabilities Discovered in React & Next.js

    These sources include official announcements, specialized security analyses, and active attack reports, and they formed the basis for all sections of this article.

    This article’s content and its English translation were generated with the assistance of AI.