
What is the Vulnerability?

React2Shell is a critical unauthenticated RCE vulnerability impacting React Server Components (RSC) and frameworks that implement the Flight protocol, including affected versions of Next.js. A remote attacker can send a specially crafted RSC request that triggers server-side deserialization and arbitrary code execution with no user interaction required.

Exploitation enables full server takeover, installation of backdoors, credential harvesting, and lateral movement. Given the widespread adoption of React/Next.js in production environments, organizations should patch immediately, enforce WAF restrictions on RSC endpoints, and conduct proactive hunts for suspicious Node.js process spawning, abnormal RSC requests, or unexpected outbound connections.

Some circulating PoCs may be incomplete or misleading; treat public PoCs cautiously until they have been validated.

What is the recommended Mitigation?

  • React Server-Side Flight Libraries:

    react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack (specific vulnerable versions are outlined in the vendor advisories).

  • Frameworks Implementing RSC/Flight:

    Frameworks such as Next.js (notably certain versions within the 15–16 range) and other ecosystem frameworks that embed React Server Components (RSC) or Flight functionality.

  • Organizations should review the vendor advisories for complete version details, mitigation steps, and updated guidance.
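As an added example that is not part of this advisory, the Python script below inventories the libraries listed above (the three react-server-dom-* packages and next) from an npm lockfile and flags every installed copy, including nested duplicates, that sits below a fixed-version floor. The floors, the sample lockfile and its version numbers are constructed for the demo and must be replaced with the values from the vendor advisories.

```python
import json
import re

# Packages named above as carrying the vulnerable Flight server code. The
# floors are CONSTRUCTED sample values for this demo, not the real fixed
# versions: take those from the vendor advisories before relying on the output.
SAMPLE_FIXED_FLOORS = {
    "react-server-dom-webpack": "9.9.9",
    "react-server-dom-parcel": "9.9.9",
    "react-server-dom-turbopack": "9.9.9",
    "next": "99.0.0",
}

def parse_semver(version):
    """(major, minor, patch) or None; pre-release/build suffixes are ignored."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version)
    return tuple(int(x) for x in m.groups()) if m else None

def installed_versions(lockfile_text, names):
    """Every installed version of each named package from an npm lockfile
    v2/v3 'packages' map, including nested duplicate copies under other deps."""
    found = {n: set() for n in names}
    for path, meta in json.loads(lockfile_text).get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]  # last node_modules segment
        if name in found and "version" in meta:
            found[name].add(meta["version"])
    return {n: sorted(v) for n, v in found.items() if v}

def audit(lockfile_text, fixed_floors):
    """[(name, version, status)], status in {'below_fix', 'fixed', 'unparsed'}."""
    report = []
    for name, versions in installed_versions(lockfile_text, fixed_floors).items():
        floor = parse_semver(fixed_floors[name])
        for v in versions:
            parsed = parse_semver(v)
            status = ("unparsed" if parsed is None
                      else "fixed" if parsed >= floor else "below_fix")
            report.append((name, v, status))
    return sorted(report)

# Constructed sample lockfile: one copy at the floor, one stale nested duplicate
# that a top-level check would miss, and one local-path entry to review by hand.
SAMPLE_LOCKFILE = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/next": {"version": "15.0.0"},
    "node_modules/react-server-dom-webpack": {"version": "9.9.9"},
    "node_modules/some-lib/node_modules/react-server-dom-webpack": {"version": "1.2.3"},
    "node_modules/react-server-dom-parcel": {"version": "file:../local"},
}})
```

Run `audit(open("package-lock.json").read(), floors)` per application; lockfiles from yarn or pnpm use a different layout and are not parsed here.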

What FortiGuard Coverage is available?