FIND-20260324-016 · 2026-03-24 · Innovation Veille
React2Shell CVE-2025-55182 (CVSS 10.0) — RCE in React Server Components and Next.js, hakluke releases exploit lab
cve
HIGH
CVE-2025-55182, dubbed React2Shell, is a CVSS 10.0 unauthenticated remote code execution vulnerability in React Server Components (RSC) via insecure deserialization of the RSC Flight protocol. A single crafted POST request grants arbitrary Node.js code execution with no authentication required. Security researcher hakluke (@hakluke on X) shared a hands-on exploit lab (react2shell-lab on GitHub) built on Next.js, demonstrating real-world exploitation chains. Affected: react-server-dom 19.0.0–19.2.0, Next.js App Router 14.3.0-canary.77 through 16.0.6. The RondoDox botnet and multiple APT clusters are actively exploiting it in the wild.
Source
https://x.com/hakluke/status/2036111369469108646?s=46
ODS Impact
CRITICAL for ODS Dashboard (Next.js App Router) and any future ODS frontend services using Next.js 15/16 with React Server Components. ODS Dashboard must be audited immediately: check package.json for the react-server-dom and Next.js versions. Patch to react-server-dom 19.0.1/19.1.2/19.2.1 and Next.js 15.2.6+/16.0.7+. The ODS API Gateway (Traefik) does not mitigate this — it passes RSC POST requests through. All Actix-web Rust backends are unaffected (Rust is not Node.js). The react2shell-lab repo by hakluke is a useful red-team resource for verifying ODS Dashboard exposure in staging before patching.
Security Review
License: N/A (CVE advisory) | Maintenance: ACTIVE | Risk: HIGH | Recommendation: DO_NOT_USE
Tags
cve
rce
react
nextjs
server-components
deserialization
critical
owasp
nodejs
ods-dashboard
patch-required
hakluke
exploit-lab
react2shell