{"id":226524,"date":"2025-12-05T00:27:26","date_gmt":"2025-12-05T06:27:26","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2025\/12\/critical-react-next-js-flaw-lets-hackers-execute-code-on-servers"},"modified":"2025-12-05T00:27:26","modified_gmt":"2025-12-05T06:27:26","slug":"critical-react-next-js-flaw-lets-hackers-execute-code-on-servers","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2025\/12\/critical-react-next-js-flaw-lets-hackers-execute-code-on-servers","title":{"rendered":"Critical React, Next.js flaw lets hackers execute code on servers"},"content":{"rendered":"<p><a class=\"aligncenter blog-photo\" href=\"https:\/\/lifeboat.com\/blog.images\/critical-react-next-js-flaw-lets-hackers-execute-code-on-servers.jpg\"><\/a><\/p>\n<p>A maximum severity vulnerability, dubbed \u2018React2Shell\u2019, in the React Server Components (RSC) \u2018Flight\u2019 protocol allows remote code execution without authentication in React and Next.js applications.<\/p>\n<p>The security issue stems from insecure deserialization. It received a severity score of 10\/10 and has been assigned the identifiers CVE-2025\u201355182 for React and CVE-2025\u201366478 (CVE rejected in the National Vulnerability Database) for Next.js.<\/p>\n<p>Security researcher <a href=\"https:\/\/www.linkedin.com\/in\/lachlan-s-davidson\/\" target=\"_blank\" rel=\"nofollow noopener\">Lachlan Davidson<\/a> discovered the flaw and reported it to React on November 29. He found that an attacker could achieve remote code execution (RCE) by sending a specially crafted HTTP request to React Server Function endpoints.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A maximum severity vulnerability, dubbed \u2018React2Shell\u2019, in the React Server Components (RSC) \u2018Flight\u2019 protocol allows remote code execution without authentication in React and Next.js applications. The security issue stems from insecure deserialization. It received a severity score of 10\/10 and has been assigned the identifiers CVE-2025\u201355182 for React and CVE-2025\u201366478 (CVE rejected in the National [\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1492],"tags":[],"class_list":["post-226524","post","type-post","status-publish","format-standard","hentry","category-security"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/226524","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=226524"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/226524\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=226524"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=226524"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=226524"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}