React2Shell Vulnerability: Critical RCE Bug in React Server Components Flight Protocol
By skilldeliver
Summary
The article discusses React2Shell (CVE-2025-55182), a critical remote code execution vulnerability in React Server Components' Flight protocol. The author shares a personal experience of discovering their server had been compromised and turned into a DDoS node, highlighting the dangerous gap between security awareness and actual patching. The vulnerability stems from unsafe deserialization in RSC payload processing, allowing unauthenticated attackers to execute arbitrary code.
Key quotes
On December 9th at 23:20, I got one of those emails you never want to see from your cloud provider.
A harmless little side server had quietly turned into someone else's DDoS node.
That gap between 'security teams know' and 'engineers actually patch' is exactly where we are.
React2Shell (CVE-2025-55182) is a critical, unauthenticated remote code execution bug in React Server Components' 'Flight' protocol.
Under the hood, it's a classic unsafe deserialization problem in how RSC payloads are processed.
