Is My Next.js Application Vulnerable to the React Server Components Exploit Attack?
A critical flaw in React Server Components (CVE-2025-55182) carries the maximum CVSS score of 10.0 and allows attackers to execute code remotely without authentication. Since security researchers at Wiz disclosed the vulnerability on December 3, 2025, exploitation has become widespread, with attack campaigns intensifying after proof-of-concept code became publicly available.
Understanding the React2Shell Vulnerability
React Server Components, a feature of React, the widely used JavaScript library for building web interfaces, contains a critical weakness that permits unauthenticated remote code execution. The React team acknowledged the issue in its official post titled “Critical Security Vulnerability in React Server Components.”
The vulnerability affects applications built with Next.js and React Server Components. Censys identified approximately 2.15 million web-accessible instances using these technologies, but not every deployment is vulnerable: many hosting providers have put protective measures in place for the applications they host.
Current Threat Landscape
Attack activity began on December 4, 2025, when AWS documented targeted exploitation attempts. By 6:00 AM UTC on December 5, 2025, Wiz sensors had detected multiple compromised victims, with attackers focusing primarily on internet-facing Next.js applications and Kubernetes containers.
The Shadowserver Foundation and independent security researchers have confirmed ongoing attack campaigns. According to BleepingComputer’s reporting, 30 organizations have suffered successful breaches, and approximately 77,000 IP addresses remain vulnerable globally; German networks account for 216 potentially exposed IP addresses.
Available Tools and Resources
Security teams have several resources for assessing their exposure. A Python-based React2Shell scanner is available on GitHub, though it should only be run in an isolated environment. Searchlight Cyber has published a technical analysis of the vulnerability’s mechanics. Exercise caution, however: some proof-of-concept projects contain errors, and some scanners distributed online have been found to carry malicious code.
In an unusual development, an unidentified actor has been proactively patching vulnerable websites and leaving warning messages behind, including on sites belonging to institutions such as the Technical University of Munich.
Immediate Action Steps
Organizations running React Server Components or Next.js applications should verify their patch status immediately and contact their hosting provider to confirm whether protective measures are in place. Provider-level mitigations reduce exposure but do not replace upgrading the affected packages. Review server logs for suspicious activity from December 4, 2025 onward, isolate any potentially compromised system, and conduct a thorough security assessment before restoring it to service.