Overview
On December 3, 2025, the React and Next.js teams disclosed a critical security vulnerability (CVSS 10.0), identified as React2Shell, affecting applications that leverage React Server Components together with Server Actions or Server Functions.
The React2Shell vulnerability stems from improper validation of client-supplied data within certain server-side React features. An unauthenticated attacker could exploit this flaw by sending specially crafted requests, leading to unexpected server-side behavior. Successful exploitation could result in unauthenticated remote code execution.
This vulnerability requires no authentication and affects a wide range of modern React/Next.js deployments.
- Primary CVE: CVE-2025-55182 (React Core)
- Downstream tracking: CVE-2025-66478 (Next.js)
What Causes the Vulnerability
The affected functionality involves the mechanism React uses to receive and interpret data for server-side features. Certain malformed or intentionally crafted inputs may trigger unsafe processing paths on the server.
The React and Next.js teams have released security updates that strengthen these validation steps and prevent unintended behavior.
Impact
The vulnerability allows unauthenticated remote code execution (RCE) on servers running React Server Components.
Applications using React Server Components are vulnerable even if they do not explicitly define Server Function endpoints.
In effect, a malicious actor can send specially crafted requests to a vulnerable server and, due to insecure deserialization of serialized payloads, trigger unintended server behavior including arbitrary code execution.
As of this advisory, there is no evidence of active exploitation in the wild. However, numerous unauthorized or fake proof-of-concept (POC) exploits have been circulated publicly, which may cause confusion or unintended harm if tested without proper validation.
Affected Versions:
- React: 19.0.0, 19.1.0–19.1.1, 19.2.0
- Next.js (App Router): 15.x ≤ 15.5.6, 16.x ≤ 16.0.6
Patched versions:
- React: 19.0.1, 19.1.2, 19.2.1
- Next.js: 15.5.7+, 16.0.7+, 16.1+
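To check where a deployment stands against the version lists above, the following script compares the react and next entries of a package-lock.json against the affected and patched versions this advisory lists. It is an added example, not Imperva's code nor anything shipped by the React or Next.js projects; it assumes a lockfile with lockfileVersion 2 or 3 (the `packages` map keyed by `node_modules/<name>`), and the sample lockfile embedded at the bottom is constructed for illustration. Pre-release builds (canary, rc) are reported separately because the advisory assigns them no status.

```javascript
// Added example (not Imperva's or the React/Next.js projects' code): classify the
// installed React and Next.js versions against the affected/patched lists in this
// advisory (CVE-2025-55182 / CVE-2025-66478). Run with no arguments to scan the
// constructed sample below, or pass a path to a real package-lock.json.

// Affected ranges, inclusive, exactly as listed in the advisory.
const AFFECTED = {
  react: [
    { min: "19.0.0", max: "19.0.0" },
    { min: "19.1.0", max: "19.1.1" },
    { min: "19.2.0", max: "19.2.0" },
  ],
  next: [
    { min: "15.0.0", max: "15.5.6" }, // 15.x <= 15.5.6
    { min: "16.0.0", max: "16.0.6" }, // 16.x <= 16.0.6
  ],
};

// First fixed release on each line, as listed in the advisory.
const PATCHED = {
  react: ["19.0.1", "19.1.2", "19.2.1"],
  next: ["15.5.7", "16.0.7", "16.1.0"],
};

// Parse "MAJOR.MINOR.PATCH" with an optional pre-release suffix (e.g. "-canary.3").
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] || null };
}

// Numeric comparison of the three release fields; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a).parts;
  const pb = parseVersion(b).parts;
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function inRange(v, r) {
  return compareVersions(v, r.min) >= 0 && compareVersions(v, r.max) <= 0;
}

// Status of one package version:
//   "affected"             - inside a listed vulnerable range
//   "patched"              - at or past a patched release on the same major line
//   "outside-listed-range" - a major line the advisory does not mention (e.g. React 18)
//   "prerelease"           - canary/rc build; advisory gives no status, confirm with the vendor
//   "not-listed"           - package not covered by this advisory
function classify(pkg, version) {
  const ranges = AFFECTED[pkg];
  if (!ranges) return "not-listed";
  const parsed = parseVersion(version);
  if (parsed.prerelease) return "prerelease";
  if (ranges.some((r) => inRange(version, r))) return "affected";
  const major = parsed.parts[0];
  const fixedOnLine = PATCHED[pkg].filter((p) => parseVersion(p).parts[0] === major);
  if (fixedOnLine.some((p) => compareVersions(version, p) >= 0)) return "patched";
  return "outside-listed-range";
}

// Scan a parsed package-lock.json (lockfileVersion 2 or 3) for react and next.
function scanLockfile(lock) {
  const packages = lock.packages || {};
  const findings = {};
  for (const name of ["react", "next"]) {
    const entry = packages[`node_modules/${name}`];
    if (entry && entry.version) {
      findings[name] = { version: entry.version, status: classify(name, entry.version) };
    }
  }
  return findings;
}

// Constructed sample: an app pinned to versions the advisory lists as affected.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "0.1.0" },
    "node_modules/react": { version: "19.1.1" },
    "node_modules/next": { version: "15.5.6" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  const path = process.argv[2];
  const lock = path ? JSON.parse(require("fs").readFileSync(path, "utf8")) : SAMPLE_LOCK;
  console.log(scanLockfile(lock));
}

if (typeof module !== "undefined") {
  module.exports = { parseVersion, compareVersions, classify, scanLockfile, SAMPLE_LOCK };
}
```

Usage: `node check-rsc-versions.js ./package-lock.json`. A "patched" result only means the package versions match the advisory; a deployment that bundles React through another path (a vendored copy, a framework other than Next.js) needs the same comparison applied to whatever React build it actually serves.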
Imperva Proactive Response
Imperva’s Threat Research team initiated an immediate investigation to assess the potential impact on customer environments.
Within hours, we:
- Analyzed the vulnerability and mapped out the most plausible exploitation paths
- Developed and validated virtual patching rules designed to detect and block malicious request patterns associated with the issue
- Rolled out these protections automatically across the entire Imperva Cloud WAF customer base
All protections are already active, require no change from customers, and continue to be monitored and refined as new information becomes available.
Conclusion
This is a significant framework-level security issue affecting widely used technologies. Imperva customers are already protected through our rapid response and proactive security controls. We will continue to track this vulnerability closely and update protections as new information becomes available.
While Imperva protections mitigate known attack vectors, customers should:
- Update React and Next.js to the vendor-provided patched versions
- Review any server-side features that accept data directly from clients
- Continue monitoring vendor advisories for future updates
For further assistance, please contact Imperva Support or your Customer Success representative.
