React2Shell: Critical Next.js RCE Vulnerability (CVE-2025-66478)

A critical Remote Code Execution (RCE) vulnerability, dubbed React2Shell, affects Next.js applications that use React Server Components (RSC). It lets an unauthenticated attacker who can reach the application over the network execute arbitrary code on the server that hosts it.

Vulnerability Overview

| Attribute | Details |
|-----------|---------|
| CVE ID | CVE-2025-66478 |
| CVSS Score | 9.8 (Critical) |
| Affected Versions | Next.js 13.x - 15.x applications using RSC / Server Actions |
| Attack Vector | Network, no authentication required |

Technical Analysis

The Root Cause

The flaw lies in how Next.js processes Server Action requests. Attacker-controlled request data reaches server-side functions without adequate validation, so a crafted payload can inject content that the server goes on to execute. Because this handling happens inside the framework rather than in one application's code, any application on an affected version that exposes Server Actions is reachable, and application-level validation alone cannot close it; upgrading the framework does.

Attack Flow

  1. Attacker identifies a Next.js application using Server Components
  2. Crafts a malicious payload targeting the RSC endpoint
  3. Payload bypasses input validation through encoding techniques
  4. Server executes attacker-controlled code

Exploitation Example

// Vulnerable Server Action (the page's simplified illustration of the pattern)
'use server';

export async function processData(formData) {
  // Raw, attacker-controlled form field: no type check, no allowlist
  const userInput = formData.get('input');
  // Dangerous: user input reaches an eval-like function that executes it
  const result = await dangerousOperation(userInput);
  return result;
}
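As an added example (not code from the page, from Next.js or from RaptorX), the vulnerable pattern described above is shown beside a hardened form of the same action, which also illustrates the "strict input validation on Server Actions" advice in the Remediation section. `dangerousOperation` is an assumed stand-in for an eval-like sink and is modelled with `new Function`; the two actions are written as plain synchronous functions so the block runs stand-alone (in a Next.js app they would be async exports in a file starting with `'use server'`). This is an application-level hardening pattern; it does not patch a framework-level flaw, for which the fix is the upgrade.

```javascript
// Added example, not code from the page, from Next.js or from RaptorX.
// `dangerousOperation` is an assumed stand-in for an eval-like sink.

// --- Vulnerable: the request field is executed as code -------------------
function dangerousOperation(expr) {
  // Assumed eval-like sink: compiles and runs the string as JavaScript.
  return new Function(`return (${expr});`)();
}

function processDataVulnerable(formData) {
  const userInput = formData.get('input');
  return dangerousOperation(userInput); // the attacker decides what runs here
}

// --- Hardened: input selects from a fixed table; arguments are validated --
const OPERATIONS = Object.freeze({
  add: (a, b) => a + b,
  multiply: (a, b) => a * b,
});
const MAX_MAGNITUDE = 1e9;

function parseBoundedNumber(value) {
  // Accept only a plain decimal literal, then enforce a range. Rejects
  // exponents, hex, whitespace and anything that resembles code.
  if (typeof value !== 'string' || !/^-?\d{1,10}(\.\d{1,6})?$/.test(value)) {
    throw new TypeError('argument must be a plain decimal number');
  }
  const n = Number(value);
  if (!Number.isFinite(n) || Math.abs(n) > MAX_MAGNITUDE) {
    throw new RangeError('argument out of range');
  }
  return n;
}

function processDataHardened(formData) {
  const op = formData.get('op');
  // Own-property allowlist lookup: 'constructor', '__proto__' and other
  // inherited names are rejected instead of being resolved up the prototype chain.
  if (typeof op !== 'string' || !Object.prototype.hasOwnProperty.call(OPERATIONS, op)) {
    throw new Error('unknown operation');
  }
  const a = parseBoundedNumber(formData.get('a'));
  const b = parseBoundedNumber(formData.get('b'));
  return OPERATIONS[op](a, b);
}

// Builds a body the way a form submission would (constructed input; FormData
// is a global in Node.js 18 and later).
function formWith(fields) {
  const fd = new FormData();
  for (const [name, value] of Object.entries(fields)) fd.append(name, value);
  return fd;
}
```

Calling `processDataVulnerable(formWith({ input: 'typeof process' }))` evaluates the string and returns `'object'`, which is exactly the capability an attacker needs; the hardened action answers `formWith({ op: 'add', a: '2', b: '3' })` with `5` and throws for `op: 'constructor'`, `a: '1e308'` or `a: '2; process'`.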

Detection

Signs of exploitation:

  • Bursts of POST requests to Server Action endpoints from a small number of sources, especially with unusually large or oddly encoded bodies
  • Unexpected child processes (shells, interpreters, curl/wget, netcat) spawned by the Node.js server process
  • Outbound connections from web servers to destinations outside the application's normal egress set
  • Modified or newly created files in application directories, including node_modules and the build output
  • Anomalous CPU or memory usage, for example a sustained spike with no matching traffic increase
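As an added example (not from the page or from RaptorX), the following triage pass runs over process and network telemetry and flags the two strongest signals in the list above: a shell or interpreter spawned by the Node.js server process, and an outbound connection from that process to a destination outside the application's known egress set. The JSON-lines format and the field names (`type`, `ts`, `pid`, `comm`, `parent_comm`, `cmdline`, `dst_ip`, `dst_port`) are assumptions, since a real EDR or auditd export will name them differently, and the log lines are constructed for the example.

```javascript
// Added example, not from the page or from RaptorX. Event format and field
// names are assumed; the log lines and the egress allowlist are constructed.

const SUSPICIOUS_CHILDREN = new Set([
  'sh', 'bash', 'dash', 'zsh', 'python3', 'perl', 'curl', 'wget', 'nc',
]);
// Process names the Next.js server runs under (assumed; adjust per deployment).
const NODE_PARENTS = new Set(['node', 'next-server']);

// Parse JSON lines; a malformed line becomes an 'unparseable' event so it is
// surfaced rather than silently dropped.
function parseEvents(text) {
  return text.split('\n').filter(Boolean).map((line, i) => {
    try {
      return JSON.parse(line);
    } catch {
      return { type: 'unparseable', line: i + 1 };
    }
  });
}

function triage(events, expectedEgress) {
  const findings = [];
  for (const ev of events) {
    if (ev.type === 'process' &&
        NODE_PARENTS.has(ev.parent_comm) && SUSPICIOUS_CHILDREN.has(ev.comm)) {
      // A web server has no business spawning a shell; this is the highest-fidelity signal.
      findings.push({ rule: 'node-spawned-shell', ts: ev.ts, pid: ev.pid, cmdline: ev.cmdline });
    } else if (ev.type === 'connect' && NODE_PARENTS.has(ev.comm)) {
      // Egress from the server process that is not in the known set (reverse shell, staging, C2).
      const dest = `${ev.dst_ip}:${ev.dst_port}`;
      if (!expectedEgress.has(dest)) {
        findings.push({ rule: 'node-unexpected-egress', ts: ev.ts, pid: ev.pid, dest });
      }
    } else if (ev.type === 'unparseable') {
      findings.push({ rule: 'unparseable-line', line: ev.line });
    }
  }
  return findings;
}

// Constructed sample: a benign worker spawn, a database connection, a shell
// spawned by node, a callback to a TEST-NET address, and an unrelated SSH login.
const SAMPLE_LOG = [
  '{"type":"process","ts":"2025-01-15T10:01:02Z","pid":1310,"comm":"node","parent_comm":"node","cmdline":"node worker.js"}',
  '{"type":"connect","ts":"2025-01-15T10:01:05Z","pid":1201,"comm":"node","dst_ip":"10.0.0.5","dst_port":5432}',
  '{"type":"process","ts":"2025-01-15T10:02:17Z","pid":1402,"comm":"sh","parent_comm":"node","cmdline":"sh -c \\"id; uname -a\\""}',
  '{"type":"connect","ts":"2025-01-15T10:02:18Z","pid":1201,"comm":"node","dst_ip":"203.0.113.7","dst_port":4444}',
  '{"type":"process","ts":"2025-01-15T10:03:00Z","pid":1500,"comm":"bash","parent_comm":"sshd","cmdline":"-bash"}',
].join('\n');

// Destinations the application legitimately talks to (constructed allowlist).
const EXPECTED_EGRESS = new Set(['10.0.0.5:5432', '10.0.0.9:6379']);

function runSample() {
  return triage(parseEvents(SAMPLE_LOG), EXPECTED_EGRESS);
}
```

`runSample()` returns two findings for the constructed log: the `sh -c` child of the node process and the connection to 203.0.113.7:4444; the worker spawn, the database connection and the SSH session are not flagged. The egress rule depends entirely on how complete the allowlist is, so build it from observed traffic during a quiet period before relying on it.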

Remediation

  1. Immediate: Upgrade to a patched Next.js release (15.1.0 or later, per this advisory; confirm the fixed version for your release line against the upstream advisory). Check the version actually resolved in the lockfile and deployed, not the range in package.json, and redeploy, since only a rebuilt artifact removes the vulnerable code.
  2. Short-term: Until the upgrade is deployed, use WAF rules on Server Action endpoints and tight egress filtering on web servers as compensating controls; they reduce exposure but do not remove the flaw.
  3. Long-term: Keep strict input validation on all Server Actions as defense in depth, and track framework dependencies continuously so that a new advisory triggers an upgrade without manual discovery.
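As an added example (not RaptorX's scanner and not Next.js code), the following patch-status check reads the resolved `next` version from package-lock.json, which is the build that is actually installed, rather than the range in package.json, and compares it with a minimum fixed version. `MIN_FIXED` uses the 15.1.0 figure stated on this page; confirm the fixed version for your release line against the upstream advisory, and where a fix was backported to several release lines run the comparison once per line. The lockfile contents are constructed.

```javascript
// Added example, not RaptorX's scanner and not Next.js code. MIN_FIXED is the
// figure from this page; the lockfile contents are constructed.

function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(version);
  if (!m) throw new Error(`not a semver string: ${version}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), pre: m[4] || null };
}

// Comparator following semver precedence: a prerelease (e.g. a canary build)
// sorts below the release it precedes, so "15.1.0-canary.3" is not "15.1.0".
function compareSemver(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] - y[k];
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// Resolved version of a top-level package: lockfileVersion 2/3 keeps it under
// packages["node_modules/<name>"], lockfileVersion 1 under dependencies[<name>].
function resolvedVersion(lock, name) {
  const fromPackages = lock.packages && lock.packages[`node_modules/${name}`];
  if (fromPackages && fromPackages.version) return fromPackages.version;
  const fromDeps = lock.dependencies && lock.dependencies[name];
  if (fromDeps && fromDeps.version) return fromDeps.version;
  return null;
}

function patchStatus(lockJson, minFixed) {
  const lock = JSON.parse(lockJson);
  const installed = resolvedVersion(lock, 'next');
  if (installed === null) return { installed: null, status: 'next-not-installed' };
  const status = compareSemver(installed, minFixed) >= 0 ? 'patched' : 'vulnerable';
  return { installed, status };
}

const MIN_FIXED = '15.1.0'; // per this page; verify against the upstream advisory

// Constructed lockfiles: package.json allows ^15.0.0 in both, and only the
// lockfile tells you which build is actually deployed.
const VULNERABLE_LOCK = JSON.stringify({
  name: 'app', lockfileVersion: 3,
  packages: { '': { dependencies: { next: '^15.0.0' } }, 'node_modules/next': { version: '15.0.3' } },
});
const PATCHED_LOCK = JSON.stringify({
  name: 'app', lockfileVersion: 3,
  packages: { '': { dependencies: { next: '^15.0.0' } }, 'node_modules/next': { version: '15.1.2' } },
});
```

`patchStatus(VULNERABLE_LOCK, MIN_FIXED)` reports `15.0.3` as vulnerable and `patchStatus(PATCHED_LOCK, MIN_FIXED)` reports `15.1.2` as patched, even though both projects declare the same `^15.0.0` range. Run it against the lockfile baked into the deployed image, not the one in the repository, when the two can differ.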

RaptorX Detection

RaptorX's autonomous agents actively scan for CVE-2025-66478:

  • Fingerprints Next.js version and RSC usage
  • Tests Server Action endpoints with safe payloads
  • Validates patch status
  • Provides proof-of-concept evidence for remediation

This vulnerability shows why continuous security testing is essential: an application that was clean yesterday becomes exploitable the moment a CVE in one of its framework dependencies is disclosed, without a single line of its own code changing.

RaptorX

Autonomous AI agent for red team assessments and VAPT

SOC 2 Type II Certified

ISO 27001 Compliant

Built with enterprise-grade security and compliance