React2Shell – Vulnerable PoC Stack
This Next.js application intentionally uses vulnerable React Server Components (RSC) and Next.js versions in order to test how well security scanners can detect the related Remote Code Execution (RCE) vulnerabilities.
Affected Vulnerabilities
- CVE-2025-55182 – React Server Components “Flight” protocol unsafe deserialization.
- CVE-2025-66478 – Tracks the downstream impact on Next.js applications using the App Router.
Environment purpose
This container is designed for:
- Testing SCA and container scanners against known-vulnerable React / Next.js RSC versions
- Reproducing detection rules and signatures in a controlled lab
- Exploiting and learning about React2Shell in a controlled environment
Do not expose this container to the public internet, do not use it with real user data, and do not deploy it in production.
Key vulnerable components
- React RSC packages:
- react-server-dom-webpack: 19.0.0 / 19.1.0 / 19.1.1 / 19.2.0
- react-server-dom-parcel: 19.0.0 / 19.1.0 / 19.1.1 / 19.2.0
- react-server-dom-turbopack: 19.0.0 / 19.1.0 / 19.1.1 / 19.2.0
- Next.js:
- All stable 15.x
- All stable 16.x (prior to patched 16.0.7)
- Canary builds from 14.3.0-canary.77 and above
References
- Snyk / DEV post: Security Advisory: Critical RCE Vulnerabilities in React Server Components & Next.js
- Snyk advisory – react-server-dom-webpack: SNYK-JS-REACTSERVERDOMWEBPACK-14173285
- Snyk advisory – react-server-dom-turbopack: SNYK-JS-REACTSERVERDOMTURBOPACK-14173287
- Snyk advisory – react-server-dom-parcel: SNYK-JS-REACTSERVERDOMPARCEL-14173286
- Snyk advisory – Next.js RSC integration: SNYK-JS-NEXT-14173355
- React blog – Critical Security Vulnerability in React Server Components (CVE-2025-55182)
- NVD entry – React RSC RCE: CVE-2025-55182
- Next.js security advisory – CVE-2025-66478
- NVD entry – Next.js RSC impact: CVE-2025-66478