React2Shell (CVE-2025-55182)

1 What's Going On

Two critical vulnerabilities have been identified affecting React Server Components (CVE-2025-55182) and Next.js (CVE-2025-66478). Both are reachable in the default configuration of affected applications, so standard deployments are exposed without any opt-in feature, which significantly widens the potential impact.

Security researcher Lachlan Davidson reported the vulnerability to Meta on November 29th, 2025. React and Next.js released patched versions on December 3rd.

Attackers are now actively bypassing WAF mitigations deployed by major vendors by prepending junk data to push payloads past inspection limits.

Timeline

Nov 29: Reported to Meta
Dec 3: Patches released, WAF mitigations deployed
Dec 5: Public POC released
Now: Attackers bypassing WAF rules

Why WAFs Fail

Despite vendors deploying specific rules for this vulnerability, WAFs have inherent limits that attackers quickly find and abuse. They inspect only the first few KB of a request body and do not decode every encoding the application accepts, so a payload pushed past the inspection limit, or wrapped in an encoding the WAF does not normalize, is never matched against the rules.

2 How to Fix Your WAF

Most exploitation attempts we're currently observing abuse WAF inspection limits: attackers prepend junk data so the malicious part of the body lands past the first few KB that the WAF inspects. Our current recommendation is to block any request carrying the Next-Action header whose body exceeds your WAF's inspection limit. A request the WAF cannot fully inspect is then blocked outright rather than waved through on the partial view.

We'll update this page with new bypass techniques and mitigations as the situation evolves.

⚠️ The real fix is patching

Update React to 19.0.1+, 19.1.2+, or 19.2.1+ and Next.js to patched versions.

WAF rules provide defense-in-depth while you patch, but are not a substitute for updating your dependencies and deploying runtime mitigations.

More info about runtime mitigations can be found here.

3 Deploy Rules

📋 Before deploying: These size-based rules may block legitimate Server Actions in your app (e.g., file uploads, large form submissions). Understand which routes use Server Actions and test thoroughly in staging. For large uploads, consider moving them to API routes or signed URL flows.

Cloudflare Managed + Custom

1 Enable the Cloudflare Managed Ruleset. Go to Security → WAF → Managed Rules. Enable the Cloudflare Managed Ruleset with action set to Block (not just Log), as Cloudflare has deployed rules specifically for this vulnerability.

2 Add a custom bypass protection rule. The managed rules can be bypassed by prepending junk data. Pick the rule matching your plan:

Pro / Business (block 8KB+, custom charset, or pattern match)

(http.request.method eq "POST")
and (any(http.request.headers.names[*] matches "(?i)(?:next-action|rsc-action-id)"))
and (
  (http.request.body.size ge 8192)
  or (http.request.body.raw contains "charset=")
  or (
    (http.request.body.raw contains "status\":")
    and (http.request.body.raw contains "resolved_model")
    and (http.request.body.raw contains ":constructor")
    and (http.request.body.raw contains "_response\":")
    and (http.request.body.raw contains "_formData\":")
  )
)

Why these rules? We block custom charsets because Cloudflare doesn't inspect certain encodings that Next.js supports. Cloudflare initially raised WAF inspection limits to 1MB across all plans, but reverted to original sizes (Free: 1MB, Pro/Business: 8KB, Enterprise: 128KB). We recommend paid plan customers contact Cloudflare Support to raise the inspection limit back to 1MB for better protection against bypass attempts.

Enterprise (block 128KB+, custom charset, or pattern match)

(http.request.method eq "POST")
and (any(http.request.headers.names[*] matches "(?i)(?:next-action|rsc-action-id)"))
and (
  (http.request.body.size ge 131072)
  or (http.request.body.raw contains "charset=")
  or (
    (http.request.body.raw contains "status\":")
    and (http.request.body.raw contains "resolved_model")
    and (http.request.body.raw contains ":constructor")
    and (http.request.body.raw contains "_response\":")
    and (http.request.body.raw contains "_formData\":")
  )
)

3 Deploy: Security → WAF → Custom Rules → Create Rule → Action: Block

AWS WAF Managed + Custom

1 Update managed rules: Ensure AWSManagedRulesKnownBadInputsRuleSet is updated to v1.24+.

2 Deploy custom rule with OversizeHandling: In addition to the AWS managed rule, add this custom rule with "OversizeHandling": "MATCH" to catch known bypasses:

{
  "Action": { "Block": {} },
  "Name": "react2shell",
  "Priority": 26,
  "Statement": {
    "AndStatement": {
      "Statements": [
        {
          "RegexMatchStatement": {
            "FieldToMatch": { "Method": {} },
            "RegexString": "POST",
            "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ]
          }
        },
        {
          "RegexMatchStatement": {
            "FieldToMatch": { "Body": { "OversizeHandling": "MATCH" } },
            "RegexString": "(?i)resolved_model[\"']|:constructor[\"']|_response[\"']\\s*:|_formData[\"']\\s*:",
            "TextTransformations": [
              { "Priority": 0, "Type": "URL_DECODE_UNI" },
              { "Priority": 1, "Type": "JS_DECODE" },
              { "Priority": 2, "Type": "UTF8_TO_UNICODE" }
            ]
          }
        },
        {
          "RegexMatchStatement": {
            "FieldToMatch": {
              "Headers": {
                "MatchPattern": { "All": {} },
                "MatchScope": "KEY",
                "OversizeHandling": "MATCH"
              }
            },
            "RegexString": "(?i)(?:next-action|rsc-action-id)",
            "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ]
          }
        }
      ]
    }
  },
  "VisibilityConfig": {
    "CloudWatchMetricsEnabled": true,
    "MetricName": "react2shell",
    "SampledRequestsEnabled": true
  }
}

Note: This rule uses OversizeHandling: MATCH so that a body or header set larger than the inspection limit counts as a match and is blocked, instead of being evaluated on its first bytes only.

Akamai Custom Rule

1 Deploy custom rule: Block requests with RSC headers that exceed 16KB or match exploit patterns.

{
  "name": "react2shell",
  "description": "Block React Server Components exploitation attempts",
  "conditions": {
    "all": [
      { "type": "requestMethodMatch", "positiveMatch": true, "values": ["POST"] },
      {
        "type": "requestHeaderMatch",
        "positiveMatch": true,
        "headerName": "*",
        "matchOperator": "MATCHES_REGEX",
        "matchValue": "(?i)(?:next-action|rsc-action-id)",
        "matchCaseSensitive": false
      },
      {
        "any": [
          { "type": "contentLengthMatch", "positiveMatch": true, "matchOperator": "GREATER_THAN", "matchValue": 16384 },
          {
            "type": "requestBodyMatch",
            "positiveMatch": true,
            "matchOperator": "MATCHES_REGEX",
            "matchValue": "(?i)content-type\\s*:[^\\r\\n]*charset\\s*=",
            "matchCaseSensitive": false
          },
          {
            "all": [
              { "type": "requestBodyMatch", "positiveMatch": true, "matchOperator": "MATCHES_REGEX", "matchValue": "(?i)status\"\\s*:", "matchCaseSensitive": false },
              { "type": "requestBodyMatch", "positiveMatch": true, "matchOperator": "MATCHES_REGEX", "matchValue": "(?i)resolved_model\"", "matchCaseSensitive": false },
              { "type": "requestBodyMatch", "positiveMatch": true, "matchOperator": "MATCHES_REGEX", "matchValue": "(?i):constructor", "matchCaseSensitive": false },
              { "type": "requestBodyMatch", "positiveMatch": true, "matchOperator": "MATCHES_REGEX", "matchValue": "(?i)_response\"\\s*:", "matchCaseSensitive": false },
              { "type": "requestBodyMatch", "positiveMatch": true, "matchOperator": "MATCHES_REGEX", "matchValue": "(?i)_formData\"\\s*:", "matchCaseSensitive": false }
            ]
          }
        ]
      }
    ]
  },
  "action": "DENY"
}

Note: Akamai's inspection limit means bypasses above 16KB are possible. This rule blocks oversized requests and pattern-matches exploit signatures for requests under the limit. We also block custom charsets as Akamai doesn't inspect certain encodings that Next.js supports.
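The three vendor rules above share one decision procedure: POST, a Next-Action or RSC-Action-ID header, then a size check, a charset check and a marker check on whatever part of the body the WAF can see. The following Node.js script is an added example, not code from this page or from Cloudflare, AWS or Akamai. It models that procedure together with the two ways a WAF can treat a body larger than its inspection limit: inspecting only the first bytes (the behaviour the junk-prefix bypass in section 2 relies on) versus treating the oversized request as a match (what the AWS OversizeHandling: MATCH setting and the Cloudflare/Akamai size conditions achieve). The request objects, the 8 KB limit value reused from the Cloudflare Pro/Business rule, and the body marker strings (copied from the rules; not a working payload) are all constructed here, and evaluate and review are names chosen for this example. The largeUpload case shows the false positive the "Before deploying" note warns about.

```javascript
// Added example (not from the page or any WAF vendor): model a WAF with a body
// inspection limit and check the rule logic against constructed requests.

// Header names the page's rules look for, case-insensitive.
const RSC_HEADER = /^(?:next-action|rsc-action-id)$/i;
// Marker strings taken from the page's Cloudflare rule; the pattern branch
// fires only when all of them appear in the inspected bytes.
const BODY_MARKERS = ['status":', 'resolved_model', ':constructor', '_response":', '_formData":'];

function hasRscHeader(headers) {
  return Object.keys(headers).some((name) => RSC_HEADER.test(name));
}

function markersPresent(text) {
  return BODY_MARKERS.every((marker) => text.includes(marker));
}

// opts.limit: number of body bytes the WAF inspects.
// opts.oversize: 'CONTINUE' evaluates the rules on the first `limit` bytes
// only; 'MATCH' treats a body at or above the limit as a rule match (the
// page's rules use `ge`, so the same boundary is used here).
function evaluate(req, opts) {
  const { limit, oversize = 'CONTINUE' } = opts;
  if (req.method !== 'POST' || !hasRscHeader(req.headers)) {
    return { action: 'ALLOW', reason: 'not a Server Action request' };
  }
  const body = Buffer.from(req.body, 'utf8');
  if (body.length >= limit && oversize === 'MATCH') {
    return { action: 'BLOCK', reason: 'body at or above inspection limit' };
  }
  // In either mode the content rules only ever see the first `limit` bytes.
  const inspected = body.subarray(0, limit).toString('utf8');
  if (inspected.includes('charset=')) {
    return { action: 'BLOCK', reason: 'custom charset in body' };
  }
  if (markersPresent(inspected)) {
    return { action: 'BLOCK', reason: 'exploit markers in inspected bytes' };
  }
  return { action: 'ALLOW', reason: 'no rule matched' };
}

// Evaluate a set of named requests and return name -> action.
function review(requests, opts) {
  const out = {};
  for (const [name, req] of Object.entries(requests)) {
    out[name] = evaluate(req, opts).action;
  }
  return out;
}

// Constructed sample requests. The limit is the page's Cloudflare Pro value;
// markerBlob is just the marker strings joined together, not a payload.
const LIMIT = 8192;
const markerBlob = BODY_MARKERS.join(' ');
const action = { 'next-action': 'constructed-action-id' };
const REQUESTS = {
  normalAction: { method: 'POST', headers: action, body: '[{"name":"alice"}]' },
  notAnAction: { method: 'POST', headers: {}, body: markerBlob },
  largeUpload: { method: 'POST', headers: action, body: 'A'.repeat(20000) },
  smallMarkers: { method: 'POST', headers: { 'Rsc-Action-Id': 'x' }, body: markerBlob },
  paddedMarkers: { method: 'POST', headers: action, body: ' '.repeat(LIMIT) + markerBlob },
  customCharset: {
    method: 'POST',
    headers: action,
    body: 'Content-Type: text/plain; charset=constructed-example\r\n\r\nhello',
  },
};

console.log('oversize CONTINUE:', review(REQUESTS, { limit: LIMIT, oversize: 'CONTINUE' }));
console.log('oversize MATCH:   ', review(REQUESTS, { limit: LIMIT, oversize: 'MATCH' }));
```

With CONTINUE, paddedMarkers is allowed because the markers sit past the inspected window, which is exactly the bypass the page describes; with MATCH it is blocked, and so is largeUpload, the legitimate oversized request that the "Before deploying" note tells you to test for in staging.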
4 Detections

YARA Rules

Community-contributed YARA rules by Florian Roth that detect exploitation attempts, webshell indicators, and PoC payloads related to CVE-2025-55182 and CVE-2025-66478.

react_pocs_indicators_dec25.yar (Neo23x0/signature-base on GitHub)

5 Exploitation in the Wild

Reports and analysis of active exploitation attempts observed in the wild.