A maximum severity vulnerability, dubbed 'react2shell', in the react server components (rsc) 'flight' protocol allows remote code execution without authentication in react and next.js applications. It affects how react decodes payloads sent to react server function (server action) endpoints via the react flight protocol The react team describes it as a flaw that allows: On december 3, 2025, coordinated disclosures revealed that multiple releases of react 19 and next.js contain a critical flaw in the react server components (rsc) “flight” protocol, allowing unauthenticated remote code execution (rce). The vulnerability exists in how react server function/packages process the react server components (rscs) payloads via the “flight” protocol The vulnerability arises during deserialization of these flight payloads.
When exploited, an attacker can execute arbitrary code on the server without authentication
OPEN
