React2Shell (CVE-2025-55182)

1 What's Going On

Two critical vulnerabilities have been identified affecting React Server Components (CVE-2025-55182) and Next.js (CVE-2025-66478). The vulnerabilities affect default configurations of affected applications, leaving standard deployments immediately exposed and significantly widening potential impact.

Security researcher Lachlan Davidson reported the vulnerability to Meta on November 29th, 2025. React and Next.js released patched versions on December 3rd.

Attackers are now actively bypassing WAF mitigations deployed by major vendors by prepending junk data to push payloads past inspection limits.

Timeline

Nov 29: Reported to Meta
Dec 3: Patches released, WAF mitigations deployed
Dec 5: Public POC released
Now: Attackers bypassing WAF rules

Why WAFs Fail

WAFs only inspect the first few KB of requests. Attackers prepend junk data to push malicious payloads past inspection limits, bypassing vendor mitigations.

2 How to Fix Your WAF

Most exploitation attempts we're currently observing abuse WAF inspection limits: attackers prepend junk data so that the malicious payload lands beyond the first few KB the WAF inspects. Our current recommendation is to block requests that carry the Next-Action header and whose body exceeds your WAF's inspection limit, so that oversized requests are rejected outright instead of being passed through only partially inspected.

We'll update this page with new bypass techniques and mitigations as the situation evolves.

⚠️ The real fix is patching

Update React to 19.0.1+, 19.1.2+, or 19.2.1+ and Next.js to patched versions.

WAF rules provide defense-in-depth while you patch, but are not a substitute for updating your dependencies and deploying runtime mitigations.

More info about runtime mitigations can be found here.

3 Deploy Rules

📋 Before deploying: These size-based rules may block legitimate Server Actions in your app (e.g., file uploads, large form submissions). Understand which routes use Server Actions and test thoroughly in staging. For large uploads, consider moving them to API routes or signed URL flows.

Cloudflare Managed + Custom
1 Enable the Cloudflare Managed Ruleset. Go to Security → WAF → Managed Rules. Enable the Cloudflare Managed Ruleset with action set to Block (not just Log), as Cloudflare has deployed rules specifically for this vulnerability.
2 Add a custom bypass protection rule. The managed rules can be bypassed by prepending junk data. Pick the rule matching your plan:
Pro / Business (block > 8KB or pattern match)
(http.request.method eq "POST") and (any(http.request.headers.names[*] matches "(?i)(?:next-action|rsc-action-id)")) and ( (http.request.body.size gt 8192) or ( (http.request.body.raw matches "(?i)status\"\\s*:\\s*\"resolved_model\"") and (http.request.body.raw matches "(?i):constructor") and (http.request.body.raw matches "(?i)_response\"\\s*:") and (http.request.body.raw matches "(?i)_formData\"\\s*:") ) )
Enterprise (block > 128KB or pattern match)
(http.request.method eq "POST") and (any(http.request.headers.names[*] matches "(?i)(?:next-action|rsc-action-id)")) and ( (http.request.body.size gt 131072) or ( (http.request.body.raw matches "(?i)status\"\\s*:\\s*\"resolved_model\"") and (http.request.body.raw matches "(?i):constructor") and (http.request.body.raw matches "(?i)_response\"\\s*:") and (http.request.body.raw matches "(?i)_formData\"\\s*:") ) )
3 Deploy: Security → WAF → Custom Rules → Create Rule → Action: Block
Note: This blocks file uploads via Server Actions. For large uploads, use API routes or signed URLs.
Inspection limit update: Cloudflare initially raised the WAF inspection limit to 1MB across all plans, but has since reverted to the original sizes, citing false positives: Free: 1MB, Pro/Business: 8KB, Enterprise: 128KB. We recommend that paid-plan customers contact Cloudflare Support to raise the inspection limit back to 1MB for better protection against bypass attempts.

AWS WAF Managed + Custom
1 Update managed rules: Ensure AWSManagedRulesKnownBadInputsRuleSet is updated to v1.24+.
2 Deploy custom rule with OversizeHandling: Instead of the default AWS rule, use this rule with "OversizeHandling": "MATCH" to catch bypasses:
{
  "Action": { "Block": {} },
  "Name": "react2shell",
  "Priority": 26,
  "Statement": {
    "AndStatement": {
      "Statements": [
        {
          "RegexMatchStatement": {
            "FieldToMatch": { "Method": {} },
            "RegexString": "POST",
            "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ]
          }
        },
        {
          "RegexMatchStatement": {
            "FieldToMatch": { "Body": { "OversizeHandling": "MATCH" } },
            "RegexString": "(?i)\"status\"\\s*:\\s*\"resolved_model\"|:constructor|_response\"\\s*:|_formData\"\\s*:",
            "TextTransformations": [
              { "Priority": 0, "Type": "URL_DECODE_UNI" },
              { "Priority": 1, "Type": "JS_DECODE" },
              { "Priority": 2, "Type": "UTF8_TO_UNICODE" }
            ]
          }
        },
        {
          "RegexMatchStatement": {
            "FieldToMatch": {
              "Headers": {
                "MatchPattern": { "All": {} },
                "MatchScope": "KEY",
                "OversizeHandling": "MATCH"
              }
            },
            "RegexString": "(?i)(?:next-action|rsc-action-id)",
            "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ]
          }
        }
      ]
    }
  },
  "VisibilityConfig": {
    "CloudWatchMetricsEnabled": true,
    "MetricName": "react2shell",
    "SampledRequestsEnabled": true
  }
}

Akamai Custom Rule
1 Deploy custom rule: Block requests with RSC headers that exceed 16KB or match exploit patterns.
{
  "name": "react2shell",
  "description": "Block React Server Components exploitation attempts",
  "conditions": {
    "all": [
      { "type": "requestMethodMatch", "positiveMatch": true, "values": ["POST"] },
      {
        "type": "requestHeaderMatch",
        "positiveMatch": true,
        "headerName": "*",
        "matchOperator": "MATCHES_REGEX",
        "matchValue": "(?i)(?:next-action|rsc-action-id)",
        "matchCaseSensitive": false
      },
      {
        "any": [
          {
            "type": "contentLengthMatch",
            "positiveMatch": true,
            "matchOperator": "GREATER_THAN",
            "matchValue": 16384
          },
          {
            "all": [
              { "type": "requestBodyMatch", "positiveMatch": true, "matchOperator": "MATCHES_REGEX", "matchValue": "(?i)status\"\\s*:\\s*\"resolved_model\"", "matchCaseSensitive": false },
              { "type": "requestBodyMatch", "positiveMatch": true, "matchOperator": "MATCHES_REGEX", "matchValue": "(?i):constructor", "matchCaseSensitive": false },
              { "type": "requestBodyMatch", "positiveMatch": true, "matchOperator": "MATCHES_REGEX", "matchValue": "(?i)_response\"\\s*:", "matchCaseSensitive": false },
              { "type": "requestBodyMatch", "positiveMatch": true, "matchOperator": "MATCHES_REGEX", "matchValue": "(?i)_formData\"\\s*:", "matchCaseSensitive": false }
            ]
          }
        ]
      }
    ]
  },
  "action": "DENY"
}
Note: Akamai's inspection limit means bypasses above 16KB are possible. This rule blocks oversized requests and also pattern-matches exploit signatures for requests under the limit.
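The three vendor rules above and the recommendation in section 2 share one decision: a POST carrying a `next-action` or `rsc-action-id` header is blocked when its body exceeds the inspection limit, or when the inspected body contains all four signatures. As an added example, not code from Cloudflare, AWS, Akamai or this page's authors, the Node.js script below reimplements that decision so you can reason about it before deploying: `patternOnlyVerdict` models a WAF that pattern-matches only the first N bytes, `sizeAwareVerdict` adds the size rule, and both run over constructed sample requests. The header names, signature regexes and plan limits are taken from this page; the sample bodies, the `next-action` value and the 9 KB "legitimate form" are constructed, not captured traffic.

```javascript
// Added example: reference implementation of the rule logic on this page.
// Not vendor code; sample requests below are constructed, not real traffic.

// Header names the vendor rules match, case-insensitive.
const RSC_HEADER = /^(?:next-action|rsc-action-id)$/i;

// Body signatures taken from the vendor rules above; all four must match.
const BODY_MARKERS = [
  /status"\s*:\s*"resolved_model"/i,
  /:constructor/i,
  /_response"\s*:/i,
  /_formData"\s*:/i,
];

// Inspection limits in bytes as stated on this page.
const INSPECTION_LIMITS = {
  cloudflareProBusiness: 8192,
  cloudflareEnterprise: 131072,
  akamai: 16384,
};

function hasRscActionHeader(headers) {
  return Object.keys(headers).some((name) => RSC_HEADER.test(name));
}

function allMarkersPresent(text) {
  return BODY_MARKERS.every((re) => re.test(text));
}

function isServerActionPost(req) {
  return req.method === 'POST' && hasRscActionHeader(req.headers);
}

// Models a WAF that only pattern-matches the first `limit` bytes of the body.
function patternOnlyVerdict(req, limit) {
  if (!isServerActionPost(req)) return 'allow';
  return allMarkersPresent(req.body.slice(0, limit)) ? 'block' : 'allow';
}

// The recommended rule: reject oversized Server Action requests outright,
// then pattern-match whatever fits inside the inspection window.
function sizeAwareVerdict(req, limit) {
  if (!isServerActionPost(req)) return 'allow';
  if (Buffer.byteLength(req.body, 'utf8') > limit) return 'block';
  return allMarkersPresent(req.body) ? 'block' : 'allow';
}

// Constructed sample requests (hypothetical header value and bodies).
const LIMIT = INSPECTION_LIMITS.cloudflareProBusiness;
const actionHeaders = { 'content-type': 'text/plain;charset=UTF-8', 'next-action': 'a1b2c3' };
const SIGNATURE_BODY = '{"status":"resolved_model","_response":{},"_formData":{},"v":":constructor"}';

const SAMPLES = {
  // Ordinary small Server Action call: must stay allowed.
  benignAction: { method: 'POST', headers: actionHeaders, body: '["hello"]' },
  // Plain page fetch without an action header: never evaluated by the rule.
  pageGet: { method: 'GET', headers: {}, body: '' },
  // Small body carrying all four signatures: caught by pattern matching alone.
  signatureInFront: { method: 'POST', headers: actionHeaders, body: SIGNATURE_BODY },
  // Same signatures pushed past the inspection window by junk padding.
  signaturePastLimit: { method: 'POST', headers: actionHeaders, body: 'x'.repeat(LIMIT) + SIGNATURE_BODY },
  // Legitimate 9 KB form submission: the size rule blocks it (the false positive the page warns about).
  largeLegitimateForm: { method: 'POST', headers: actionHeaders, body: '["' + 'a'.repeat(9000) + '"]' },
};

// Runs both verdict functions over every sample for a given inspection limit.
function evaluateAll(limit = LIMIT) {
  const out = {};
  for (const [name, req] of Object.entries(SAMPLES)) {
    out[name] = {
      patternOnly: patternOnlyVerdict(req, limit),
      sizeAware: sizeAwareVerdict(req, limit),
    };
  }
  return out;
}

console.table(evaluateAll());
```

Running it prints one row per sample: the padded request is the only one where the two columns disagree (pattern-only allows it, size-aware blocks it), which is exactly the bypass the page describes, and the 9 KB form row shows the cost of the size rule, so route large uploads through API routes or signed URLs before enabling it. Change `LIMIT` to `INSPECTION_LIMITS.cloudflareEnterprise` to see that a higher inspection window also lets the pattern-only check catch the padded request.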

4 Detections

YARA Rules

Community-contributed YARA rules by Florian Roth to detect exploitation attempts, webshell indicators, and PoC payloads related to CVE-2025-55182 and CVE-2025-66478.

react_pocs_indicators_dec25.yar (Neo23x0/signature-base on GitHub)

5 Exploitation in the Wild

Reports and analysis of active exploitation attempts observed in the wild.