FortiNDRCloud
SaaS based NDR solution providing 365 days data retention, along with Technical Success Manager
kcheung
Staff
Article Id 425701
Description

A critical remote code execution (RCE) vulnerability exists in React Server Components (RSC) and in frameworks built on the Flight protocol, including affected versions of Next.js.

 

React Server Components let developers render parts of a React app on the server and send a lightweight UI to the browser for faster, efficient web apps.

 

Frameworks using the Flight protocol (such as Next.js) run React components on the server and send only the rendered UI to the browser, reducing the JavaScript the client needs to run. The same protocol also carries client-to-server requests that the server deserializes, so a server that accepts Flight payloads from unauthenticated clients is processing attacker-controlled input.

 

CVE-2025-55182 is a remote code execution (RCE) vulnerability in React Server Components (RSC) that allows unauthenticated attackers to execute arbitrary code on the affected server.

 

The following versions of React Server Components (RSC) are vulnerable to CVE-2025-55182:

  • React 19.0, 19.1.0, 19.1.1, and 19.2.0

CVE-2025-66478 is a remote code execution (RCE) vulnerability in the Next.js implementation of React Server Components that allows unauthenticated attackers to execute arbitrary code on the affected server.

 

The following versions of Next.js are vulnerable to CVE-2025-66478:

  • 15.0.0–15.0.4
  • 15.1.0–15.1.8
  • 15.2.0–15.2.5
  • 15.3.0–15.3.5
  • 15.4.0–15.4.7
  • 15.5.0–15.5.6
  • 16.0.0–16.0.6
  • 14.3.0-canary.77 and later canary releases

Because React and Next.js are widely deployed in production, organizations should update to patched versions promptly and hunt for signs of exploitation.
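As an added example (not code from the Fortinet article, from React or from Next.js), the following Node.js script checks installed package versions against the version lists above. It assumes that the RSC versions apply to the react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack packages, that "later canary releases" means any Next.js canary build above 14.3.0-canary.77, and that the inventory holds the exact versions installed under node_modules rather than the ranges declared in package.json; the sample inventory at the bottom is constructed.

```javascript
// Added example, not code from the Fortinet article, React or Next.js:
// check installed package versions against the vulnerable versions the
// article lists for CVE-2025-55182 (React Server Components) and
// CVE-2025-66478 (Next.js). Mapping the RSC versions to the
// react-server-dom-* packages and reading "later canary releases" as any
// canary above 14.3.0-canary.77 are this example's assumptions.

// Parse "MAJOR.MINOR[.PATCH][-PRERELEASE]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return {
    major: Number(m[1]),
    minor: Number(m[2]),
    patch: m[3] === undefined ? 0 : Number(m[3]), // "19.0" is read as 19.0.0
    pre: m[4] ? m[4].split('.') : null,           // e.g. ["canary", "77"]
  };
}

// Compare MAJOR.MINOR.PATCH only; returns -1, 0 or 1.
function cmpCore(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  return 0;
}

// Vulnerable versions exactly as listed in the article.
const RSC_VULNERABLE = ['19.0.0', '19.1.0', '19.1.1', '19.2.0'];
const NEXT_VULNERABLE_RANGES = [
  ['15.0.0', '15.0.4'], ['15.1.0', '15.1.8'], ['15.2.0', '15.2.5'],
  ['15.3.0', '15.3.5'], ['15.4.0', '15.4.7'], ['15.5.0', '15.5.6'],
  ['16.0.0', '16.0.6'],
];
const NEXT_FIRST_VULNERABLE_CANARY = { core: '14.3.0', n: 77 };

// CVE-2025-55182: a stable 19.0.0, 19.1.0, 19.1.1 or 19.2.0 (no prerelease tag).
function rscVulnerable(version) {
  const ver = parseVersion(version);
  return ver.pre === null &&
    RSC_VULNERABLE.some((v) => cmpCore(ver, parseVersion(v)) === 0);
}

// CVE-2025-66478: a listed stable range, or 14.3.0-canary.77 and later canaries.
function nextVulnerable(version) {
  const ver = parseVersion(version);
  if (ver.pre === null) {
    return NEXT_VULNERABLE_RANGES.some(([lo, hi]) =>
      cmpCore(ver, parseVersion(lo)) >= 0 && cmpCore(ver, parseVersion(hi)) <= 0);
  }
  if (ver.pre[0] !== 'canary') return false; // rc/beta builds are not listed, so not flagged
  const c = cmpCore(ver, parseVersion(NEXT_FIRST_VULNERABLE_CANARY.core));
  return c > 0 || (c === 0 && Number(ver.pre[1]) >= NEXT_FIRST_VULNERABLE_CANARY.n);
}

// Package name -> [CVE, check]. The RSC package names are an assumption of
// this example; the article only says "React Server Components".
const CHECKS = {
  next: ['CVE-2025-66478', nextVulnerable],
  'react-server-dom-webpack': ['CVE-2025-55182', rscVulnerable],
  'react-server-dom-parcel': ['CVE-2025-55182', rscVulnerable],
  'react-server-dom-turbopack': ['CVE-2025-55182', rscVulnerable],
};

// Audit a map of installed package name -> exact installed version.
function auditInstalled(installed) {
  const findings = [];
  for (const [name, version] of Object.entries(installed)) {
    const check = CHECKS[name];
    if (check && check[1](version)) {
      findings.push({ package: name, version, cve: check[0] });
    }
  }
  return findings;
}

// Resolve the installed version of one package from a project directory
// (node_modules/<name>/package.json, not the ^range in the project's package.json).
function installedVersion(projectDir, name) {
  const fs = require('fs');
  const path = require('path');
  const file = path.join(projectDir, 'node_modules', name, 'package.json');
  return JSON.parse(fs.readFileSync(file, 'utf8')).version;
}

// Constructed sample inventory (not taken from a real project).
const SAMPLE = {
  next: '15.5.6',
  'react-server-dom-webpack': '19.1.1',
  react: '19.1.1',
  express: '4.19.2',
};

console.log(auditInstalled(SAMPLE)); // flags next and react-server-dom-webpack
```

To run it against a real checkout, build the inventory with installedVersion(projectDir, name) for each package in CHECKS and pass the result to auditInstalled. This is a version-based check only: it tells you which hosts need the patch, not whether they were exploited, so pair it with the NDR detection rule and IOC hunting described below.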

CVE ID
  CVE-2025-55182
  CVE-2025-66478

NDR Cloud Detection Rule
  Available in FortiNDR Cloud v25.4a and later.

  Detection Rule Name: FortiGuard Outbreak Alert: React Server React2Shell Unauthorized Remote Code Execution - CVE-2025-55182
  Category: Attack: Exploitation
  Primary MITRE ID: T1190 - Exploit Public-Facing Application

Playbook
  N/A

Threat Hunting
  FortiNDR Cloud users can use the following IOCs from Fortinet to hunt for activity related to React2Shell remote code execution.
  IOC source: React2Shell | Indicators of Compromise.
  All IOCs relating to React2Shell remote code execution have been added to Threat Intelligence Intel.

Suricata Coverage
  Customers can create custom investigations or detections using the Suricata signatures below:
  2066027 -> ET WEB_SPECIFIC_APPS React Server Components React2Shell Unsafe Flight Protocol Property Access (CVE-2025-55182)
  2066028 -> ET WEB_SPECIFIC_APPS Vite RSC React2Shell Unsafe Flight Protocol Property Access (CVE-2025-55182)
  2066029 -> ET WEB_SPECIFIC_APPS Waku RSC React2Shell Unsafe Flight Protocol Property Access (CVE-2025-55182)

Other Fortinet Products
  For details on mitigating the vulnerability with other Fortinet products, refer to React2Shell Remote Code Execution (FortiGuard Outbreak Alert).