# React2Shell (CVE-2025-55182)

A critical deserialization vulnerability in React Server Components allows remote attackers to execute arbitrary code on servers running Next.js applications with the App Router. The React Flight protocol fails to properly validate serialized component data from HTTP requests, enabling attackers to inject malicious payloads that execute when deserialized. Exploitation requires no authentication and can be triggered with a single HTTP request.