
From React to Remote Code – Protecting Against the Critical React2Shell RCE Exposure

5 December 2025 at 18:35

A critical remote code execution (RCE) vulnerability, dubbed ‘React2Shell’, affecting React Server Components (RSC) and Next.js, is allowing unauthenticated attackers to perform server-side code attacks via malicious HTTP requests.

Discovered by Lachlan Davidson, the flaw stems from insecure deserialization in the RSC ‘Flight’ protocol and impacts packages including react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. Exploitation is highly reliable, even in default deployments, and a single request can compromise the full Node.js process. The flaw is being tracked as CVE-2025-55182. Originally tagged as a CVE for Next.js, NIST subsequently rejected CVE-2025-66478, as it is a duplicate of CVE-2025-55182.

This blog post includes the critical, immediate actions recommended to secure your environment, new and existing Platform Detection Rules designed to defend against this vulnerability, and information on how SentinelOne Offensive Security Engine, a core component of the Singularity™ Cloud Security solution, allows our customers to quickly identify potentially vulnerable workloads.

What is React2Shell? Background & Impact

On December 3, 2025, the React and Next.js teams disclosed two related vulnerabilities in the React Server Components (RSC) Flight protocol: CVE-2025-55182 (React) and CVE-2025-66478 (Next.js), with the latter CVE now marked by NIST as a duplicate.

Both enable unauthenticated RCE, impacting applications that use RSC directly or through popular frameworks such as Next.js. These vulnerabilities are rated critical (CVSS 10.0) because exploitation requires only a crafted HTTP request. No authentication, user action, or developer-added server code is needed for an attacker to gain control of the underlying Node.js process.

The vulnerability exists because RSC payloads are deserialized without proper validation, exposing server functions to attacker-controlled inputs. Since many modern frameworks enable RSC as part of their default build, some teams may be exposed without being aware that server-side RSC logic is active in their environment.

Security testing currently shows:

  • Exploitation can succeed with near 100% reliability
  • Default configurations are exploitable, including a standard Next.js app created with create-next-app and deployed with no code changes
  • Applications may expose RSC endpoints even without custom server functions
  • A single malicious request can escalate to full Node.js process compromise

Security researchers warn that cloud environments and server-side applications using default React or Next.js builds are particularly at risk. Exploitation could allow attackers to gain full control over servers, access sensitive data, and compromise application functionality. Reports have already emerged of China-nexus threat groups “racing to weaponize” the flaw.

Available Vendor Mitigations & Immediate Actions

Fixes are available in React 19.0, 19.1.0, 19.1.1, and 19.2.0, and Next.js 5.x, Next.js 16.x, Next.js 14.3.0-canary.77 and later canary releases. Administrators are urged to audit environments and update affected packages immediately.

Companies are advised to review deployments, restrict unnecessary server-side exposure, and monitor logs for anomalous RSC requests. Securing default configurations, validating deserialized input, and maintaining a regular patch management schedule can prevent attackers from exploiting framework-level vulnerabilities in production applications.

  1. Update React by installing the patched versions of React as listed above.
  2. Update Next.js and other RSC-enabled frameworks as listed above. Ensure the latest framework and bundler releases are installed so they ship the patched React server bundles.
  3. Review deployment behavior by checking whether your organization’s workloads expose RSC server function endpoints. These may exist regardless of whether developers added custom server functions.
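
One way to carry out the audit step above, as an added example (not code from SentinelOne, React or Next.js): a Node.js function that lists every copy of the packages named in this post that is recorded in a parsed npm lockfile, nested copies included, so the installed versions can be compared against the vendor advisory. The sample lockfile and its placeholder versions are constructed, and findRscPackages and the other function names are hypothetical.

```javascript
// Added example: inventory RSC-related packages recorded in an npm lockfile.
// Package names come from the advisory text; "next" is watched because the
// advisory lists Next.js as affected. All lockfile data below is constructed.
const WATCHED = new Set([
  "react-server-dom-webpack", "react-server-dom-parcel",
  "react-server-dom-turbopack", "next",
]);

// Lockfile v2/v3: flat "packages" map keyed by install path; the package
// name is everything after the last "node_modules/" (covers scoped names).
function fromPackagesMap(packages) {
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1 || meta.link) continue; // root project or workspace link
    const name = path.slice(idx + "node_modules/".length);
    if (WATCHED.has(name)) hits.push({ name, version: meta.version, path });
  }
  return hits;
}

// Lockfile v1: nested "dependencies" tree; recurse and rebuild the path.
function fromDependencyTree(deps, prefix = "") {
  const hits = [];
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (WATCHED.has(name)) hits.push({ name, version: meta.version, path });
    hits.push(...fromDependencyTree(meta.dependencies, `${path}/`));
  }
  return hits;
}

// Returns every installed copy, nested ones included, sorted by path.
function findRscPackages(lock) {
  const hits = lock.packages
    ? fromPackagesMap(lock.packages) : fromDependencyTree(lock.dependencies);
  return hits.sort((a, b) => (a.path < b.path ? -1 : a.path > b.path ? 1 : 0));
}

// Constructed sample (v3 layout); versions are placeholders, not real releases.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/next": { version: "0.0.0-sample-a" },
    "node_modules/react": { version: "0.0.0-sample-b" },
    "node_modules/x/node_modules/react-server-dom-webpack": { version: "0.0.0-sample-c" },
  },
};

for (const h of findRscPackages(sampleLock)) {
  console.log(`${h.name}@${h.version}  ${h.path}`);
}
```

Pass it the result of JSON.parse on a project's package-lock.json. Because frameworks and bundlers ship the React server bundles themselves, a hit on the framework package matters even when none of the react-server-dom-* names appear.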

How SentinelOne Protects Our Customers

Cloud Native Security – Offensive Security Engine

SentinelOne’s Offensive Security Engine (OSE), a core component of its Singularity Cloud Security solution, proactively distinguishes between theoretical risks and actual threats by simulating an attacker’s methodology. Rather than relying solely on static scans that flag every potential misconfiguration or vulnerability, this engine automatically conducts safe, harmless simulations against your cloud infrastructure to validate exploitability.

This approach delivers differentiated outcomes by radically reducing alert fatigue and focusing security teams on immediate, confirmed dangers. By providing concrete evidence of exploitability, such as screenshots or code snippets of the successful simulation, it eliminates the need for manual validation and “red teaming” of every alert. Security teams shift from chasing hypothetical vulnerabilities to remediating verified attack vectors, ensuring resources are always deployed against the risks that pose a genuine threat to their environment.

In response to this vulnerability, SentinelOne released a new OSE plugin which can verify exploitability of these vulnerabilities for publicly accessible workloads using a defanged (i.e., harmless) HTTP payload.

Viewing Misconfigurations in the SentinelOne Console

SentinelOne customers can quickly identify potentially vulnerable workloads using the Misconfigurations page in the SentinelOne Console.

Search for:

React & Next.js (React Server Components) Versions 19.0.0–19.2.0 Vulnerable to Pre-Authentication Remote Code Execution via Unsafe Deserialization (CVE-2025-55182)

This highlights Node.js workloads that are exposing RSC-related server function endpoints. Once identified, affected assets can be patched or temporarily isolated. SentinelOne CNS also detects suspicious Node.js behavior associated with exploitation attempts, providing protection while updates are deployed.

It identifies verified exploitable paths on your publicly exposed assets, confirming which systems are truly at risk. By validating exploitability rather than simply flagging theoretical vulnerabilities, Singularity Cloud Security minimizes noise and provides concrete evidence so security teams can focus on what matters.

Wayfinder Threat Hunting

The Wayfinder Threat Hunting team is proactively hunting for this emerging threat by leveraging comprehensive threat intelligence. This includes, but is not limited to, indicators and tradecraft associated with known active groups such as Earth Lamia and Jackpot Panda.

Our current operational coverage includes:

  • Atomic IOC Hunting: We have updated our atomic IOC library to include known infrastructure and indicators from these threat actors, as well as broader intelligence regarding this campaign.
  • Behavioral Hunting: We are actively building and executing hunts designed to detect behavioral TTP matches that identify suspicious activity beyond static indicators.

Notification & Response: All identified true positive findings will generate alerts within the console for the affected sites. For clients with MDR, the MDR team will actively review these alerts and manage further escalation as required.

Platform Detection Rules

SentinelOne’s products provide a variety of detections for potential malicious follow-on reverse shell behaviors and other actions which may follow this exploit. As of December 5, 2025, SentinelOne released new Platform Detection Rules specifically to detect observed in-the-wild exploit activity. We recommend customers apply the latest detection rule, Potential Exploitation via Insecure Deserialization of React Server Components (RSC), urgently to ensure maximum protection.

Additionally, SentinelOne recommends customers verify the following existing rules have also been enabled:

  • Potential Reverse Shell via Shell Processes
  • Potential Reverse Shell via Node
  • Potential Reverse Shell via Python
  • Reverse Shell via Perl Utility
  • Potential Reverse Shell via AWK Utility
  • Potential Reverse Shell via GDB Utility
  • Potential Reverse Shell via Lua Utility
  • Potential Reverse Shell via Netcat
  • Potential Reverse Shell using Ruby Utility
  • Potential Reverse Shell via Socat Utility

Conclusion

CVE-2025-55182 and CVE-2025-66478 represent critical risks within the React Server Components Flight protocol. Because frameworks like Next.js enable RSC by default, many environments may be exposed even without intentional server-side configuration. Updating React, updating dependent frameworks, and verifying whether RSC endpoints exist in your organization’s workloads are essential steps.

Singularity Cloud Security helps organizations reduce risk by identifying vulnerable workloads, flagging misconfigurations, and detecting malicious Node.js behavior linked to RCE exploitation. This provides immediate visibility and defense while patches are applied.

Learn more about SentinelOne’s Cloud Security portfolio here or book a demo with our expert team today.

Third-Party Trademark Disclaimer:

All third-party product names, logos, and brands mentioned in this publication are the property of their respective owners and are for identification purposes only. Use of these names, logos, and brands does not imply affiliation, endorsement, sponsorship, or association with the third-party.


This hidden Steam Machine secret is the smoking gun for Half-Life 3

4 December 2025 at 08:15

Half-Life 3, the non-existent sequel to one of the most legendary video game series of all time, has achieved an almost mythical status. It’s been 18 years since Half-Life 2: Episode 2’s cliffhanger ending, without a word from Valve about a follow-up since. However, over the past year, rumors and theories have swirled about Half-Life 3 being announced before the end of the year.

Admins and defenders gird themselves against maximum-severity server vuln

3 December 2025 at 18:16

Security defenders are girding themselves in response to the disclosure of a maximum-severity vulnerability disclosed Wednesday in React Server, an open-source package that’s widely used by websites and in cloud environments.

The vulnerability is easy to exploit and allows hackers to execute malicious code on servers that run it. Exploit code is now publicly available.

React is embedded into web apps running on servers so that remote devices render JavaScript and content more quickly and with fewer resources required. React is used by an estimated 6 percent of all websites and 39 percent of cloud environments. When end users reload a page, React allows servers to re-render only parts that have changed, a feature that drastically speeds up performance and lowers the computing resources required by the server.


Don't Upgrade Your GPU: Try These Other Upgrades First

3 December 2025 at 16:00

When it comes to gaming, PC performance falls behind the cutting edge very quickly. A brand-new game can really make it feel like your PC needs an upgrade, but it's not always a new GPU that would make the biggest difference. Some less obvious upgrades can make an even bigger impact.

Software utilities that shorten your SSD's lifespan

3 December 2025 at 09:30

Because SSDs don't use physical storage, it's easy to assume that they don't really suffer from wear and tear. However, you can still digitally run down the lifespan of an SSD if you use certain software utilities with it. If you want to maximize its lifespan, steer clear of these things.

Surprise: These old CPUs are officially NOT too old for 2025

2 December 2025 at 16:00

PC builders love installing the latest and shiniest CPUs in their systems. This is generally a good thing, as current-generation chips typically deliver excellent performance at a reasonable cost. And they won’t bottleneck your graphics card in games—unlike some older chips that have aged like fine milk.

Your motherboard might be secretly killing your CPU — here's how to check

30 November 2025 at 11:15

Modern PCs can set you back by a considerable amount, so it makes sense to protect your hardware from heat and excessive voltage. Over the past few years, there’s been a noticeable rise in CPU failures linked to overvolting on default motherboard settings. What’s causing this, and is there a way to prevent it?

Want to fix your own PC? These cheap tools are essential in my toolbox

29 November 2025 at 11:45

Do you wish you didn't have to take your PC to computer technicians? I'm regularly opening my PC to replace parts, clean dust out, and check for loose connections, and I can tell you the most important aspect is having the right tools for the job.

Are you ready for a $1,000 Steam Machine? Some analysts think you should be.

13 November 2025 at 16:57

If you ask random gamers what price they think Valve will charge for its newly announced Steam Machine hardware, you’ll get a wide range of guesses. But if you ask the analysts who follow the game industry for a living the same question… well, you’ll actually get the same wide range of (somewhat better-informed) guesses.

At the high end of those guesses are analysts like F-Squared’s Michael Futter, who expects a starting price of $799 to $899 for the entry-level 512GB Steam Machine and a whopping $1,000 to $1,100 for the 2TB version. With internal specs that Futter says “will rival a PS5 and maybe even hit PS5 Pro performance,” we can expect a “hefty price tag” from Valve’s new console-like effort. At the same time, since Valve is “positioning this as a dedicated, powerful gaming PC… I suspect that the price will be below a similarly capable traditional desktop,” Futter said.

DFC Intelligence analyst David Cole similarly expects the Steam Machine to start at a price “around $800” and go up to “around $1,000” for the 2TB model. Cole said he expects Valve will seek “very low margins” or even break-even pricing on the hardware itself, which he said would probably lead to pricing “below a gaming PC but slightly above a high-end console.”


Microsoft Is Testing Universal RGB Control in Windows 11

10 February 2023 at 16:18

Since RGB software entered the PC market many moons ago, it’s been a disorganized mess. Every company that makes hardware with RGB has its own software to control it. Few of these utilities, if any, can sync with one another. So you might have Corsair RAM, an Asus GPU/motherboard, and an NZXT CPU cooler, all with RGB. Good luck getting any synced-up lighting pattern going between those components.

This fractured RGB software ecosystem has been the bane of bling-loving gamers for years. Additionally, the software is usually unintuitive and crash-y. At least, that’s our experience with utilities from Gigabyte, Asus, MSI, and Corsair. Now Microsoft is stepping into this quagmire with what could be a divine solution: integrating RGB control directly into Windows 11.

News of Microsoft’s plans was revealed in a recent Insider build. It shows a new section named “Lighting” listed under the Personalization area in Settings. Twitter user @albacore posted screenshots showing various RGB devices listed in the menu. They include a mouse, an Asus CPU cooler, a Steam Deck, and a generic keyboard. This still leaves out memory, mousepads, and GPUs, but it does seem to include all RGB devices connected to the system. This isn’t the case with most current RGB software, which usually only shows devices from the software manufacturer.

(Image: @albacore on Twitter)

A second panel allows you to tweak each device’s lighting. The options are limited; instead of getting about a dozen presets to choose from, there’s just a handful. The lighting effects seem limited to a solid color, blinking, or a rainbow. That’s quite pedestrian, at least compared with our personal experience using Corsair iCue. This software presents myriad options and also allows you to download custom profiles.

(Image: @albacore on Twitter)

What’s interesting is the source also posted a link to a request made by a Microsoft employee to create this in 2018. The technical paper clearly states the problem: a wide range of devices have “lamps” with no universal location to control them. According to OP, it was thought that work on this feature was cancelled, which apparently isn’t the case. It now appears in Insider Build 25295, even though Microsoft didn’t mention it in the release notes.

Even the most jaded Windows user would welcome this addition to Windows. In fact, this feature alone could be enough to convince people to “upgrade” to Windows 11, in our opinion. It’s been such a long-running national nightmare that a lot of users have given up on the dream of ever unifying all of their RGB lighting. There are alternatives like OpenRGB, but it’s not easy to use in our experience. Plus, in addition to making it easier to control lighting, you’d no longer have to install four or more separate utilities to change the lighting on something. If you’re reading this, Microsoft, please bring this to the masses as soon as possible.
