virus logo Intrusion Prevention

React.Server.Components.react-flight.Remote.Code.Execution

description-logoDescription

This indicates an attack attempt to exploit an Remote Code Execution Vulnerability in React Server Components.
The vulnerability is due to insufficient sanitizing of user supplied inputs in the application. A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted request to the target server. Successful exploitation could lead to remote code execution.

description-logoOutbreak Alert

React2Shell is a critical unauthenticated remote code execution (RCE) vulnerability affecting React Server Components (RSC) and frameworks that implement the Flight protocol, including specific vulnerable versions of Next.js. A remote attacker can craft a malicious RSC request that triggers server-side deserialization, leading to arbitrary code execution without authentication or user interaction.

View the full Outbreak Alert Report

This report provides an overview of ongoing Iran-linked cyber operations, highlighting activity attributed to state-aligned proxies and hacktivist groups. The vulnerabilities listed are suspected to be exploited by actors associated with Iran in real-world campaigns, consistent with observed tactics, techniques, and procedures (TTPs). Iran-linked operations continue to rely on distributed, lower-complexity techniques, including phishing, DDoS, data exfiltration, and destructive attacks. Initial access is primarily achieved through exploitation of known, unpatched vulnerabilities and exposed edge infrastructure, reflecting a persistent and opportunistic threat posture targeting government, critical infrastructure, and enterprise environments.

View the full Outbreak Alert Report

affected-products-logoAffected Products

React Server Component react-server-dom-webpack 19.0, 19.1.0, 19.1.1, and 19.2.0
React Server Component react-server-dom-parcel 19.0, 19.1.0, 19.1.1, and 19.2.0
React Server Component react-server-dom-turbopack 19.0, 19.1.0, 19.1.1, and 19.2.0

Impact logoImpact

System Compromise: Remote attackers can gain control of vulnerable systems.

recomended-action-logoRecommended Actions

Apply the most recent upgrade or patch from the vendor:
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

Coverage

IPS (Regular DB)
IPS (Extended DB)

Version Updates

Date Version Status Detail
2026-02-05 35.164
Modified
 Sig Added
2025-12-11 35.133
Modified
 Default_action:pass:drop
2025-12-09 35.131
Modified
 Sig Added
2025-12-09 35.130
Modified
 Sig Added
2025-12-08 35.129
New
ID 59644
Created Dec 05, 2025
Updated Mar 11, 2026
CVE ID
Tags React2Shell RCE Iran-linked Cyber Attacks Threat Signal
Risk black-background-circle-icon black-background-circle-icon black-background-circle-icon black-background-circle-icon lightgray-background-circle-icon
Known Exploited Yes
Exploit Prediction Score 86.19%
Default Action drop
Active
Affected OS Windows, Linux, MacOS
Affected App Other
Profile Type Permission/Privilege/Access Control