Wasabi statement on REACT security vulnerability


Dec 3, 2025: Wasabi is aware of the React2Shell vulnerability, also referred to as CVE-2025-66478, and has completed verification that this issue does not affect any Wasabi products or services.

A critical remote code execution (RCE) vulnerability with a CVSS score of 10.00 was disclosed in React Server Components and Next.js on December 3, 2025, and designated as CVE-2025-66478 with the highest severity rating of 10. The flaw has been dubbed REACT and affects a large portion of JavaScript applications.

The vulnerability allows an unauthenticated attacker to execute arbitrary code on a server using nothing more than a crafted HTTP request. React Server Components (RSC) use a serialized transport format, “Flight”, to send structured component data and server function calls between the client and server. The vulnerability is a logic flaw in how React deserializes incoming RSC payloads.

From the REACT CVE-2025-66478 detail: “On November 29th, Lachlan Davidson reported a security vulnerability in React that allows unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components. This vulnerability was disclosed as CVE-2025-55182 and is rated CVSS 10.0.”

NIST also released CVE-2025-66478 detail: “A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.”
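A dependency check for the packages and versions named in the NIST text above, as an added example (not Wasabi's or React's code). It assumes the npm lockfile v2/v3 layout, where `packages` maps install paths to metadata; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag lockfile entries that match the packages and versions
// listed in the NIST detail quoted above.
// Assumption: npm lockfile v2/v3, where "packages" maps install paths
// to objects carrying a "version" (and "name" for aliased installs).
const AFFECTED_PACKAGES = new Set([
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
  "react-server-dom-webpack",
]);
const AFFECTED_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(installPath) {
  const marker = "node_modules/";
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? "" : installPath.slice(idx + marker.length);
}

// Returns one finding per matching install, including nested copies.
function findAffected(lockfile) {
  const findings = [];
  for (const [installPath, meta] of Object.entries(lockfile.packages || {})) {
    if (!meta) continue;
    const name = meta.name || packageNameFromPath(installPath);
    if (AFFECTED_PACKAGES.has(name) && AFFECTED_VERSIONS.has(meta.version)) {
      findings.push({ name, version: meta.version, path: installPath });
    }
  }
  return findings;
}

// Constructed sample lockfile (not taken from any real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.1.0" },
    "node_modules/react-server-dom-webpack": { version: "19.1.0" },
    "node_modules/some-framework/node_modules/react-server-dom-turbopack": { version: "19.2.0" },
    "node_modules/react-server-dom-parcel": { version: "0.0.0" }, // unlisted version
  },
};

for (const f of findAffected(sampleLock)) {
  console.log(`${f.name}@${f.version} at ${f.path}`);
}
```

An empty result only means none of the listed package versions appear in that lockfile; the statement above also names Next.js as affected, which this list does not cover.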


Wasabi is aware of the vulnerability and has completed verification that this issue does not affect any Wasabi products or services.

This includes our service itself as well as Wasabi Hot Cloud Storage, Wasabi Account Control Manager, Wasabi Cloud NAS, Wasabi Surveillance Cloud, Wasabi AiR, and Wasabi File Acceleration.

Keeping our customers and their data secure is always our top priority. Wasabi continually tests and monitors our systems for vulnerabilities such as this. We have taken active steps to ensure that no Wasabi customer is exposed to these types of vulnerabilities. At the time of this knowledge base posting, Wasabi has not received any information to indicate that these types of vulnerabilities have been used to attack the Wasabi infrastructure or in any way impact the integrity of customer data stored with the Wasabi service.