React2Shell: Critical Security Vulnerability in Next.js and React – Act Now!

Status at WZ-IT: We have already updated all customer systems under our management to patched versions. With this post, we want to help spread awareness about the urgency of this vulnerability so that as many systems as possible get patched quickly.
On December 3, 2025, one of the most severe security vulnerabilities in recent years was disclosed in the JavaScript ecosystem: CVE-2025-55182, also known as React2Shell. With a CVSS score of 10.0 (maximum), this is a critical Remote Code Execution (RCE) vulnerability affecting millions of web applications.
If you're using Next.js or React Server Components: Stop everything else and patch immediately.
Table of Contents
- What is React2Shell?
- Technical Details
- Affected Versions
- Patched Versions
- Active Exploitation
- Immediate Actions
- Am I Affected?
- WAF Protection Is Not Enough
- Conclusion
- Sources
What is React2Shell?
React2Shell is an Unsafe Deserialization Vulnerability in React Server Components. The vulnerability was discovered by security researcher Lachlan Davidson and reported to the Meta team on November 29, 2025.
The problem lies in the Flight Protocol – the serialization format that React Server Components use for communication between server and client. Due to improper validation of incoming payloads, attackers can execute arbitrary code on the server.
Critical: Standard Next.js applications created with `create-next-app` are vulnerable without any code changes.
Technical Details
The vulnerability affects the deserialization logic in React Server Components:
- CVE-2025-55182: The main vulnerability in React Server Components
- CVE-2025-66478: The specific manifestation in Next.js
When a server receives a specially crafted payload, its structure is not validated correctly. Attacker-controlled data can therefore steer the server-side execution logic, ending in arbitrary JavaScript running with the privileges of the server process. No authentication is required.
Affected packages:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Affected frameworks:
- Next.js (App Router)
- React Router (with RSC)
- Waku
- @parcel/rsc
- @vitejs/plugin-rsc
- rwsdk
Affected Versions
React Server Components
| Affected Version | Patched Version |
|---|---|
| 19.0.0 | 19.0.1 |
| 19.1.0, 19.1.1 | 19.1.2 |
| 19.2.0 | 19.2.1 |
Next.js
| Affected Version | Patched Version |
|---|---|
| 15.0.x | 15.0.5 |
| 15.1.x | 15.1.9 |
| 15.2.x | 15.2.6 |
| 15.3.x | 15.3.6 |
| 15.4.x | 15.4.8 |
| 15.5.x | 15.5.7 |
| 16.0.x | 16.0.7 |
Canary versions:
- Next.js 14 canaries newer than 14.3.0-canary.76 → Downgrade to 14.3.0-canary.76 (stable 14.x releases are not affected)
- Next.js 15 canaries before 15.6.0-canary.58 → Upgrade to 15.6.0-canary.58
- Next.js 16 canaries before 16.1.0-canary.12 → Upgrade to 16.1.0-canary.12
Patched Versions
React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7
Active Exploitation
The vulnerability is being actively exploited.
According to the AWS Security Blog, Amazon Threat Intelligence Teams observed active exploitation attempts within hours of disclosure on December 3, 2025, by multiple state-sponsored groups, including:
- Earth Lamia (China-nexus)
- Jackpot Panda (China-nexus)
Wiz Research reports that 39% of all cloud environments contain instances of Next.js or React in vulnerable versions. More than 968,000 servers have been identified as potentially vulnerable.
Since December 5, 2025 at 6:00 UTC, successful compromises have been observed.
Immediate Actions
1. Check Version
```javascript
// In the browser developer tools, on a page of your app: shows the Next.js
// version that is actually running in the deployment
next.version
```
```shell
# Declared version range in the repository
grep -E '"next"' package.json
# Installed version, i.e. what the build actually bundles
npm ls next
```
2. Automatic Patching (Next.js)
Vercel has provided an npm package:
```shell
npx fix-react2shell-next
```
3. Manual Update
```shell
# For Next.js 15.5.x
npm install next@15.5.7
# For Next.js 16.0.x
npm install next@16.0.7
# Other 15.x lines: use the patched release for your line from the table above
# (15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8)

# Standalone React Server Components (no Next.js): the vulnerable code lives in
# the react-server-dom-* package you use; move it, together with react and
# react-dom, to the patched release of your line (19.0.1, 19.1.2 or 19.2.1), e.g.
npm install react@19.2.1 react-dom@19.2.1 react-server-dom-webpack@19.2.1
```
Check the lockfile afterwards: the installed version is what matters, not the range in package.json.
4. Redeploy
After updating, you must rebuild and redeploy your application. A simple server restart is not sufficient, because the vulnerable code is compiled into the existing build output.
5. Check Logs
Review your application logs for:
- Unexpected POST requests: to routes that normally only serve GET, from non-browser user agents, or in bursts from a single client
- Spikes in function timeouts or 5xx errors, which failed or slow exploit attempts can produce
- Signs of post-exploitation on the host: unexpected child processes, outbound connections, or modified files
Patching closes the entry point but does not evict an attacker who already got in. Treat any host showing such indicators as a potential compromise, follow your incident response process, and rotate secrets the application could read.
Am I Affected?
You are affected if:
- ✅ You use Next.js with the App Router on 15.0.0 - 16.0.6 (or one of the affected canary ranges above)
- ✅ You use React Server Components through one of the frameworks listed above in an affected version
- ✅ Your application renders any React Server Components on the server, even for a single route
You are NOT affected if:
- ❌ You only use client-side React without a server
- ❌ You don't use a framework/bundler with React Server Components support
- ❌ You use Next.js with the Pages Router only (no App Router routes at all)
- ❌ You use a stable Next.js 14.x release without canary features
Quick Test
Run in the browser console on a page of your app:
```javascript
next.version
```
Compare the result with the affected versions above. This reads the version from the client runtime of the running deployment, so it checks what is actually live rather than what your repository declares. It does not tell you whether the App Router is in use; check that separately.
WAF Protection Is Not Enough
Vercel, Cloudflare, AWS, Akamai, Fastly, and Google Cloud have deployed WAF rules that block known exploit patterns. However:
WAF rules are only an additional layer of defense. They cannot block all possible variants of an attack. Upgrading to a patched version is the only complete solution.
Since December 5, 2025, Vercel also blocks new deployments of projects with vulnerable Next.js versions.
Conclusion
CVE-2025-55182 (React2Shell) is one of the most critical vulnerabilities ever to hit the JavaScript ecosystem:
- CVSS 10.0 – Maximum Severity
- Remote Code Execution without authentication
- Active exploitation by state actors
- Millions of affected applications
Act now:
- Check your Next.js/React version
- Update to a patched version
- Redeploy your application
- Review your logs for suspicious activity
The good news: Patches are available and the update is straightforward in most cases.
Our Support
Unsure if your systems are affected, or need help patching? WZ-IT can help:
- Rapid security audits of your web infrastructure
- Patch management and deployment support
Sources
- Vercel Blog: Resources for protecting against 'React2Shell'
- React.dev: Critical Security Vulnerability in React Server Components
- AWS Security Blog: China-nexus cyber threat groups rapidly exploit React2Shell vulnerability
- Wiz Blog: Critical RCE Vulnerabilities Discovered in React & Next.js
- Tenable: React2Shell RCE (CVE-2025-55182)
- Datadog Security Labs: CVE-2025-55182 (React2Shell)
- Help Net Security: Max-severity vulnerability in React, Node.js patched
- The Hacker News: Critical RSC Bugs in React and Next.js Allow Unauthenticated Remote Code Execution
- Rapid7: React2Shell, Critical unauthenticated RCE affecting React Server Components
- react2shell.com
Frequently Asked Questions
What is React2Shell?
React2Shell is a critical security vulnerability (CVSS 10.0) in React Server Components that enables Remote Code Execution on the server. Attackers can execute arbitrary code on affected servers through manipulated payloads.
Which React Server Components versions are affected?
Affected are React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. Patched versions are 19.0.1, 19.1.2, and 19.2.1.
Which Next.js versions are affected?
Affected are Next.js 15.0.0 through 16.0.6. Patched versions: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7.
Is my application affected?
Yes, if you use React Server Components or Next.js with App Router in an affected version. Standard create-next-app projects are vulnerable without any code changes.
Is the vulnerability being exploited?
Yes. Exploitation attempts have been observed since the disclosure on December 3, 2025, and successful compromises since December 5, 2025, including by state-sponsored groups. Immediate patching is mandatory.
How do I patch?
Vercel provides an npm package: `npx fix-react2shell-next`. Alternatively, manually update to a patched version and redeploy.
Are WAF rules enough?
WAF rules (e.g., from Cloudflare, AWS, Vercel) provide additional protection but cannot block all variants. Upgrading to a patched version is the only complete solution.
Are pure client-side React apps affected?
No. The vulnerability only affects server-side React components (React Server Components). Pure client-side React applications without server rendering are not affected.
Timo Wevelsiep & Robin Zins
CEOs of WZ-IT



