Cyber News

Critical Security Vulnerability: React2Shell

This blog post addresses the critical React2Shell vulnerability disclosed on 3 December 2025 in React Server Components (RSC). It affects applications built with frameworks that use RSC, most notably Next.js.

High-Level Summary 

  • Maximum Risk: This is not a minor bug. It is a critical, unauthenticated remote code execution flaw and must be treated as an immediate emergency by any organisation running an affected site.
  • CVSS Score: 10.0, the maximum CVSS severity.
  • Impact: The flaw lets an attacker run code of their choosing on the server that hosts the application. Anything that server can reach, including session data, credentials, databases and your users' personal information, can then be read or tampered with.
  • Affected Sites: The issue is widespread across sites built on React Server Components, a React 19 feature used by popular frameworks such as Next.js.
  • Mandatory Fix: Developers must apply the specific patched releases listed below without delay and confirm that the deployed build actually contains them.

Key Facts

  • What is it? A critical security vulnerability, dubbed React2Shell, in the React Server Components (RSC) packages, tracked as CVE-2025-55182.
  • What does it allow? Unauthenticated remote code execution (RCE) on the server: a crafted HTTP request to a Server Function endpoint causes attacker-supplied data to be executed while the server deserialises it.
  • Which frameworks are impacted? React 19 frameworks and bundler integrations that use RSC, most notably Next.js (App Router).
  • What is the cause? A flaw in how the RSC runtime deserialises the body of incoming Server Function requests, which allows a malicious payload to be processed and executed instead of rejected.
  • What is the fix? Update the React RSC packages and any RSC-using framework (e.g., Next.js) to the patched versions published by the maintainers, then rebuild and redeploy.
  • Published CVEs:
    • CVE-2025-55182: The underlying vulnerability in the React Server Components packages (react-server-dom-webpack, react-server-dom-turbopack, react-server-dom-parcel)
    • CVE-2025-66478: Published by the Next.js team for the Next.js framework, which ships the affected React code

See the React blog for updated information. 

Affected packages and frameworks 

Impacted packages (the React 19 server-side RSC runtime, one per bundler):

  • react-server-dom-webpack
  • react-server-dom-turbopack
  • react-server-dom-parcel

Affected frameworks and bundler integrations that build on these packages:

  • Next.js
  • React Router
  • Waku
  • @parcel/rsc
  • @vitejs/plugin-rsc
  • rwsdk (RedwoodSDK)

Understanding React2Shell 

This newly disclosed critical vulnerability, named React2Shell, has sent ripples through the React development community. It affects applications that use React Server Components (RSC), a React 19 feature that renders components on the server for performance benefits. The issue lies in the step where the RSC runtime turns an incoming HTTP request into a server-side function call: the request body is deserialised into the arguments of a Server Function. An unauthenticated attacker can send a specially crafted HTTP request to any reachable Server Function endpoint, and when the server deserialises that data the attacker's payload is executed, giving Remote Code Execution (RCE) on the server. No credentials or user interaction are required and the attack is a single request, so exposure is determined entirely by whether a vulnerable version is deployed and reachable from the network. Immediate patching is the only reliable fix.

Lachlan Davidson, who discovered the flaw and reported it to the React team on 29 November 2025, has warned that a number of the proof-of-concept (PoC) exploits circulating online are not genuine. Treat unverified PoCs as untrusted code: confirm exposure by checking the versions you have deployed rather than by running someone else's exploit against your own systems. The researcher continues to publish information at react2shell.com.

Immediate Patching Instructions

The good news is that the React maintainers and framework teams acted quickly: patched versions of the RSC packages and of the affected frameworks (including Next.js) are available.

Update your dependencies immediately. Moving to the latest patched release on your current release line closes this specific vulnerability, but check the version that is actually installed and deployed (the lockfile and the production build), not just the range declared in package.json.

Based on the official advisories for CVE-2025-55182 (React) and CVE-2025-66478 (Next.js), the affected and safe versions are as follows.

1. React Server Components (RSC) Packages

The vulnerability is in the React Server Components packages themselves. If you depend on them directly (react-server-dom-webpack, react-server-dom-turbopack or react-server-dom-parcel), upgrade to the fixed release on your minor line:

Vulnerable versions: 19.0.0, 19.1.0, 19.1.1, 19.2.0

Fixed versions: 19.0.1 (for 19.0.x), 19.1.2 (for 19.1.x), 19.2.1 (for 19.2.x)

Action: Pin the fixed version for your minor line explicitly. npm update only moves within the range already declared in package.json, so after running it confirm in the lockfile that the installed version is one of the fixed releases above.

2. Next.js Framework (App Router)

The App Router is the part of Next.js built on RSC, and Next.js ships its own copy of the affected React code, so you must update the next dependency itself to the patched release for your current release line:

npm install next@15.0.5   # for 15.0.x

npm install next@15.1.9   # for 15.1.x

npm install next@15.2.6   # for 15.2.x

npm install next@15.3.6   # for 15.3.x

npm install next@15.4.8   # for 15.4.x

npm install next@15.5.7   # for 15.5.x

npm install next@16.0.7   # for 16.0.x

Then rebuild and redeploy: a patched package.json that has not been built and shipped protects nothing.
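As an added example (not React's or Next.js's own tooling), the following Node.js script audits an npm package-lock.json against the version tables above and classifies each installed copy of next and of the three react-server-dom-* packages. The fixed-version tables are copied from the two advisories; any minor line the advisories do not list, and any canary or prerelease build, is reported for manual review rather than guessed. Next.js carries its own copy of the RSC runtime inside the next package rather than depending on the npm package, so for App Router applications the next entry is the one that matters. The script name, the sample lockfile and the entries in it are constructed for illustration.

```javascript
// Added example: audit an npm package-lock.json (lockfileVersion 2 or 3) for the
// packages named in the CVE-2025-55182 / CVE-2025-66478 advisories. Not React's
// or Next.js's tooling. Version tables below are copied from the advisories.

// First fixed release on each affected minor line, keyed by "major.minor".
const RSC_FIXED = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };
const FIXED = {
  "react-server-dom-webpack": RSC_FIXED,
  "react-server-dom-turbopack": RSC_FIXED,
  "react-server-dom-parcel": RSC_FIXED,
  next: {
    "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
    "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7",
  },
};

// Parse "major.minor.patch" with an optional "-prerelease" suffix.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(v);
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] !== undefined };
}

// Numeric comparison of [major, minor, patch] triples.
function lessThan(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// Returns "vulnerable", "fixed", "prerelease" (canary/rc: compare by hand against
// the advisory), "unlisted" (minor line not in the advisory tables) or "n/a"
// (package not covered by the advisories).
function classify(name, version) {
  const table = FIXED[name];
  if (!table) return "n/a";
  const v = parseVersion(version);
  if (!v) return "unlisted";
  if (v.prerelease) return "prerelease";
  const fixed = table[`${v.nums[0]}.${v.nums[1]}`];
  if (!fixed) return "unlisted";
  return lessThan(v.nums, parseVersion(fixed).nums) ? "vulnerable" : "fixed";
}

// Walk the "packages" map of the lockfile. Keys are install paths such as
// "node_modules/next" or "node_modules/a/node_modules/next", so nested copies
// (a second, possibly older, install pulled in by another dependency) are seen too.
function scanLock(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!FIXED[name] || !entry.version) continue;
    findings.push({ name, path, version: entry.version, status: classify(name, entry.version) });
  }
  return findings;
}

function auditFile(file) {
  const fs = require("fs");
  return scanLock(JSON.parse(fs.readFileSync(file, "utf8")));
}

// Constructed sample lock (not from a real project), used when no path is given:
// an unpatched Next.js 15.5 app plus a nested, already patched RSC package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/next": { version: "15.5.6" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/tool/node_modules/react-server-dom-webpack": { version: "19.2.1" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const findings = file ? auditFile(file) : scanLock(SAMPLE_LOCK);
  for (const f of findings) {
    console.log(`${f.status.padEnd(11)} ${f.name}@${f.version}  (${f.path})`);
  }
  // Non-zero exit only for a real audit, so CI can fail on a vulnerable lockfile.
  if (file && findings.some((f) => f.status === "vulnerable")) process.exitCode = 1;
}
```

Run it as node audit-react2shell.js package-lock.json in the project root; it exits non-zero when any copy is vulnerable, which makes it usable as a CI gate. It reads the npm lockfile only; with pnpm or yarn, list the installed versions of next and the react-server-dom-* packages with that package manager's own command and compare them against the same tables. A "prerelease" result (Next.js canaries and the React canaries they bundle) is not a clean bill of health and needs a manual check against the advisory.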

How ACDS’ Observatory can help your organisation detect whether your applications are vulnerable

Observatory's enhanced detection techniques can identify whether your applications are vulnerable to the critical React2Shell vulnerability. ACDS is currently reaching out to all customers to aid their investigation efforts so that the vulnerabilities can be patched as quickly as possible. If you are worried about your organisation being affected by CVE-2025-55182 and CVE-2025-66478, get in touch with us at info@acdsglobal.com.

Sources:

  • https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
  • https://nextjs.org/blog/CVE-2025-66478
  • https://react2shell.com/
  • https://nvd.nist.gov/vuln/detail/CVE-2025-55182