A Critical Vulnerability in the React Ecosystem
A critical remote code execution (RCE) vulnerability, nicknamed React2Shell and tracked as CVE-2025-6678, has been discovered in React Server Components. This is a high-severity flaw that could allow an attacker to take control of your server.
This post will break down what the vulnerability is, who is affected, and what you need to do immediately to protect your applications.
What is the React2Shell Vulnerability?
The React2Shell vulnerability is a critical security issue that affects applications using React Server Components. It allows an unauthenticated attacker to execute arbitrary code on the server by sending a specially crafted HTTP request.
The vulnerability resides in the react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack packages. The root cause is a deserialization issue in how React Server Components handle data from the client.
Are You Affected?
The vulnerability impacts specific versions of React and frameworks that use React Server Components.
Affected React Versions:
- react-server-dom-webpack: 19.0, 19.1.0, 19.1.1, 19.2.0
- react-server-dom-parcel: 19.0, 19.1.0, 19.1.1, 19.2.0
- react-server-dom-turbopack: 19.0, 19.1.0, 19.1.1, 19.2.0
Affected Frameworks:
- Next.js: Versions 15.0.0 through 16.0.6, and some canary versions of 14.x.
- React Router: Unstable RSC APIs.
- Other frameworks and bundlers: Waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk.
How to Check Your Application
The community has quickly responded with tools to help you determine if your project is vulnerable.
You can check your project by running the following command in your project's root directory:
npx react2shell-guard
This command will analyze your dependencies and inform you if your project is using an affected version.
How to Fix the Vulnerability
The most critical step is to upgrade your dependencies to the patched versions.
For Next.js Applications
If you are using Next.js, you should upgrade to the latest version of Next.js, which will include the patched version of React. The patched versions for Next.js are:
- 15.0.x: 15.0.5 or newer
- 15.1.x: 15.1.9 or newer
- 15.2.x: 15.2.6 or newer
- 15.3.x: 15.3.6 or newer
- 15.4.x: 15.4.8 or newer
- 15.5.x: 15.5.7 or newer
- 16.0.x: 16.0.7 or newer
You can use the fix-react2shell-next tool provided by Vercel to automatically upgrade your dependencies.
Run the following command in your project's root directory:
npx fix-react2shell-next
This will update your package.json to use a patched version of Next.js. After running the command, be sure to install the updated dependencies:
npm install
# or
yarn install
# or
pnpm install
For Other Frameworks
If you are not using Next.js, you need to manually update your React packages to the patched versions:
- React 19.0.x: Upgrade to 19.0.1
- React 19.1.x: Upgrade to 19.1.2
- React 19.2.x: Upgrade to 19.2.1
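As an added example (not the code of react2shell-guard or fix-react2shell-next), the following Node script applies the affected and patched version tables from the "Are You Affected?" and "How to Fix" sections above to the resolved versions in a package-lock.json. The lock shown is constructed; canary and other prerelease builds are only flagged for manual review because this post does not enumerate them.

```javascript
// Added example (not react2shell-guard's code): check resolved lockfile versions against this post's tables.
// Minimum patched release per affected minor line, as listed in the post.
const REACT_FIXES = { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' };
const PATCHED = {
  'react-server-dom-webpack': REACT_FIXES,
  'react-server-dom-parcel': REACT_FIXES,
  'react-server-dom-turbopack': REACT_FIXES,
  next: { '15.0': '15.0.5', '15.1': '15.1.9', '15.2': '15.2.6', '15.3': '15.3.6',
          '15.4': '15.4.8', '15.5': '15.5.7', '16.0': '16.0.7' },
};
// Parse "MAJOR.MINOR[.PATCH][-prerelease]"; a missing PATCH (as in "19.0") means .0.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?(-[\w.]+)?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: m[3] === undefined ? 0 : +m[3], pre: !!m[4] };
}
function lessThan(a, b) {
  if (a.major !== b.major) return a.major < b.major;
  if (a.minor !== b.minor) return a.minor < b.minor;
  return a.patch < b.patch;
}
// 'vulnerable' | 'patched' | 'unaffected' | 'unknown' (unparseable) | 'check-manually' (canary/prerelease)
function assess(name, version) {
  const fixes = PATCHED[name];
  if (!fixes) return 'unaffected';
  const p = parseVersion(version);
  if (!p) return 'unknown';
  if (p.pre) return 'check-manually';
  const fix = fixes[`${p.major}.${p.minor}`];
  if (!fix) return 'unaffected'; // minor line not in the affected table
  return lessThan(p, parseVersion(fix)) ? 'vulnerable' : 'patched';
}
// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json (keys are node_modules paths).
function scanLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path || !meta.version) continue; // "" is the project root itself
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const status = assess(name, meta.version);
    if (status !== 'unaffected') findings.push({ name, version: meta.version, status });
  }
  return findings;
}
// Constructed sample lock (not from a real project); pass a real file's parsed JSON instead.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  'node_modules/next': { version: '15.5.6' },
  'node_modules/react-server-dom-webpack': { version: '19.2.0' },
  'node_modules/some-tool/node_modules/next': { version: '16.0.7' },
} };
console.log(scanLock(SAMPLE_LOCK));
```

Nested copies under a dependency's own node_modules are checked too, since a transitive copy of an affected package is just as reachable at runtime.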
Rotate Your Secrets
Because this vulnerability allows for remote code execution, it is crucial that you rotate any secrets and credentials that your application has access to. This includes API keys, database passwords, and any other sensitive information. Rotate them after the upgrade is deployed, since new secrets placed on a still-vulnerable server can be exposed again.
Conclusion
The React2Shell vulnerability is a serious threat, but the fix is relatively straightforward. It is essential to act now to protect your applications and your users' data.
- Check your application for the vulnerability using npx react2shell-guard.
- Upgrade your dependencies using npx fix-react2shell-next for Next.js or by manually updating your React packages.
- Rotate your secrets.
Stay safe, and keep your applications secure!
Disclaimer: This blog post is based on the information available from the official React and Vercel announcements. Please refer to the official sources for the most up-to-date information.