DEV Community

Jramone3
“React2Shell (CVE‑2025‑55182) and Next.js/Auth0 Migration”

On November 29, 2025, Vercel’s security team, led by Talha Tariq (CISO), disclosed the critical vulnerability CVE‑2025‑55182, nicknamed React2Shell.

This flaw affects React Server Components and Next.js, enabling unauthenticated remote code execution (RCE). Severity is maximum (CVSS 10), and public exploits are already circulating. Vercel blocked vulnerable deployments and urged immediate updates.


🔎 The real challenge for developers

Updating is not always straightforward. In real environments we found:

  • Next.js 16.0.3 → vulnerable.
  • Next.js 13.5.11 → obsolete, broken dependencies.
  • npm conflicts: ERESOLVE unable to resolve dependency tree.
  • Obsolete packages: references to @next/swc@13.5.11 causing 404 errors.
  • Turbopack: experimental, incompatible with Auth0 v4.13.2.
  • Tailwind: utilities in globals.css not supported.
  • Auth0: v3 API deprecated, v4 requires individual routes and migration to proxy.ts.

🛠️ Solution paths

1. Direct update with --legacy-peer-deps

```bash
rm -rf node_modules package-lock.json
npm install next@16.0.7 react@19.0.1 react-dom@19.0.1 --legacy-peer-deps
```

✔ Fast, keeps current project. ✘ May drag obsolete dependencies.

2. Stay on React 18

```bash
npm install next@16.0.7 react@18.3.1 react-dom@18.3.1 --legacy-peer-deps
```

✔ Fewer conflicts. ✘ Misses React 19 improvements.

3. Clean migration

```bash
npx create-next-app@latest safe_project
cd safe_project
npm install next@16.0.7 react@19.0.1 react-dom@19.0.1
```

✔ Modern, secure environment. ✘ Requires manual code migration.

4. Disable Turbopack, use Webpack

```js
// next.config.js
// Declaring a webpack config function is the post's way of opting the
// project out of Turbopack; the function returns the config unchanged.
const nextConfig = {
  webpack: (config) => config,
};
module.exports = nextConfig;
```

✔ Stable with critical libraries. ✘ Loses experimental improvements.

5. Specific adjustments

  • Tailwind: apply classes directly in JSX/TSX, not in globals.css.
  • Auth0: use v4 API with individual routes (login.ts, logout.ts, callback.ts, me.ts).
  • Middleware: migrate from middleware.ts to proxy.ts.
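As an added example (not code from the original post), a small Node script that audits package-lock.json against the target versions used in the update commands above. The lockfile content is constructed, and treating next@16.0.7, react@19.0.1 and react-dom@19.0.1 as the minimum bar is an assumption taken from those commands:

```javascript
// Added example, not from the original post: after one of the update paths
// above, confirm that package-lock.json really resolves the versions the
// post targets. A --legacy-peer-deps install can leave a nested duplicate of
// an older package behind, so the lockfile is checked, not package.json.

// Minimums from the post's update commands (assumed as the bar to meet).
const TARGETS = { next: "16.0.7", react: "19.0.1", "react-dom": "19.0.1" };

// Numeric compare of dotted versions, ignoring pre-release/build suffixes.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk the lockfile v2/v3 "packages" map and report every installed copy
// of a watched package, including nested ones under another package.
function auditLockfile(lockJson, targets = TARGETS) {
  const lock = JSON.parse(lockJson);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!Object.hasOwn(targets, name) || !entry.version) continue;
    const ok = compareVersions(entry.version, targets[name]) >= 0;
    findings.push({ name, path, version: entry.version, ok });
  }
  return findings;
}

// Constructed sample lockfile: top-level packages are patched, but a
// UI library still pulls in its own react@18.3.1 copy.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "safe_project" },
    "node_modules/next": { version: "16.0.7" },
    "node_modules/react": { version: "19.0.1" },
    "node_modules/react-dom": { version: "19.0.1" },
    "node_modules/some-ui-lib/node_modules/react": { version: "18.3.1" },
  },
});

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.ok ? "OK " : "OLD"} ${f.path} ${f.version}`);
}
```

Run it against a real project by replacing SAMPLE_LOCK with the contents of its package-lock.json; any line marked OLD is a copy that the update did not reach.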

📊 Conclusions
React2Shell is critical and already exploited.

Migration is not trivial: conflicts and obsolete dependencies complicate the process.

Documenting each step is essential for reproducibility and security.

The community needs clear, official migration guides.

📌 Institutional closing
“From REMI‑IA we offer our experience in portable environments and patrimonial demos to provide a humble yet practical solution. We have documented each step and propose viable alternatives so the community can overcome this critical vulnerability.”

REMI‑IA Team
📧 Contact: jramonrivasg@gmail.com, jramonrivasg@proton.me
🔗 Link: X (Twitter): https://x.com/jramone3