A severe security vulnerability in React Server Components (RSC) has exposed a large number of React and Next.js applications to remote code execution. Both the React team and the Next.js team have released emergency patches.
If your project uses RSC in any capacity, you should treat this as urgent.
What Happened
React disclosed a flaw in the RSC “Flight” protocol caused by unsafe deserialization.
Attackers can send crafted payloads that execute arbitrary code on the server.
Next.js is directly affected because its App Router relies on RSC under the hood.
Independent security researchers observed exploitation attempts shortly after disclosure.
Who Is Affected
You are impacted if you use:
- React Server Components (any implementation)
- Next.js App Router
- Any bundler or framework depending on react-server-dom-* packages (Webpack, Turbopack, Parcel, etc.)
Using RSC—even without writing server actions—is enough to be vulnerable.
How to Fix It
React Projects
Upgrade all RSC packages to patched versions:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Use one of the fixed versions:
19.0.1, 19.1.2, 19.2.1, or newer
Redeploy your application after updating.
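One way to check a lockfile against the fixed versions listed above (an added example, not code from the React or Next.js teams). The `classify` and `auditLockfile` names and the sample lockfile are constructed for illustration; versions this post does not cover are marked `review` rather than guessed.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2/3) for
// react-server-dom-* packages below the fixed versions named in this post.
const FIXED = { '19.0': 1, '19.1': 2, '19.2': 1 }; // 19.0.1, 19.1.2, 19.2.1
const RSC_NAME = /(?:^|\/)node_modules\/(react-server-dom-[^/]+)$/;

// Returns 'patched', 'below-fix', or 'review' (a version this post does not cover).
function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  if (!m) return 'review'; // prerelease, canary or unparsable: check by hand
  const [major, minor, patch] = m.slice(1).map(Number);
  const line = `${major}.${minor}`;
  if (line in FIXED) return patch >= FIXED[line] ? 'patched' : 'below-fix';
  if (major > 19 || (major === 19 && minor > 2)) return 'patched'; // "or newer"
  return 'review'; // older than 19.0: not addressed by the post
}

// Walks every lockfile entry, including copies nested under other packages.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const m = RSC_NAME.exec(path);
    if (!m) continue;
    findings.push({ path, name: m[1], version: meta.version, status: classify(String(meta.version)) });
  }
  return findings;
}

// Constructed sample lockfile, not taken from a real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/react': { version: '19.1.0' },
    'node_modules/react-server-dom-webpack': { version: '19.1.1' },
    'node_modules/some-framework/node_modules/react-server-dom-turbopack': { version: '19.2.1' },
    'node_modules/react-server-dom-parcel': { version: '19.0.0-rc.1' },
  },
};

// To audit a real project, pass JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).
for (const f of auditLockfile(sampleLock)) {
  console.log(`${f.status.padEnd(9)} ${f.name}@${f.version} (${f.path})`);
}
```

This only sees packages recorded in the lockfile; Next.js projects still need the patched Next.js release from the advisory.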
Next.js Projects
The Next.js team provides an automated remediation tool:
npx fix-react2shell-next
Then upgrade to the patched Next.js release listed in their advisory and redeploy.
Additional Recommended Steps
- Rotate all secrets and environment variables.
- Review logs for suspicious requests or processes.
- Run security scans on your deployment if it was online before patching.
Why This Matters
This is a high-impact RCE vulnerability affecting the default behavior of modern React and Next.js applications. Because RSC loads by default in many setups, the effective attack surface is huge.
If you depend on RSC anywhere in your stack, patching is not optional.
References
React advisory: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
Next.js advisory: https://nextjs.org/blog/CVE-2025-66478