
React2Shell: What You Need to Know — and Why You Should Update Immediately


In early December 2025, the web-development community was rattled by the public disclosure of a critical vulnerability in React, known as React2Shell (CVE-2025-55182), that affects React Server Components (RSC) and the frameworks built on top of them, most prominently Next.js. The React team published the advisory, and Vercel, which maintains Next.js, issued a bulletin of its own (linked at the end of this post).

🔍 What is React2Shell?

  • React2Shell is a deserialization vulnerability in React Server Components: the server-side code that decodes request payloads sent by a client does so unsafely, so a specially crafted payload can lead to unauthenticated remote code execution (RCE) on the server.
  • It affects React 19.0.0 through 19.2.0 via the RSC packages react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack, i.e. any deployment that serves Server Components. Next.js is affected from 15.0.0 up to and including 16.0.6 (plus certain canary builds) when the App Router, which is built on RSC, is used.
  • The issue arises even if your application never defines a Server Function of its own: simply serving React Server Components exposes the vulnerable request handling, so an App Router site with nothing but static pages is still in scope.

⚠️ Why This Vulnerability is Critical

  • React2Shell has been assigned a CVSS score of 10.0, the highest possible severity.
  • It allows unauthenticated attackers (attackers who need no valid credentials or prior access) to send malicious requests to a vulnerable server and execute arbitrary code there, which in practice means installing backdoors, mining cryptocurrency, or exfiltrating data such as environment variables and tokens.
  • Within hours of public disclosure, the vulnerability was being probed and exploited by threat actors, including state-linked groups.
  • Because React and Next.js power a huge number of websites, from personal blogs to enterprise platforms, the exposure is massive. A single unpatched endpoint is enough to serve as a stepping stone into the rest of an environment.

Many security analysts now compare React2Shell to the infamous Log4Shell vulnerability of 2021, in terms of potential widespread impact.

✅ What Has Been Done — and Why It’s Still Not Enough

  • The React team and framework maintainers have released patched versions: the RSC packages (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack) are fixed in 19.0.1, 19.1.2 and 19.2.1, one for each affected release line, and Next.js is fixed in 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 and 16.0.7.
  • The Vercel platform has also rolled out temporary mitigations: Web Application Firewall (WAF) rules that filter known exploit patterns, and deployment-protection features for preview/staging environments.
  • Still, WAF rules only match the exploit patterns their authors have seen; they cannot guarantee protection against every variant of the payload, and they do nothing for a copy of the app hosted elsewhere. The only full and reliable fix is upgrading to the patched versions.

🔧 What You Should Do Right Now

  1. Check your project’s dependencies, especially if you use React 19.x or Next.js between 15.0.0 and 16.0.6. Look at the resolved versions in your lockfile, not just package.json, and check the related packages react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack, which may be pulled in transitively.
  2. If you find vulnerable versions, update immediately:
    • For the React RSC packages: upgrade to 19.0.1, 19.1.2 or 19.2.1 (whichever matches your release line).
    • For Next.js: upgrade to the patched release on your line (15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8 or 15.5.7 for 15.x; 16.0.7 for 16.x), then redeploy.
  3. If you use Vercel Agent or host on Vercel, take advantage of the automated patching / pull-request flow.
  4. Rotate sensitive secrets (API keys, environment variables, tokens), especially if your deployment was online and unpatched after the public disclosure on Dec 3, 2025. Assume anything readable by the server process could have been read.
  5. Audit server logs for unusual behaviour (unexpected POST requests, unusual server-side processes, spikes in resource usage, etc.). This matters even after patching: the upgrade closes the door, but it does not remove anything an attacker may already have installed.
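The following Node.js script is an added example for steps 1 and 5 above; it is not code from the Vercel bulletin or from the React project. It checks the resolved versions in a package-lock.json (lockfileVersion 2 or 3, which keeps a "packages" map) against the affected and patched version lines published for CVE-2025-55182, and it flags access-log lines that show POST requests to paths that should never receive one. The lockfile, the log lines and the allowlist of POST routes are constructed sample input; the allowlist in particular is an assumption you must adapt to your own application.

```javascript
// Added example (not from the Vercel bulletin or the React project).
// Part 1: classify installed package versions against the React2Shell advisory.
// Part 2: flag POST requests to routes that are not expected to accept POSTs.

// First patched version on each affected release line (major.minor), as
// published in the advisory. A version on one of these lines that is older
// than the entry is vulnerable. A version inside the affected majors but on a
// line not listed here (e.g. a canary line) is reported as "review" so it is
// never silently ignored.
const RSC_LINES = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };
const ADVISORY = {
  "react-server-dom-webpack":   { majors: [19], patched: RSC_LINES },
  "react-server-dom-parcel":    { majors: [19], patched: RSC_LINES },
  "react-server-dom-turbopack": { majors: [19], patched: RSC_LINES },
  next: {
    majors: [15, 16],
    patched: {
      "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
      "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7",
    },
  },
};

// "15.0.0-canary.23" -> { nums: [15, 0, 0], pre: "canary.23" }
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v));
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Semver-style precedence: numeric parts first; a prerelease sorts below the
// release with the same numbers, so 15.0.5-canary.1 is still below 15.0.5.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i] ? -1 : 1;
  }
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

// Returns "vulnerable", "patched", "unaffected" or "review".
function classify(name, version) {
  const entry = ADVISORY[name];
  if (!entry) return "unaffected";
  const v = parseVersion(version);
  if (!v) return "review";
  if (!entry.majors.includes(v.nums[0])) return "unaffected";
  const fixed = entry.patched[`${v.nums[0]}.${v.nums[1]}`];
  if (!fixed) return "review";
  return compareVersions(v, parseVersion(fixed)) < 0 ? "vulnerable" : "patched";
}

// Walks every installed copy, including nested ones such as
// "node_modules/tool/node_modules/next", and returns anything not known-good.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project itself
    const name = path.split("node_modules/").pop();
    if (!(name in ADVISORY)) continue;
    const status = classify(name, info.version);
    if (status !== "patched" && status !== "unaffected") {
      findings.push({ name, version: info.version, path, status });
    }
  }
  return findings;
}

// Combined-log-format line: ip ident user [time] "METHOD path proto" status size
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

// allowedPostPaths is an allowlist of route prefixes that legitimately accept
// POSTs (an assumption for this example). Everything else that got a POST is
// returned for a human to look at.
function unexpectedPosts(lines, allowedPostPaths) {
  const hits = [];
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m || m[3] !== "POST") continue;
    const route = m[4].split("?")[0];
    const allowed = allowedPostPaths.some((p) => route === p || route.startsWith(p + "/"));
    if (!allowed) hits.push({ ip: m[1], when: m[2], route, status: Number(m[5]) });
  }
  return hits;
}

// Constructed sample input.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/next": { version: "15.5.6" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-tool/node_modules/react-server-dom-turbopack": { version: "19.2.1" },
  },
};
const SAMPLE_LOG = [
  '203.0.113.7 - - [04/Dec/2025:02:11:09 +0000] "GET / HTTP/1.1" 200 5120',
  '203.0.113.7 - - [04/Dec/2025:02:11:10 +0000] "POST /api/contact HTTP/1.1" 200 31',
  '198.51.100.23 - - [04/Dec/2025:02:13:41 +0000] "POST /blog/hello-world HTTP/1.1" 500 0',
  '198.51.100.23 - - [04/Dec/2025:02:13:42 +0000] "POST /?x=1 HTTP/1.1" 200 17',
];
const ALLOWED_POST = ["/api"];

console.log("dependency findings:", auditLockfile(SAMPLE_LOCK));
console.log("unexpected POSTs:", unexpectedPosts(SAMPLE_LOG, ALLOWED_POST));
```

On the sample lockfile the script reports next 15.5.6 and react-server-dom-webpack 19.2.0 as vulnerable and stays silent on the nested react-server-dom-turbopack 19.2.1, which is already patched; on the sample log it returns the two POSTs to /blog/hello-world and / for review. To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))` and feed it your access log line by line. The "review" status is deliberate: a canary build or a release line the table does not know about should be looked at by a person, not waved through.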

🛡️ Why You Should Care — Even If You’re Just Running a Small Site

It’s easy to think “this affects big companies, not me”. But many smaller websites use React / Next.js, often with default deployment setups and no one watching the logs. Because React2Shell requires no authentication, any public-facing installation running a vulnerable version is a target, and automated scanners do not care how much traffic your site gets.

Even personal blogs, portfolios, or small web apps — once vulnerable — can be turned into entry points for attackers to upload malware, mine cryptocurrencies, or pivot further into your infrastructure. If your site handles sensitive data (user info, tokens, credentials), the risks are even higher.

Therefore, updating is not optional — it’s urgent.

If you use tools or build modern web apps with React / Next.js — this is a wake-up call. Please treat it as critical maintenance.

Read more in the official bulletin from Vercel (linked below).

Reference:
https://vercel.com/kb/bulletin/react2shell
