Critical vulnerability in React and Next.js (CVE-2025-55182)

Key points to remember

  • A critical CVSS 10.0 vulnerability affects React 19 and Next.js, allowing remote code execution without authentication.
  • 39% of cloud environments contain vulnerable instances, according to Wiz data.
  • Immediate updating to the patched versions is imperative for all projects using React Server Components.
  • Cloudflare, AWS, and Google Cloud’s WAFs have deployed automatic protections.

React2Shell: The vulnerability that is shaking the JavaScript ecosystem

On December 3, 2025, the React and Meta team disclosed a critical vulnerability that could well be one of the most serious in recent web development history: CVE-2025-55182. This vulnerability, dubbed React2Shell by the cybersecurity community, allows an unauthenticated attacker to execute arbitrary code on servers using React Server Components. To be clear: we’re talking about a CVSS score of 10.0, the absolute maximum.

I’ve analyzed this vulnerability in detail, and the implications are massive. According to Wiz data, 39% of cloud environments contain vulnerable instances. If you’re using Next.js 15 or 16 in production, you’re affected. In practice, a single malformed HTTP request is enough to compromise your application.

Attention: This vulnerability affects default configurations. A Next.js application created with create-next-app and deployed without modification is immediately vulnerable. No special configuration is required for exploitation.

Understanding the vulnerability: insecure deserialization in the Flight protocol

The core of the problem lies in the Flight protocol of React Server Components. This protocol serializes component trees, function references, and arguments for transmission between the server and the client. In practice, the current implementation trusts incoming payloads without sufficient validation.

Here’s what’s happening technically:

  1. The server receives an RSC request: the Flight protocol expects structured data representing React components.
  2. Deserialization without validation: the requireModule function uses bracket notation without a hasOwnProperty check, allowing traversal of the prototype chain.
  3. Access to dangerous modules: an attacker can thus gain access to critical Node.js modules such as vm, child_process, or fs.
  4. Code execution: the malicious payload executes with server privileges.

Wiz researchers have developed a working proof of concept with a near 100% success rate. The real game-changer is that the exploit requires no prior authentication.
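The bug class in step 2 above, as an added illustration that is not React’s requireModule or any Flight protocol code: a module-registry lookup done with bare bracket notation resolves inherited properties of Object.prototype, while an own-property check or a null-prototype registry does not. The registry contents and the ids are constructed.

```javascript
// Added example: unsafe vs. hardened lookup in a registry of server modules
// a client may reference by id. The registry and ids below are constructed;
// this is not React's requireModule.
const allowedModules = {
  "./components/Header.js": () => "<header/>",
  "./components/Footer.js": () => "<footer/>",
};

// Unsafe: bracket notation on a plain object also resolves properties
// inherited from Object.prototype, so an id such as "constructor" returns
// a value instead of undefined. Nothing restricts the id to registered keys.
function lookupUnsafe(registry, id) {
  return registry[id];
}

// Hardened (a): only own, string-keyed entries are resolvable.
function lookupSafe(registry, id) {
  if (typeof id !== "string" || !Object.hasOwn(registry, id)) {
    throw new Error(`Unknown module id: ${String(id)}`);
  }
  return registry[id];
}

// Hardened (b): a registry with no prototype at all, so there is nothing
// to inherit; "constructor" and "__proto__" are just absent keys.
const registryNoProto = Object.assign(Object.create(null), allowedModules);

function lookupNullProto(id) {
  const mod = registryNoProto[id];
  if (mod === undefined) throw new Error(`Unknown module id: ${String(id)}`);
  return mod;
}

// Demonstration of the difference on one inherited name.
console.log("unsafe:", typeof lookupUnsafe(allowedModules, "constructor")); // "function"
try { lookupSafe(allowedModules, "constructor"); } catch (e) { console.log("safe:", e.message); }
```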

Who is affected? Complete mapping of vulnerable versions

React: affected versions

The following packages are vulnerable in React 19.0, 19.1.0, 19.1.1 and 19.2.0:

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

Corrected versions: 19.0.1, 19.1.2 and 19.2.1

Next.js: affected versions

The vulnerability affects Next.js via CVE-2025-66478, which inherits the same underlying issue. The concrete result: all applications using the App Router in the following versions are vulnerable:

  • Next.js 15.x (all versions)
  • Next.js 16.x (versions prior to 16.0.7)
  • Next.js 14.3.0-canary.77 and later canary versions

Important: Next.js 13.x, Next.js 14.x stable, the Pages Router and the Edge Runtime are NOT affected.

Next.js branch    Corrected version
15.0.x            15.0.5
15.1.x            15.1.9
15.2.x            15.2.6
15.3.x            15.3.6
15.4.x            15.4.8
15.5.x            15.5.7
16.0.x            16.0.7

Other frameworks impacted

Any framework or plugin integrating react-server packages is potentially vulnerable:

  • React Router (RSC preview mode)
  • Waku
  • @vitejs/plugin-rsc
  • @parcel/rsc
  • RedwoodSDK (rwsdk)

Immediate patch: update procedure

Let’s be realistic: there are no configuration options to disable the vulnerable code. The only solution is to immediately update to a patched version.

For Next.js projects

Identify your current branch and install the corresponding patched version:

# For Next.js 15.0.x
npm install next@15.0.5

# For Next.js 15.1.x
npm install next@15.1.9

# For Next.js 15.2.x
npm install next@15.2.6

# For Next.js 15.3.x
npm install next@15.3.6

# For Next.js 15.4.x
npm install next@15.4.8

# For Next.js 15.5.x
npm install next@15.5.7

# For Next.js 16.0.x
npm install next@16.0.7

Special case: If you are on Next.js 14.3.0-canary.77 or a later canary version, downgrade to the latest stable version 14.x:

npm install next@14

For standalone React projects

Update to a fixed version of React:

# React 19.0.x
npm install react@19.0.1 react-dom@19.0.1

# React 19.1.x
npm install react@19.1.2 react-dom@19.1.2

# React 19.2.x
npm install react@19.2.1 react-dom@19.2.1

Best Practice: After installation, completely rebuild your application and redeploy immediately. For monorepo or microservices architectures, verify that ALL services using RSC are up to date.
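To check a fleet of services against the fixed versions listed above, here is an added helper (not from the advisory, Next.js or Vercel). It classifies an installed Next.js version string as patched, vulnerable, not affected or unknown; the sample inventory is constructed, and in practice you would feed it the versions reported by each service’s lockfile or npm ls next.

```javascript
// Added helper: classify an installed Next.js version against the patched
// releases from the table above. Sample service inventory is constructed.
const FIXED = {
  "15.0": [15, 0, 5], "15.1": [15, 1, 9], "15.2": [15, 2, 6], "15.3": [15, 3, 6],
  "15.4": [15, 4, 8], "15.5": [15, 5, 7], "16.0": [16, 0, 7],
};

// Parse "v16.0.7" or "14.3.0-canary.80" into numeric parts plus prerelease tag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim().replace(/^v/, ""));
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: m[4] || null } : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

function assessNext(version) {
  const p = parseVersion(version);
  if (!p) return "unparseable";
  const [major, minor] = p.nums;
  if (major <= 13) return "not-affected";
  if (major === 14) {
    // Only 14.3.0-canary.77 and later canary builds carry the affected code.
    const c = p.pre && /^canary\.(\d+)$/.exec(p.pre);
    if (!c) return "not-affected";
    return cmp(p.nums, [14, 3, 0]) >= 0 && +c[1] >= 77 ? "vulnerable" : "not-affected";
  }
  if (major > 16 || (major === 16 && minor > 0)) return "patched"; // later than 16.0.7
  const fixed = FIXED[`${major}.${minor}`];
  if (!fixed) return "unknown"; // branch not in the table: consult the advisory
  // A prerelease of the fixed version (e.g. 16.0.7-canary.1) predates the fix.
  if (cmp(p.nums, fixed) > 0 || (cmp(p.nums, fixed) === 0 && !p.pre)) return "patched";
  return "vulnerable";
}

function scanServices(services) {
  return services.map(({ name, next }) => ({ name, next, status: assessNext(next) }));
}

// Constructed sample inventory for a monorepo with several deployables.
const sampleServices = [
  { name: "web", next: "15.3.2" },
  { name: "admin", next: "16.0.7" },
  { name: "legacy-pages", next: "14.2.5" },
  { name: "lab", next: "14.3.0-canary.80" },
];

for (const r of scanServices(sampleServices)) console.log(`${r.name}\t${r.next}\t${r.status}`);
```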

Temporary protections: WAF and mitigations

If an immediate update is not possible, several providers have deployed automatic WAF protections:

Cloudflare

Automatic deployment of the “React – RCE – CVE-2025-55182” rule on December 2nd at 5 PM GMT. All customers (free and paid plans) are protected if their React traffic passes through the Cloudflare WAF.

Vercel

Automatic protection is deployed across the entire platform. No action is required for clients hosted on Vercel, but updating is still strongly recommended.

Google Cloud Armor

Pre-configured WAF rule available via cve-canary. Required configuration in your backend security policy:

# "my-policy" is a placeholder for the name of your backend security policy;
# the sensitivity level passed to evaluatePreconfiguredWaf is an example value.
gcloud compute security-policies rules create 1000 \
    --security-policy=my-policy \
    --expression="evaluatePreconfiguredWaf('cve-canary', {'sensitivity': 1})" \
    --action=deny-403

AWS WAF

New managed rules have been deployed to block exploitation attempts. Customers using AWS managed services are not affected.

Akamai

Adaptive Security Engine Rapid rule deployed on December 3: “3000976 — React Remote Code Execution Attack Detected (CVE-2025-55182)”. Full protection for App & API Protector clients.

To remember: WAF protections are temporary measures. They significantly reduce exposure but do not replace a complete patch at the application level.

Frequently Asked Questions

Is my application vulnerable if I don’t use Server Functions?

Potentially yes. According to the React team, even without explicit Server Functions, your application remains vulnerable if it supports React Server Components. Simply having RSC in your stack is enough.

Are there any exploits in the wild?

As of December 4, 2025, no confirmed production exploits have been documented. However, several researchers have published working Proofs of Concept (PoCs) on GitHub. In practice, exploitation is imminent, according to all security experts.

Is the Next.js Pages Router affected?

No. The Pages Router does not use React Server Components and is therefore not affected by this vulnerability. Only the App Router is affected.

What is the actual severity of this vulnerability?

Maximum. CVSS score 10.0, exploitable without authentication, vulnerable default configurations, near 100% success rate in lab tests. According to the State of JavaScript 2024 survey, React is used by 82% of developers. To truly grasp the scale of the problem: Wiz estimates that 39% of cloud environments contain vulnerable instances.

Can I temporarily disable RSC?

There is no configuration option to disable the vulnerable code without completely breaking the App Router. The only viable option is to update immediately or temporarily revert to the Pages Router for Next.js 14.x.

Conclusion: a safety lesson for the entire ecosystem

React2Shell represents a major wake-up call for the JavaScript ecosystem. This vulnerability exposes a fundamental weakness in the management of trust for incoming data, even for frameworks as mature as React.

What truly makes the difference is the speed of the response. Meta, Vercel, and all the cloud providers coordinated patches and WAF protections in less than 96 hours between responsible disclosure and public deployment. A prime example of effective industry collaboration.

For you developers and tech managers: Patching immediately is non-negotiable. In practice, large-scale rollouts are a matter of days, not weeks. If you have Next.js 15 or 16 applications in production, your number one priority should be this update.

No bullshit: test your dependencies, deploy patches, check your WAFs. Application security is never guaranteed, even with the most popular frameworks on the market.