
React2Shell: Critical Security Vulnerability in React 19 and Next.js - What You Need to Do Now

Semih Simsek

On December 3, 2025, one of the most severe vulnerabilities in the history of the React ecosystem was disclosed. CVE-2025-55182, better known as "React2Shell", enables remote code execution (RCE) on servers using React Server Components. With a CVSS score of 10.0 - the highest possible - and active exploitation by state-sponsored hackers, immediate action is required.

  • CVSS Score: 10.0 (Critical) - Highest severity rating
  • Actively exploited by Chinese, North Korean, and Iranian hackers
  • No workaround available - upgrade is the only solution
  • Rotate all secrets after patching

What is React2Shell?

React2Shell is a critical vulnerability in the React Server Components (RSC) "Flight" protocol, the wire format React uses to exchange data between client and server. The flaw is unsafe deserialization on the server side: the payload a client sends when it invokes a Server Function (a Server Action, in Next.js terms) is decoded without adequate validation, and a crafted payload lets an attacker execute arbitrary code on the server. No authentication is required, so any reachable RSC endpoint is enough.

Technical Details

  • Vulnerability in RSC Flight protocol deserialization
  • No authentication required for exploitation
  • Complete server takeover possible
  • Attackers can steal environment variables, credentials, and source code

Which Versions Are Affected?

The vulnerability affects a wide range of React and Next.js versions:

React Versions

  • React 19.0.0 - 19.0.2
  • React 19.1.0 - 19.1.3
  • React 19.2.0 - 19.2.2

Next.js Versions

  • Next.js 14.3.0-canary.77 and later 14.3 canary releases (14.3 shipped only as canaries; stable 14.2.x and earlier are not listed as affected)
  • All Next.js 15.x releases before the patched versions listed below
  • All Next.js 16.x releases before 16.0.7

Active Exploitation in the Wild

Google has confirmed that at least five Chinese state-sponsored hacking groups are actively exploiting this vulnerability. North Korean and Iranian actors are also involved in the attacks.

Observed Attack Patterns

Once they have code execution, attackers open a shell and harvest credentials from environment variables, the filesystem and the cloud instance metadata service. Harvested AWS credentials have been observed Base64-encoded before exfiltration.

How to Check If You Are Vulnerable

  1. Check your Next.js version

    Read the installed next version from your lockfile (package-lock.json, yarn.lock or pnpm-lock.yaml) rather than the range in package.json. Every version from 14.3.0-canary.77 up to the patched releases listed below is affected. For a Next.js application this is the decisive check: Next.js ships its own React build, so the react entry in package.json does not tell you which RSC code is actually running.

  2. Check your React version

    If you use React Server Components outside Next.js, check the installed version of the react-server-dom-webpack, react-server-dom-parcel or react-server-dom-turbopack package, which follows React's version number. Versions 19.0.0-19.0.2, 19.1.0-19.1.3 and 19.2.0-19.2.2 are vulnerable.

  3. Do you use Server Components?

    The vulnerable code is reached when the server decodes Flight payloads sent by clients. With Next.js that is the case when you use the App Router (stable and the default since Next.js 13.4), so such applications should be treated as vulnerable. Do not use a Pages Router-only codebase as a reason to skip the upgrade: the fix is a version bump, and the affected code ships with the framework either way.
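To make the checks above mechanical, the following script is an added example; it is not code from the original post, nor from the React or Next.js projects. It reads an npm package-lock.json (lockfileVersion 2 or 3), which records exact installed versions including nested copies, and compares the next and react-server-dom-* packages against the patched versions given in this article. The patched-version table and the rule that a 14.3 canary at or after canary.77 counts as vulnerable are taken from the article; the lockfile contents and the file name check-react2shell.js are assumptions made for the example.

```javascript
// Added example, not code from the original post or from the React/Next.js projects: scan an
// npm package-lock.json (lockfileVersion 2 or 3) for the packages React2Shell lives in and
// compare each installed version with the patched version of the same minor line, using the
// version table from the article. Run with:  node check-react2shell.js ./package-lock.json
// Without an argument it runs against the constructed sample lockfile at the bottom.

// Patched version per minor line (major.minor), taken from the article. For Next.js 16 the
// article names 16.0.7 as the minimum that closes the RCE and 16.0.10 as the target; the table
// uses the target, so anything below 16.0.10 is reported as vulnerable.
const FIXED = {
  next: {
    "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
    "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.10",
  },
  // The vulnerable Flight deserialization is in the react-server-dom-* packages, which carry
  // React's version numbers. The `react` package itself is deliberately not checked: a Next.js
  // app runs the React build bundled inside `next`, so the `next` version is decisive there.
  "react-server-dom-webpack":   { "19.0": "19.0.3", "19.1": "19.1.4", "19.2": "19.2.3" },
  "react-server-dom-parcel":    { "19.0": "19.0.3", "19.1": "19.1.4", "19.2": "19.2.3" },
  "react-server-dom-turbopack": { "19.0": "19.0.3", "19.1": "19.1.4", "19.2": "19.2.3" },
};

// Parse "15.5.3" or "14.3.0-canary.77" into comparable parts (missing parts become NaN).
function parseVersion(v) {
  const [core, pre] = String(v).split("-", 2);
  const [major = NaN, minor = NaN, patch = NaN] = core.split(".").map(Number);
  return { major, minor, patch, pre: pre ?? null };
}

// Comparator returning <0, 0 or >0. Per SemVer a pre-release sorts below the release with the
// same core; pre-releases of the same core are compared on their trailing number (canary.77).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return Number(pa.pre.split(".").pop()) - Number(pb.pre.split(".").pop());
}

// Classify one installed version:
//   "patched"       at or above the fixed version of its minor line
//   "vulnerable"    an affected line below its fixed version, or a 14.3 canary >= canary.77
//   "not-in-range"  a line the article does not list (React 18, Next.js 14.2, other packages)
//   "unknown"       newer than this table, or unparsable; check the current advisory
function classify(name, version) {
  const lines = FIXED[name];
  if (!lines) return "not-in-range";
  const { major, minor, patch } = parseVersion(version);
  if ([major, minor, patch].some(Number.isNaN)) return "unknown";
  const line = `${major}.${minor}`;
  if (lines[line]) return compareVersions(version, lines[line]) >= 0 ? "patched" : "vulnerable";
  if (name === "next" && line === "14.3") {
    // Lower bound from the article; 14.3 only ever existed as canary releases.
    return compareVersions(version, "14.3.0-canary.77") >= 0 ? "vulnerable" : "not-in-range";
  }
  const highest = Object.keys(lines).reduce((a, b) => (compareVersions(`${b}.0`, `${a}.0`) > 0 ? b : a));
  return compareVersions(`${line}.0`, `${highest}.0`) > 0 ? "unknown" : "not-in-range";
}

// Walk a parsed lockfile. lockfileVersion 2/3 keys every installed package by its node_modules
// path, so nested copies (node_modules/foo/node_modules/next) are found as well.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (path === "" || !entry.version) continue;           // "" is the root project itself
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (!(name in FIXED)) continue;
    findings.push({ path, name, version: entry.version, status: classify(name, entry.version) });
  }
  return findings;
}

// Constructed sample in the shape npm 7+ writes; not taken from any real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/next": { version: "15.5.3" },
    "node_modules/react": { version: "19.2.1" },
    "node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/legacy-tool/node_modules/next": { version: "14.2.5" },
  },
};

async function main(lockPath) {
  const lock = lockPath
    ? JSON.parse((await import("node:fs")).readFileSync(lockPath, "utf8"))
    : SAMPLE_LOCK;
  const findings = auditLockfile(lock);
  for (const f of findings) console.log(`${f.status.padEnd(12)} ${f.name}@${f.version}  (${f.path})`);
  const bad = findings.filter((f) => f.status === "vulnerable").length;
  console.log(bad ? `${bad} vulnerable package(s): upgrade, then rotate secrets` : "no vulnerable versions found");
}

main(process.argv[2]).catch((e) => console.error(e.message));
```

On the sample lockfile the script reports next@15.5.3 and react-server-dom-webpack@19.2.1 as vulnerable and the nested Next.js 14.2.5 copy as not in range. A pre-release of a fixed version (for example 19.2.3-canary.1) is deliberately reported as vulnerable, because SemVer orders it below the release; a minor line newer than the table is reported as unknown rather than patched, so the table has to be refreshed from the advisory instead of silently passing.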

Immediate Actions

Patched Versions

  • React: 19.0.3, 19.1.4, or 19.2.3
  • Next.js 15: upgrade to 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, or 15.5.7
  • Next.js 16: upgrade to 16.0.10 (16.0.7 is the minimum that closes the RCE; 16.0.10 also covers the follow-up CVEs described below)

After the Upgrade: Rotate All Secrets

Because attackers may already have had access to your system, treat the server as compromised until you have evidence otherwise and rotate every secret it could read. Rotate after patching, not before, so the new secrets cannot be captured again through the same hole, and preserve logs first so you can look for the patterns described above (unexpected shells or child processes, reads of the instance metadata service, unusual outbound connections):

  • Database passwords and connection strings
  • API keys (Stripe, SendGrid, etc.)
  • AWS/Azure/GCP credentials
  • JWT secrets and session keys
  • OAuth client secrets
  • Environment variables with sensitive data

Additional CVEs

After the initial patch, two additional vulnerabilities were disclosed. The patched versions listed above cover them as well, which is why those, and not the first fixed releases, are the upgrade targets:

CVE-2025-55184

  • Denial of Service
  • CVSS: 7.5 (High)
  • Can crash the application

CVE-2025-55183

  • Source Code Exposure
  • CVSS: 5.3 (Medium)
  • Source code can be leaked

Lessons for the Future

This vulnerability underscores the importance of proactive security management:

  • Implement automatic security updates for dependencies
  • Monitor security advisories from React and Next.js
  • Use tools like Snyk or Dependabot for vulnerability scanning
  • Keep an incident response plan ready
  • Consider a Web Application Firewall (WAF) as an additional security layer; it can buy time against known payloads but is no substitute for patching, since no workaround exists for this vulnerability

Security is not a one-time action, but a continuous process. The React2Shell vulnerability shows how quickly critical issues can emerge in popular frameworks.


Conclusion

React2Shell is a wake-up call for the JavaScript community. With CVSS 10.0 and active exploitation by state-sponsored hackers, this is not a vulnerability to ignore. Upgrade your applications today, rotate all secrets, and implement a structural security policy to be prepared for future threats.

Need Help?

SEMSIT helps businesses secure their React and Next.js applications. Contact us for a security audit or help upgrading your applications.
