
React2Shell: The Critical Vulnerability That Affected Millions of React and Next.js Applications

Hello HaWkers, the web development world was shaken in December 2025 by one of the most serious vulnerabilities ever discovered in the React ecosystem. CVE-2025-55182, nicknamed "React2Shell," received the maximum CVSS score of 10.0 and allowed unauthenticated remote code execution on the server.

If you use React Server Components or Next.js, this article is required reading. Let's understand what happened, how the flaw worked, and most importantly, how to protect your applications.

What Happened: Timeline of Events

The discovery and disclosure of React2Shell followed an intense timeline:

November 29, 2025: Lachlan Davidson, a New Zealand security researcher, discovers the vulnerability and reports it to Meta.

December 3, 2025: Meta publicly discloses CVE-2025-55182 along with patches for React and Next.js.

December 4, 2025: Multiple proof-of-concept exploits appear publicly. Mass exploitation begins.

December 4-5, 2025: Amazon and other companies detect Chinese threat groups actively exploiting the flaw.

December 11, 2025: Two additional vulnerabilities are discovered (CVE-2025-55183, CVE-2025-55184).

Understanding the React2Shell Vulnerability

React2Shell specifically affects React Server Components (RSC), a relatively new feature that renders React components on the server and exchanges serialized payloads with the client. The flaw was in how the RSC server runtime deserialized the payloads a client sends back to the server (for example, when invoking a Server Action).

How the Attack Worked

The problem sat on the server side of the RSC client/server protocol: the server turned a client-supplied serialized payload into live objects before constraining what that payload was allowed to reference:

// CONCEPTUAL example of how the vulnerable deserialization worked
// DO NOT EXECUTE THIS CODE - for educational purposes only

// The server received serialized payloads from the client
async function processServerAction(serializedPayload) {
  // Deserialization did not properly validate content
  const payload = deserialize(serializedPayload);

  // Malicious objects could be injected
  // that executed code during deserialization
  return executeAction(payload);
}

The attacker could send a specially crafted payload that, during the deserialization process, executed arbitrary code on the server.
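To make the bug class concrete, here is an added toy example. It is not React's code and not the React2Shell exploit; it is a made-up "$reference" wire format (the `$path.to.value` syntax, the `deserializeUnsafe`/`deserializeSafe` names and the `SERVER_MODEL` object are all assumptions for this illustration) resolved against a server-side model object. The unsafe resolver walks the reference with plain property access, so a reference can climb the prototype chain to the global `Function` constructor and hand the server an eval primitive; the hardened resolver only follows own properties of objects in the model and throws on anything else.

```javascript
// Added illustration of the deserialization bug class behind React2Shell.
// NOT React's code and NOT the real exploit: a toy "$reference" format
// (assumed for this example) resolved against a server-side model object.

// Constructed server-side model: the only things a client reference should
// ever be able to name.
const SERVER_MODEL = {
  actions: {
    greet: (name) => `hello ${name}`,
  },
};

// Unsafe: plain property access follows the prototype chain, so a reference
// such as "$actions.greet.constructor" resolves to the global Function
// constructor, i.e. a way to compile attacker-supplied source.
function resolveUnsafe(root, path) {
  return path.split('.').reduce((obj, key) => obj[key], root);
}

function deserializeUnsafe(json, model) {
  return JSON.parse(json, (_key, value) =>
    typeof value === 'string' && value.startsWith('$')
      ? resolveUnsafe(model, value.slice(1))
      : value,
  );
}

// Hardened: every step of the path must be an own property of a plain
// object in the model. Inherited keys (constructor, __proto__, ...) and
// traversal into functions or primitives are rejected, so a reference can
// never leave the data the server deliberately exposed.
function resolveSafe(root, path) {
  return path.split('.').reduce((obj, key) => {
    if (obj === null || typeof obj !== 'object' || !Object.hasOwn(obj, key)) {
      throw new Error(`unresolvable reference: $${path}`);
    }
    return obj[key];
  }, root);
}

function deserializeSafe(json, model) {
  return JSON.parse(json, (_key, value) =>
    typeof value === 'string' && value.startsWith('$')
      ? resolveSafe(model, value.slice(1))
      : value,
  );
}

// A server that trusts the deserializer's output: it calls whatever the
// payload named as `fn` with the payload's `arg`. With the unsafe
// deserializer and an evil payload, `fn` is Function itself, so the return
// value is a freshly compiled function of attacker-chosen source.
function handleAction(json, model, deserialize) {
  const payload = deserialize(json, model);
  if (typeof payload.fn !== 'function') {
    throw new Error('payload does not name a callable action');
  }
  return payload.fn(payload.arg);
}
```

The legitimate payload `{"fn":"$actions.greet","arg":"alice"}` works with both deserializers; the evil one `{"fn":"$actions.greet.constructor","arg":"return 6*7"}` only gets past the unsafe resolver. The real RSC runtime is far more involved, but the defence is the same: resolve client references only against an explicit allowlist, never against arbitrary object graphs.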

Simplified Attack Payload

Although full technical details should not be shared for security reasons, the shape of the attack was as follows (the path is illustrative: in Next.js, Server Actions are POSTed to the page's own URL with a Next-Action header rather than to a dedicated /api route):

POST /api/server-action HTTP/1.1
Content-Type: application/x-react-server-reference

[Malicious serialized payload that exploited
 the deserialization chain to execute
 commands on the server]

The result? Arbitrary code execution inside the Node.js process serving the application, with that process's privileges and no authentication required.

Impact and Scale of the Problem

Frightening Numbers

Palo Alto Networks Unit 42 identified the magnitude of the problem:

  • 968,000+ servers potentially vulnerable running React/Next.js
  • CVSS 10.0 - maximum severity score
  • Active exploitation by state groups in less than 24 hours
  • No authentication required to exploit

Who Was Affected

Affected frameworks and libraries:

  • React (versions with RSC before the patch)
  • Next.js (versions 13+ with App Router)
  • Vite RSC plugin
  • Parcel RSC plugin
  • React Router RSC preview
  • RedwoodJS
  • Waku

Who was NOT affected:

  • Next.js Pages Router (no RSC), provided the project has no App Router routes at all: Next.js allows both routers in one project, and any app/ directory brings the RSC runtime with it
  • Traditional client-side React (an SPA whose server never parses RSC payloads)
  • Applications using only Client Components and no RSC-capable framework on the server

Do not reason from "we never wrote a 'use server' function": what matters is whether the server runs the RSC runtime that decodes client payloads. Treat any app that does (for Next.js, anything with an App Router) as in scope.

How to Check If Your Application Is Vulnerable

Verification Checklist

Answer the following questions:

1. Do you use React Server Components?

  • Look for 'use server', either at the top of a file or as the first line of a function body
  • Check if you use Next.js 13+ with App Router (an app/ directory in the project)

2. What version are you using?

# Check Next.js version (run against the lockfile/build that is actually
# deployed; the range in package.json is not what is running in production)
npm list next

# Check React version
npm list react

3. Vulnerable vs patched versions:

Framework      Vulnerable Versions   Patched Versions
Next.js 16     < 16.0.7              >= 16.0.7
Next.js 15.5   < 15.5.7              >= 15.5.7
Next.js 15.4   < 15.4.8              >= 15.4.8
Next.js 15.3   < 15.3.6              >= 15.3.6
Next.js 15.2   < 15.2.6              >= 15.2.6
Next.js 15.1   < 15.1.9              >= 15.1.9
Next.js 15.0   < 15.0.5              >= 15.0.5
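Checking a handful of apps by eye is fine; checking an inventory is not. The following added helper (written for this article, not part of Next.js or any vendor tool) applies the table above to a version string and to the JSON output of `npm ls next --json`. The table rows are copied from the article; the "Next.js 16" row is read as "any 16.x release", anything outside the table is reported as unlisted rather than guessed, and pre-releases such as 15.5.7-canary.1 are treated as older than the release they precede, so they count as affected. The `SAMPLE_NPM_LS` object is a constructed sample of npm's output.

```javascript
// Added version-triage helper for the React2Shell patch table. Not from the
// Next.js project; the table below is transcribed from this article.

const PATCHED_NEXT = [
  { major: 16, minor: null, fixed: '16.0.7' }, // "Next.js 16" row: any 16.x
  { major: 15, minor: 5, fixed: '15.5.7' },
  { major: 15, minor: 4, fixed: '15.4.8' },
  { major: 15, minor: 3, fixed: '15.3.6' },
  { major: 15, minor: 2, fixed: '15.2.6' },
  { major: 15, minor: 1, fixed: '15.1.9' },
  { major: 15, minor: 0, fixed: '15.0.5' },
];

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into a comparable tuple. The last
// element is 0 for a pre-release and 1 for a final release, so that
// 15.5.7-canary.1 sorts before 15.5.7, exactly as semver orders them.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(version.trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4] ? 0 : 1];
}

function compareVersions(a, b) {
  for (let i = 0; i < a.length; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns { status: 'patched' | 'vulnerable' | 'unlisted', version, fixed? }.
// 'unlisted' means the table has no row for this line: consult the official
// advisory and do not treat it as safe.
function assessNext(version) {
  const v = parseVersion(version);
  const row = PATCHED_NEXT.find(
    (r) => r.major === v[0] && (r.minor === null || r.minor === v[1]),
  );
  if (!row) {
    return { status: 'unlisted', version };
  }
  const patched = compareVersions(v, parseVersion(row.fixed)) >= 0;
  return { status: patched ? 'patched' : 'vulnerable', version, fixed: row.fixed };
}

// Pull the resolved version out of `npm ls next --json`, whose output has
// the shape { dependencies: { next: { version: "15.5.6" } } }. Returns null
// when next is not a direct dependency of the package.
function nextVersionFromNpmLs(npmLsJson) {
  const entry = npmLsJson?.dependencies?.next;
  if (!entry || typeof entry.version !== 'string') {
    return null;
  }
  return entry.version;
}

// Constructed sample of `npm ls next --json` output (not real data).
const SAMPLE_NPM_LS = {
  name: 'example-app',
  dependencies: { next: { version: '15.5.6' } },
};

function assessFromNpmLs(npmLsJson) {
  const version = nextVersionFromNpmLs(npmLsJson);
  return version === null ? { status: 'not-installed' } : assessNext(version);
}
```

Run it over the output of `npm ls next --json` from each deployed build, not from the repository checkout, since that is the version that actually answers requests.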

Fixing Your Application

Step 1: Update Immediately

# For Next.js: `npm update` only moves within the range declared in
# package.json, so pin the patched release for YOUR line explicitly
npm install next@15.5.7   # on the 15.5 line
npm install next@16.0.7   # on the 16 line

# For RSC outside Next.js (Vite, Parcel, React Router, Waku, ...): update
# react, react-dom and the react-server-dom-* package your bundler uses
# (for example react-server-dom-webpack)
npm update react react-dom

Step 2: Verify the Installation

# Confirm the installed version
npm list next react react-dom

# Check for known vulnerabilities
npm audit

Step 3: Add Additional Protections

Even after updating, consider implementing extra security layers. Be clear about what they buy you, though: the Origin check below is a CSRF-style control for browser traffic, not a mitigation for the RCE itself. A direct HTTP client can set any Origin header it likes, so only the patched packages close React2Shell.

// middleware.ts - CSRF-style Origin check for Server Action requests.
// Caveat: defence in depth only, NOT a fix for React2Shell. A raw HTTP client
// can send any Origin header, so this never stops a direct exploit attempt.
import { NextResponse } from 'next/server';
import type { NextRequest } from 'next/server';

// Server Actions are POSTed to the page's own URL with a `Next-Action`
// header, not to /api/*, so match every route and filter on that header.
export function middleware(request: NextRequest) {
  const isServerAction =
    request.method === 'POST' && request.headers.has('next-action');

  if (isServerAction) {
    const origin = request.headers.get('origin');
    // NEXT_PUBLIC_SITE_URL may be unset; drop undefined so that a missing
    // Origin can never accidentally match an empty allowlist entry.
    const allowedOrigins = [process.env.NEXT_PUBLIC_SITE_URL].filter(
      (o): o is string => typeof o === 'string',
    );

    if (!origin || !allowedOrigins.includes(origin)) {
      return new NextResponse('Forbidden', { status: 403 });
    }
  }

  return NextResponse.next();
}

export const config = {
  // Everything except Next.js internals and static files.
  matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
};

Additional Vulnerabilities Discovered

After the React2Shell disclosure, researchers found two more flaws:

CVE-2025-55184 - Denial of Service (High Severity)

A flaw that allowed crashing servers by sending malformed payloads:

Impact: Service unavailability
Vector: Malformed requests to RSC endpoints
Mitigation: Update to the latest patched release of your line. This fix was published after the December 3 React2Shell patch, so stopping at the first patched version is not enough.

CVE-2025-55183 - Source Code Exposure (Medium Severity)

Allowed attackers to read server source code:

Impact: Leakage of business logic and secrets
Vector: Manipulation of RSC requests
Mitigation: Update to the latest patched release of your line (published after the December 3 React2Shell fix)

Lessons Learned and Best Practices

For Developers

1. Keep dependencies updated:

# Fail the CI job when any dependency carries a High or Critical advisory
npm audit --audit-level=high

# Automate the update PRs themselves with Dependabot or Renovate

2. Monitor security advisories:

  • Subscribe to React and Next.js security mailing lists
  • Follow @nextjs and @reactjs on Twitter

3. Implement defense in depth:

  • WAF (Web Application Firewall)
  • Rate limiting
  • Input validation at all layers

For Security Teams

1. Application inventory:

  • Know which apps use RSC
  • Maintain list of versions in use

2. Incident response:

  • Have playbooks for critical vulnerabilities
  • Practice emergency updates
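Part of that playbook is knowing, after a disclosure like this one, whether anyone has already been knocking. Below is an added triage helper for incident responders; it is not from this article's author, from Vercel or from any vendor tool. It assumes an access log already parsed into objects with the fields shown in `SAMPLE_LOG` (`ts`, `ip`, `method`, `path`, `origin`, `nextAction`; adapt the names to your log pipeline) and an `ALLOWED_ORIGINS` allowlist, both assumptions for the example. Since Server Actions are POSTs carrying a Next-Action header, the helper isolates those requests and flags two things: requests whose Origin is missing or foreign, and single sources sending bursts of them. The log lines themselves are constructed, not real traffic.

```javascript
// Added IR triage helper for Server Action traffic. Field names and the
// allowlist are assumptions; the log entries are constructed samples.

const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // assumed

// Constructed sample log (already parsed; timestamps are epoch seconds).
const SAMPLE_LOG = [
  // Legitimate Server Action from a browser on the site itself.
  { ts: 1764806400, ip: '203.0.113.5', method: 'POST', path: '/dashboard',
    origin: 'https://app.example.com', nextAction: 'a1b2c3d4' },
  // Ordinary page load: not a Server Action, ignored by the triage.
  { ts: 1764806402, ip: '203.0.113.5', method: 'GET', path: '/about',
    origin: null, nextAction: null },
  // Cross-site Origin: a browser-driven attempt or a scanner imitating one.
  { ts: 1764806405, ip: '192.0.2.7', method: 'POST', path: '/',
    origin: 'https://evil.example', nextAction: 'a1b2c3d4' },
  // Six Server Action POSTs in ten seconds with no Origin header at all,
  // which is what a scripted HTTP client typically looks like.
  ...[0, 2, 4, 6, 8, 10].map((d) => ({
    ts: 1764806410 + d, ip: '198.51.100.9', method: 'POST', path: '/',
    origin: null, nextAction: 'ffffffff',
  })),
];

// A request is a Server Action invocation when it is a POST that carries a
// Next-Action header value.
function isServerActionRequest(entry) {
  return (
    entry.method === 'POST' &&
    typeof entry.nextAction === 'string' &&
    entry.nextAction.length > 0
  );
}

// Returns a list of findings: { kind: 'origin-mismatch', ... } per request
// and at most one { kind: 'burst', ... } per source IP.
function triageServerActions(
  log,
  { allowedOrigins = ALLOWED_ORIGINS, burstThreshold = 5, windowSeconds = 60 } = {},
) {
  const findings = [];
  const actionRequests = log.filter(isServerActionRequest);

  for (const e of actionRequests) {
    if (!e.origin || !allowedOrigins.has(e.origin)) {
      findings.push({ kind: 'origin-mismatch', ip: e.ip, ts: e.ts, path: e.path, origin: e.origin });
    }
  }

  // Burst detection: largest number of Server Action POSTs from one IP
  // inside any sliding window of windowSeconds.
  const byIp = new Map();
  for (const e of actionRequests) {
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e.ts);
  }
  for (const [ip, times] of byIp) {
    times.sort((a, b) => a - b);
    let best = 0;
    let start = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowSeconds) start++;
      best = Math.max(best, end - start + 1);
    }
    if (best >= burstThreshold) {
      findings.push({ kind: 'burst', ip, count: best, windowSeconds });
    }
  }
  return findings;
}
```

A finding is a lead, not proof of compromise: an Origin mismatch from a partner integration or a burst from a corporate NAT are both plausible false positives, which is why the output carries the IP, path and timestamps needed to pull the full requests for review.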

The Future of Security in React Server Components

This vulnerability raised important questions about the security of new features like RSC:

💡 Reflection: Features that "magically" serialize and deserialize data between client and server will always be attractive targets for attackers.

Expectations for 2026

From the React/Next.js side:

  • More frequent security audits
  • Deserialization sandboxing
  • Better security documentation

From the developers side:

  • Greater awareness of RSC risks
  • Adoption of static analysis tools
  • Security testing in CI/CD

Conclusion

React2Shell was a powerful reminder that even widely used technologies can contain critical flaws. The community's rapid response - with patches available in days and updates widely communicated - shows the ecosystem's maturity.

If you haven't updated your applications yet, do it now. And if you're interested in web development security, I recommend checking out another article: Docker Releases Hardened Images Catalog for Free where you'll discover how to improve the security of your containers.

Let's go! 🦅
