WARNING! – Critical React, Next.js Flaw Impacts 6% of All Websites & 39% of All Cloud Environments

“React2Shell”: The Critical Vulnerability Rocking the Web — And Why It Matters

A newly disclosed security flaw in React and Next.js — two of the most widely used tools in modern web development — has sent shockwaves through the developer and cloud-security world. Dubbed “React2Shell,” the flaw is formally tracked as CVE-2025-55182 (React) and CVE-2025-66478 (Next.js). It carries a maximum severity rating of 10.0 (CVSS), and, under default configurations, can allow unauthenticated remote code execution (RCE) on servers — essentially giving attackers full control of vulnerable backend systems.

What Is React2Shell — And How Does It Work?

At the heart of the problem lies the architecture known as React Server Components (RSC) and its internal communication protocol named “Flight.” RSC allows server-side rendering and server-side logic in React applications, enabling better performance and flexibility. In a typical setup, RSC payloads — data describing what to render or what function to call — are sent from client to server, deserialized, and executed server-side.

React2Shell exploits a fundamental flaw in that deserialization process. Malicious actors can craft specially engineered HTTP requests that contain malformed or adversarially structured RSC payloads. Because the “Flight” protocol fails to properly validate the structure of these payloads, the attacker-controlled data may be interpreted and executed as legitimate server-side code. In effect: the attacker gets to run arbitrary JavaScript on your server — no credentials, no user session, just a single HTTP request.

Crucially — this isn’t a corner-case vulnerability. Even default installations created with the standard tooling (such as create-next-app) are vulnerable. That means many newly generated websites and applications — even if they don’t explicitly use “Server Functions” — might be exposed by virtue of supporting RSC.

Scope and Impact: Why So Many Projects Are at Risk

The scale of this vulnerability is staggering. The core packages affected — react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack — are part of React versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0.

Downstream, any framework or bundler that incorporates these packages may be affected as well — including Next.js (versions 15.x and 16.x, as well as certain 14.x canary builds) and other rising frameworks and plugins such as RSC-enabled versions of Vite, Parcel, React Router, RedwoodSDK, Waku, and more.

According to cloud-security firm Wiz, roughly 39% of the cloud environments it monitors contain vulnerable instances of React or Next.js — a striking share of the internet’s backend infrastructure.

Based on usage statistics and ecosystem penetration, this vulnerability could affect millions of applications globally — from small personal websites to large-scale enterprise SaaS platforms.

Why React2Shell Is Especially Dangerous

Several factors converge to make React2Shell particularly alarming:

  • Unauthenticated & Remote: Exploitation requires no login, no special permissions — just network access.
  • Default configuration is vulnerable: Many developers using standard toolchains will be exposed without realizing it.
  • Wide ecosystem reach: Because React and Next.js underpin hundreds of thousands — likely millions — of sites and services, the attack surface is enormous.
  • Ease of exploitation: A single crafted HTTP request — nothing more — can trigger full RCE. Security firms warn exploit success rates approach “near-100% reliability.”
  • Potential for severe consequences: Successful compromise could allow full control over backend servers — data theft, database dumps, server-side manipulation, or even more — across a wide array of applications and services.

The fact that such a fundamental vulnerability was lurking in one of the most widely used web-development ecosystems — and in code paths that many assumed were “safe by default” — has shaken confidence across the JavaScript community.

What’s Already Being Done (And What You Should Do Right Now)

The disclosure process has been swift. The root vulnerability was responsibly reported by independent security researcher Lachlan Davidson on November 29, 2025. The teams behind React and Next.js moved quickly: by December 3 they had publicly disclosed the flaw and released patched versions.

As of now:

  • React packages are patched in versions 19.0.1, 19.1.2, and 19.2.1.
  • Next.js patched releases include 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7.

Major infrastructure and cloud-hosting providers have already begun mitigation measures: for example, Google Cloud published guidance advising customers to update immediately or apply temporary Web Application Firewall (WAF) rules to block exploit attempts.

But patches and WAF rules are just the start. Security analysts and defenders warn that:

  • All affected projects — even newly created ones — must audit dependencies (package.json, package-lock.json) to check for vulnerable versions of React or any RSC-enabled library.
  • Applications built on frameworks like Next.js, or using bundlers/plugins that support RSC (Vite-RSC, Parcel-RSC, etc.), should upgrade immediately — even if they believe they aren’t using “server functions.”
  • Exposure from public servers is especially risky — any internet-facing React/Next.js server could be probed and exploited.
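The dependency audit the first bullet calls for, as an added example that is not from the article or from any of the projects it names: a small Node.js script that walks a parsed package-lock.json and flags the React and Next.js versions listed above. It relies only on the standard npm v2/v3 lockfile layout (a `packages` map keyed by `node_modules/<name>` paths); the sample lockfile is constructed.

```javascript
// Added example, not from the article: flag the React / Next.js versions the article
// lists as affected by React2Shell in a parsed npm package-lock.json (lockfile v2/v3).
// Packages the article names (plus "react" itself, since fixes ship as React releases).
const REACT_PKGS = new Set(["react", "react-server-dom-webpack",
  "react-server-dom-turbopack", "react-server-dom-parcel"]);
const VULN_REACT = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);  // exact affected versions
// First patched Next.js release on each minor line, per the article.
const NEXT_FIXED = { "15.0": 5, "15.1": 9, "15.2": 6, "15.3": 6, "15.4": 8, "15.5": 7, "16.0": 7 };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || "" } : null;
}

// "vulnerable": below the first fixed release; "review": a line the article does not
// enumerate (14.x canaries, newer 15.x/16.x minors, prereleases of the fixed patch).
function assess(name, version) {
  const p = parseVersion(version);
  if (!p) return "review";                        // unparsable (git URL, tag, etc.)
  if (REACT_PKGS.has(name)) return VULN_REACT.has(version) ? "vulnerable" : "ok";
  if (name !== "next") return "ok";
  const fixed = NEXT_FIXED[`${p.major}.${p.minor}`];
  if (fixed === undefined)
    return p.major >= 15 || (p.major === 14 && p.pre.includes("canary")) ? "review" : "ok";
  if (p.patch < fixed) return "vulnerable";
  return p.patch === fixed && p.pre ? "review" : "ok";
}

// Walks every installed copy (nested node_modules included) in a parsed lockfile.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path || !entry.version) continue;        // "" is the root project entry
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const status = assess(name, entry.version);
    if (status !== "ok") findings.push({ path, name, version: entry.version, status });
  }
  return findings;
}

// Constructed sample: a vulnerable Next.js, a patched React, a nested vulnerable RSC
// package pulled in by a plugin, and a 16.x minor line the article does not list.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "shop-frontend" }, "node_modules/next": { version: "15.5.6" },
  "node_modules/react": { version: "19.2.1" },
  "node_modules/some-rsc-plugin/node_modules/react-server-dom-webpack": { version: "19.1.1" },
  "node_modules/admin-app/node_modules/next": { version: "16.1.0" },
} };
for (const f of scanLockfile(SAMPLE_LOCK)) console.log(`${f.status.toUpperCase()}: ${f.name}@${f.version} (${f.path})`);
```

To scan a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a “review” result means the version sits on a line the article does not enumerate and must be checked manually against the current advisory.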

Security researchers have warned that actual “in-the-wild” exploitation is likely imminent — if not already underway.

What This Means for the Web Ecosystem — And What to Watch

React2Shell is more than a simple bug — it is a systemic failure in a core deserialization mechanism, and a serious wake-up call for the entire JavaScript ecosystem.

  • For open-source maintainers and library authors: This is a strong reminder that default configurations are not always safe. Any code — even internal protocol code like RSC “Flight” — can become a dangerous vector if input handling and validation are lax.
  • For web developers and DevOps teams: Dependency hygiene — long an afterthought — must now become a priority. Regular audits, component version checks, and aggressive patching cycles should be considered baseline security hygiene.
  • For cloud providers and hosting platforms: Default firewall or WAF protections may help in the short term — but long-term security requires dependency management and systematic patching.
  • For users and end-customers of web services: Follow-up patches may cause disruptions or forced version roll-outs, but the risks of inaction — data breaches, server takeover, or persistent backdoors — are far greater.

In short: React2Shell is a stark reminder that popularity does not equal safety. Even tools used by millions — and trusted by top companies worldwide — can conceal critical architectural flaws. The speed with which this vulnerability was discovered, disclosed, and patched speaks to the value of responsible security research — but also to the fragility of modern web-development ecosystems.

Conclusion: If You Use React or Next.js — Don’t Wait

If your project uses React 19.x, Next.js (with App Router), or any framework/plugin that supports React Server Components — assume you are vulnerable unless proven otherwise. The fix is out now. Upgrade immediately to the patched versions. Audit your dependencies. Apply WAF or other mitigations if your app is publicly exposed. And for the long haul — lock in secure development practices, dependency hygiene, and proactive patch management.

React2Shell is not just another CVE; it’s a seminal event for web security — and a warning echoing across the JavaScript ecosystem.

WarMax356 Founder