<QDev>

We are a creative development agency, pairing creative flair with expert & quick development!

15+ years of combined experience

English, Welsh
React2Shell (CVE-2025-55182): What It Is and What You Must Do Now

Dec 15, 2025

On 3 December 2025, a critical remote code execution vulnerability in React Server Components, now referred to as React2Shell (CVE-2025-55182), was publicly disclosed and quickly began to see active exploitation.

For teams using modern React stacks, particularly those built on Next.js and React Server Components (RSC), this is not a theoretical issue. It is an immediate, high-impact risk that requires action.

Why This Matters

React Server Components introduce a powerful shift in how React applications are built, allowing parts of the component tree to execute on the server.

React2Shell exploits a flaw in this model.

The vulnerability stems from unsafe deserialization within the React Server Components “Flight” protocol, the internal mechanism used to send component data between the server and client.

By sending a specially crafted request, an attacker can trigger unauthenticated remote code execution (RCE) on the server.

Key facts:
  • No authentication required

  • CVSS score: 10.0 (Critical)

  • Exploits and scanners appeared publicly shortly after disclosure

  • Successful exploitation allows arbitrary code execution as the application process

In short, this is a full server compromise vector.

What Is Affected

The vulnerability affects React Server Components packages in versions:

  • 19.0.0 to 19.2.0

Including:

  • react-server-dom-webpack

  • react-server-dom-parcel

  • react-server-dom-turbopack

Frameworks such as Next.js that bundle these packages are affected unless patched.

If your application uses:

  • React Server Components

  • Server Actions or Server Functions

  • App Router based rendering

You should assume you are in scope until proven otherwise.

What You Should Do Immediately

1. Audit Your Dependencies

Identify whether your application directly or indirectly uses React Server Components.

Check:

  • Framework versions

  • Lockfiles

  • Transitive dependencies in CI/CD pipelines

2. Upgrade to Patched Versions

React has released patched versions that address the unsafe deserialization issue:

  • 19.0.1

  • 19.1.2

  • 19.2.1 and later

For Next.js users, ensure you upgrade to a version that explicitly includes the patched RSC dependencies.

Do not assume a framework upgrade automatically resolves this. Verify what is actually deployed.

3. Validate Production Deployments

We regularly see teams upgrade locally but continue running vulnerable versions in production due to:

  • Cached build artefacts

  • Stale containers

  • Partial CI rollouts

Confirm the deployed artefact, not just the repository state.
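The audit in steps 1 to 3 can be scripted. The following is an added example, not code from the original post or from QZee Dev: it walks the "packages" map of a lockfileVersion 2/3 package-lock.json (the lockfile below is constructed) and classifies every react-server-dom-* entry against the affected and patched versions listed above; pre-release (canary/rc) versions are flagged for manual review because the advisory's version numbers do not cover them. Pointing the same check at the package.json files under a deployed container's node_modules confirms the artefact rather than the repository.

```javascript
// Added example (not from the original post): flag React Server Components
// packages whose version is in the affected range (19.0.0 - 19.2.0) and below
// the patched release for its minor line (19.0.1, 19.1.2, 19.2.1).
const AFFECTED_PACKAGES = new Set([
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
]);

// First patched patch level per 19.x minor line, as listed in the advisory.
const PATCHED_PATCH_LEVEL = { 0: 1, 1: 2, 2: 1 };

// Returns 'vulnerable', 'patched', 'unaffected' or 'review'. Pre-release and
// unparseable versions get 'review' (assumption: they need a human look).
function classifyVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.*)?$/.exec(version);
  if (!m) return 'review';
  if (m[4]) return 'review'; // canary / rc build: check manually
  const [major, minor, patch] = m.slice(1, 4).map(Number);
  if (major !== 19 || minor > 2) return 'unaffected'; // 19.3+ postdates the fix
  return patch >= PATCHED_PATCH_LEVEL[minor] ? 'patched' : 'vulnerable';
}

// Walks the "packages" map of a lockfileVersion 2/3 package-lock.json. Keys
// look like "node_modules/next/node_modules/react-server-dom-webpack", so a
// transitive copy nested under a framework is caught as well as the top-level one.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!AFFECTED_PACKAGES.has(name) || !entry.version) continue;
    findings.push({ path, name, version: entry.version, status: classifyVersion(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile: one patched, one nested vulnerable, one canary copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/react': { version: '19.2.1' },
    'node_modules/react-server-dom-webpack': { version: '19.2.1' },
    'node_modules/next/node_modules/react-server-dom-turbopack': { version: '19.1.1' },
    'node_modules/react-server-dom-parcel': { version: '19.2.0-canary-abc123' },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`);
}
```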

4. Harden and Monitor

Even after patching:

  • Increase logging around RSC endpoints

  • Monitor for anomalous request patterns

  • Consider WAF rules where appropriate

Critical vulnerabilities are often re-targeted weeks after initial disclosure.

The Bigger Lesson

React2Shell is a reminder that modern abstractions collapse traditional security boundaries.

When client and server responsibilities blur, the cost of unsafe assumptions rises sharply.

At QZee Dev, we treat security as an architectural concern, not a post-launch checklist item. New capabilities must be adopted deliberately, with a clear understanding of the risks they introduce alongside the benefits.

Innovation without discipline doesn’t move fast.
It moves recklessly.

If you’re unsure whether your systems are affected, or want a second set of eyes across your React or Next.js estate, now is the time to audit, not after an incident forces the conversation.

Delivered 3 projects, tackled 2 challenges