Critical remote code execution vulnerabilities reported in React and Next.js
Take action: If you're running React 19.x or Next.js 15.x/16.x (or frameworks using React Server Components like Waku or Redwood), attackers can take complete control of your servers with no authentication needed. Plan a VERY QUICK upgrade to the latest patched versions - this is the only fix available, so prioritize this update now.
React and Next.js have patched critical security vulnerabilities in their frameworks.
Vulnerabilities summary:
- CVE-2025-55182 (CVSS score 10.0) affecting React Server Components
- CVE-2025-66478 (CVSS score 10.0) affecting Next.js
The flaws are dubbed React2Shell.
Both are unauthenticated remote code execution vulnerabilities in the React Server Components "Flight" protocol. They allow attackers to execute arbitrary code on servers through specially crafted HTTP requests. Default configurations are vulnerable, so a standard Next.js application created with create-next-app and built for production can be exploited. Testing has demonstrated near 100% reliability in exploitation attempts.
The vulnerability is caused by insecure deserialization in the RSC payload handling logic. When a server receives a malformed payload, it fails to validate the structure correctly, allowing attacker-controlled data to influence server-side execution logic and resulting in the execution of privileged JavaScript code.
Affected versions include:
- React: versions 19.0.0, 19.1.0, and 19.2.0
- Next.js: versions 14.3.0-canary (canary.77 and later), 15.x, and 16.x when using the App Router
The vulnerability extends beyond React and Next.js to any framework or library bundling the react-server implementation, including Vite RSC plugin, Parcel RSC plugin, React Router RSC preview, RedwoodSDK, and Waku.
Next.js 13.x, Next.js 14.x stable releases, applications using the Pages Router, and the Edge Runtime are not affected by this vulnerability.
Wiz Research data shows that 39% of cloud environments contain instances of Next.js or React in versions vulnerable to these CVEs. Next.js is present in 69% of environments, and 61% of those have public applications running the framework, so 44% of all cloud environments have publicly exposed Next.js instances.
Patched versions are available and organizations should upgrade immediately.
- React has released hardened versions 19.0.1, 19.1.2, and 19.2.1 that address the vulnerability.
- Next.js has issued patches in versions 14.3.0-canary.88, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7.
Organizations using Next.js 14.3.0-canary.77 or later canary releases should downgrade to the latest stable 14.x release. There is no configuration option to disable the vulnerable code path, making immediate patching the only definitive mitigation strategy.
Security teams should prioritize upgrading React and all dependencies to the hardened versions listed above. Organizations using other RSC-enabled frameworks such as Redwood, Waku, Vite RSC plugin, Parcel RSC plugin, or React Router should check their official channels for updates regarding the bundled react-server version and update immediately.
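To make the "upgrade to the hardened versions" step checkable, here is an added example (not code from the advisory, from Wiz, or from the React or Next.js projects) that classifies resolved React and Next.js versions against the affected and patched versions listed above and scans a package-lock.json style "packages" map for both dependencies. The lockfile fragment at the bottom is a constructed sample. One assumption is built in: any release below the fixed version on the same minor line (for example 19.1.1, which the advisory does not mention) is reported as vulnerable rather than as safe, and minor lines the advisory does not cover are reported as "unknown" for manual review.

```javascript
// Added example: classify React / Next.js versions against the advisory's
// affected and fixed versions for CVE-2025-55182 / CVE-2025-66478 (React2Shell).

// Fixed versions from the advisory, keyed by the minor line each one patches.
const REACT_FIXED = { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' };
const NEXT_FIXED = {
  '15.0': '15.0.5', '15.1': '15.1.9', '15.2': '15.2.6', '15.3': '15.3.6',
  '15.4': '15.4.8', '15.5': '15.5.7', '16.0': '16.0.7',
};
// Next.js 14.3.0 canaries: canary.77 and later ship the vulnerable code, canary.88 fixes it.
const NEXT_CANARY_FIRST_BAD = 77;
const NEXT_CANARY_FIXED = 88;

// Parse "major.minor.patch[-prerelease]" into comparable parts; null if unparseable.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Compare the release parts (major.minor.patch) numerically: -1, 0 or 1.
function compareRelease(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  return 0;
}

// Assumption: anything below the fixed release on the same line is vulnerable.
// A prerelease of the fixed version (e.g. 15.5.7-canary.1) sorts before the release.
function statusAgainstFixed(v, fixed) {
  const c = compareRelease(v, parseVersion(fixed));
  if (c > 0) return 'patched';
  if (c === 0) return v.pre ? 'vulnerable' : 'patched';
  return 'vulnerable';
}

// Classify a React version: 'patched', 'vulnerable', 'not-affected' or 'unknown'.
function checkReact(version) {
  const v = parseVersion(version);
  if (!v) return 'unknown';
  if (v.major !== 19) return 'not-affected';          // only 19.x is listed as affected
  const fixed = REACT_FIXED[`${v.major}.${v.minor}`];
  if (!fixed) return 'unknown';                        // minor line not covered by the advisory
  return statusAgainstFixed(v, fixed);
}

// Classify a Next.js version. appRouter=false (Pages Router only) is unaffected per the advisory.
function checkNext(version, { appRouter = true } = {}) {
  const v = parseVersion(version);
  if (!v) return 'unknown';
  if (!appRouter) return 'not-affected';
  if (v.major < 14) return 'not-affected';             // 13.x is unaffected
  if (v.major === 14) {
    // 14.x stable is unaffected; only 14.3.0-canary.77 and later canaries are vulnerable.
    const isCanaryLine = v.pre && v.minor === 3 && v.patch === 0;
    const canary = isCanaryLine ? /^canary\.(\d+)$/.exec(v.pre) : null;
    if (!canary) return v.pre ? 'unknown' : 'not-affected';
    const n = +canary[1];
    if (n < NEXT_CANARY_FIRST_BAD) return 'not-affected';
    return n >= NEXT_CANARY_FIXED ? 'patched' : 'vulnerable';
  }
  const fixed = NEXT_FIXED[`${v.major}.${v.minor}`];
  if (!fixed) return 'unknown';
  return statusAgainstFixed(v, fixed);
}

// Walk a package-lock.json "packages" map and report every react / next entry,
// including nested copies under other packages' node_modules directories.
function scanLockfile(lock, opts) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (name === 'react') {
      findings.push({ path, name, version: entry.version, status: checkReact(entry.version) });
    } else if (name === 'next') {
      findings.push({ path, name, version: entry.version, status: checkNext(entry.version, opts) });
    }
  }
  return findings;
}

// Constructed sample lockfile fragment (not taken from any real project).
const SAMPLE_LOCK = {
  packages: {
    '': { name: 'sample-app', version: '0.0.1' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/next': { version: '15.5.7' },
    'node_modules/some-tool/node_modules/react': { version: '18.3.1' },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(12)} ${f.name}@${f.version}  (${f.path})`);
}
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of the project's package-lock.json and pass `{ appRouter: false }` only if the application uses the Pages Router exclusively; nested copies of react are reported separately because a patched top-level react does not fix a vulnerable copy bundled under another dependency.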
Update - as of the 5th of December, these flaws are being actively exploited.
As of 7th of December, a free tool was published to help with detecting and patching the vulnerability.