Critical React, Next.js Flaw Allows Hackers to Execute Server Code
A critical vulnerability, identified as “React2Shell,” has been found in React Server Components (RSC). This flaw allows remote code execution (RCE) in React and Next.js applications without authentication. The issue originates from insecure deserialization and has received a maximum severity score of 10/10. It has been registered under CVE-2025-55182 for React and CVE-2025-66478 for Next.js.
Discovery and Impact
Security researcher Lachlan Davidson discovered this serious security issue on November 29, 2023. Davidson reported that attackers can execute remote code by sending crafted HTTP requests to React Server Function endpoints. Notably, even applications that do not implement React Server Function endpoints may still be susceptible if they support React Server Components (RSC).
Vulnerable Packages
The following packages, in their default configuration, are affected:
- react-server-dom-parcel
- react-server-dom-turbopack
- react-server-dom-webpack
React is an open-source JavaScript library maintained by Meta for building user interfaces. Next.js, developed by Vercel, builds on React and adds features such as server-side rendering and API endpoints.
Prevalence of the Vulnerability
According to research conducted by Wiz, approximately 39% of the cloud environments analyzed contain instances of vulnerable React or Next.js applications. This includes versions susceptible to CVE-2025-55182, CVE-2025-66478, or both. The flaw primarily resides within the ‘react-server’ package used by React Server Components, with Next.js inheriting the vulnerability through its implementation of the RSC “Flight” protocol.
Exploitation Risks
Endor Labs, a software supply-chain security firm, explains that React2Shell involves a validation failure when the server processes malformed data from an attacker. This failure enables the execution of privileged JavaScript code in the server environment.
While proof-of-concept (PoC) exploits exist, Davidson warns that many are non-functional. For instance, fake PoCs may employ functions such as vm#runInThisContext and child_process#exec. However, genuine exploitation does not require these functions, particularly as Next.js manages server functions automatically.
Recommended Solutions
To mitigate risks, developers are urged to update their frameworks promptly. The following versions include critical fixes:
- React versions: 19.0.1, 19.1.2, 19.2.1
- Next.js versions: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7
Organizations should conduct audits to determine if they are utilizing a vulnerable version and take necessary actions to mitigate risk.
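One way to carry out the audit recommended above is to compare every installed copy of the affected packages against the fixed releases the article lists. The script below is an added example, not code from the React, Next.js or Wiz projects. It assumes an npm package-lock.json with lockfileVersion 2 or 3 (whose "packages" map keys each installed copy by its node_modules path, so nested duplicates are found as well), and it assumes that the react-server-dom-* packages carry the same version numbers as React itself. The sample lockfile is constructed for illustration. Versions on a major.minor line for which the article lists no fix are reported as "unlisted" rather than guessed at, and a prerelease such as 19.2.1-canary is treated as older than the 19.2.1 release it precedes.

```javascript
// Added example: audit a package-lock.json for React2Shell-affected packages
// and compare each installed version with the fixed releases named above.
// Not code from the React or Next.js projects.

const FIXED_RELEASES = {
  // React 19 fix lines; the react-server-dom-* packages are assumed here to
  // follow React's own version numbers (an assumption, not stated by the article).
  react: ['19.0.1', '19.1.2', '19.2.1'],
  'react-server-dom-webpack': ['19.0.1', '19.1.2', '19.2.1'],
  'react-server-dom-turbopack': ['19.0.1', '19.1.2', '19.2.1'],
  'react-server-dom-parcel': ['19.0.1', '19.1.2', '19.2.1'],
  // Next.js fix lines, as listed in the article
  next: ['15.0.5', '15.1.9', '15.2.6', '15.3.6', '15.4.8', '15.5.7', '16.0.7'],
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numbers; a prerelease tag is
// recorded so that 19.2.1-canary can be ranked below the 19.2.1 release.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: Boolean(m[4]) };
}

// Classify one installed version of a package:
//   'fixed'       at or above the fixed release on its major.minor line
//   'vulnerable'  below the fixed release on that line (prereleases included)
//   'unlisted'    no fixed release is listed for that line; verify manually
//   'not-tracked' not one of the packages we care about
function classify(name, version) {
  const fixes = FIXED_RELEASES[name];
  if (!fixes) return 'not-tracked';
  const v = parseVersion(version);
  if (!v) return 'unlisted';
  for (const f of fixes) {
    const fv = parseVersion(f);
    if (fv.major === v.major && fv.minor === v.minor) {
      if (v.patch > fv.patch) return 'fixed';
      if (v.patch === fv.patch && !v.prerelease) return 'fixed';
      return 'vulnerable';
    }
  }
  return 'unlisted';
}

// Walk the lockfile "packages" map. Every dependency entry, nested ones
// included, has a key ending in "node_modules/<name>"; the root project
// entry ("") and workspace paths without node_modules/ are skipped.
function auditLockfile(lock) {
  const findings = [];
  const marker = 'node_modules/';
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    if (idx === -1 || !entry || !entry.version) continue;
    const name = path.slice(idx + marker.length);
    const status = classify(name, entry.version);
    if (status === 'not-tracked') continue;
    findings.push({ path, name, version: entry.version, status });
  }
  return findings;
}

// Count findings per status so a CI job can fail on any 'vulnerable' hit.
function summarize(findings) {
  const counts = { vulnerable: 0, fixed: 0, unlisted: 0 };
  for (const f of findings) counts[f.status] += 1;
  return counts;
}

// Constructed sample lockfile (not from any real project).
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/next': { version: '15.4.2' },                         // below 15.4.8
    'node_modules/react': { version: '19.2.1' },                        // fixed
    'node_modules/react-server-dom-webpack': { version: '19.2.1-canary-abc' }, // prerelease of the fix
    'node_modules/some-lib': { version: '2.0.0' },                      // not tracked
    'node_modules/some-lib/node_modules/react': { version: '19.1.0' },  // nested copy, below 19.1.2
    'node_modules/old-tool/node_modules/next': { version: '14.2.0' },   // no fix line listed
  },
};

const findings = auditLockfile(SAMPLE_LOCK);
for (const f of findings) {
  console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`);
}
console.log(summarize(findings));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; for yarn or pnpm lockfiles the same classify() applies once the installed name/version pairs have been extracted. Nested copies matter here because a dependency may pin its own older React or Next.js under its node_modules directory even after the top-level package has been upgraded.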
Popularity of React and Next.js
The widespread use of these frameworks is evident, with React amassing approximately 55.8 million weekly downloads, while Next.js has around 16.7 million downloads on the Node Package Manager (NPM). Developers are encouraged to stay informed about vulnerabilities to maintain the security and integrity of their applications.