React2Shell (CVE-2025-55182): Critical RCE in React Server Components — What’s Affected and How to Patch

In December 2025, the React ecosystem received a high-severity alert: a critical CVSS 10.0 vulnerability in React Server Components (RSC), commonly referenced as “React2Shell” (CVE-2025-55182). This is not a typical front-end XSS problem. It affects server-side RSC processing and, in exposed deployments, can lead to remote code execution (RCE).
Why this matters: modern stacks (especially Next.js App Router) widely rely on RSC by default. That means the server attack surface can be larger than many teams expect. If your app is public and uses RSC and/or Server Actions, treat this as a patch-now incident.
What is CVE-2025-55182 (React2Shell)?
CVE-2025-55182 is a critical security vulnerability in RSC server packages (the “Flight” protocol / server-side component rendering). In affected versions, insufficient payload validation may allow an attacker to craft requests that trigger unsafe server-side behavior — up to RCE under certain conditions.
Who is affected?
You are at higher risk if any of the following is true:
- You run Next.js App Router in production (RSC commonly enabled by default)
- You use Server Actions / server function endpoints (or similar server-side endpoints that interact with RSC)
- Your deployment includes react-server-dom-* packages used by RSC
- Your RSC endpoints are publicly reachable and not protected by strict filtering/rate-limiting
Important nuance: even if you don’t intentionally expose server function endpoints, you may still be vulnerable if your app supports React Server Components. That’s why this is treated as a broad ecosystem issue.
What can attackers do?
In the worst case, exploitation can result in remote code execution on the application server. Practically, that can mean:
- Reading secrets and environment variables (API keys, tokens, DB credentials)
- Deploying backdoors or persistence mechanisms (depending on server permissions)
- Pivoting into internal services if network access is open
- Impacting availability and business continuity
Related follow-up issues: CVE-2025-55183 and CVE-2025-55184 (and addendum CVE-2025-67779)
After the initial React2Shell disclosure, additional RSC issues were published: source code exposure (CVE-2025-55183) and denial of service (CVE-2025-55184). Some advisories later clarified that an initial DoS fix was incomplete and a complete fix was issued under CVE-2025-67779. The key takeaway is simple: do not stop at the first patch — upgrade to the latest recommended fixed versions.
Immediate remediation checklist (patch fast, then verify)
Treat this as an incident response task. The goal is not only upgrading dependencies, but also ensuring production truly runs the patched artifacts.
- Inventory: confirm whether your apps use RSC/App Router/Server Actions
- Patch: upgrade React RSC server packages and framework versions to patched releases
- Rebuild and redeploy: do not rely on partial installs; ensure lockfiles and build outputs update
- Verify: confirm patched versions are present in the deployed artifact (container/image/build output)
- Monitor: check logs for unusual spikes on RSC endpoints and 5xx bursts
- Rotate secrets if you suspect exposure during the vulnerable window
If you use Next.js: the fastest safe fix
Next.js published a dedicated security advisory and provides a fix tool that can analyze and bump versions deterministically. For many teams, upgrading Next.js to the recommended patched version and rebuilding is the cleanest approach.
- Follow the Next.js advisory and upgrade to the recommended patched versions
- Run the official fix tool (helps prevent mistakes across multiple apps)
- Invalidate build caches if necessary, then redeploy
- Confirm production is running patched packages (not only local dev)
Verification: how to be sure production is patched
A common failure mode is “we upgraded locally” but production still runs an old image or cached build. Verification should be mandatory.
- Check deployed versions of react-server-dom-webpack / react-server-dom-parcel / react-server-dom-turbopack (as applicable)
- Confirm Next.js/React versions in production match the advisory recommendations
- Review reverse proxy/WAF logs for suspicious request patterns (unusual payload size, repeated errors)
- Add short-term alerting for abnormal error spikes (useful for DoS attempts)
Hardening after patch (reduce blast radius)
Patching is step one. Hardening reduces the impact of future 0-days.
- Run the app with least-privilege credentials (minimal DB permissions)
- Restrict outbound (egress) from app containers where feasible
- Rate-limit and filter high-risk endpoints at the edge (WAF/proxy)
- Keep CI/CD tokens and secrets tightly scoped and rotated
- Prefer short-lived credentials where possible
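One concrete form of the "rate-limit and filter high-risk endpoints" item, as an added example that is not from any advisory or from the Next.js project: an in-memory token-bucket guard for a Node reverse proxy (or a single-instance app) that caps request-body size and rate-limits POST and `_rsc` requests per client IP. The 256 KiB body cap, the bucket sizes and the rule for what counts as high-risk traffic are assumptions to tune for your application; a multi-instance edge needs a shared store instead of a per-process Map.

```javascript
// Added example (not from any advisory): a token-bucket edge guard that caps
// request bodies and rate-limits RSC/Server Action traffic per client.

// Classic token bucket: `capacity` requests of burst, refilled at `refillPerSecond`.
class TokenBucket {
  constructor(capacity, refillPerSecond, now) {
    this.capacity = capacity;
    this.refillPerSecond = refillPerSecond;
    this.tokens = capacity;
    this.updatedAt = now;
  }
  // Returns true and consumes one token if the request may proceed.
  take(now) {
    const elapsedSec = Math.max(0, now - this.updatedAt) / 1000;
    this.tokens = Math.min(this.capacity, this.tokens + elapsedSec * this.refillPerSecond);
    this.updatedAt = now;
    if (this.tokens < 1) return false;
    this.tokens -= 1;
    return true;
  }
}

// Assumption: Server Actions arrive as POSTs to page routes and RSC navigations
// carry an `_rsc` query parameter; everything else passes through untouched.
function isHighRiskRequest(req) {
  return req.method === "POST" || /[?&]_rsc=/.test(req.path);
}

// Build a guard function. `req` is { ip, method, path, contentLength };
// the verdict is { allow, status?, reason? } for the caller to turn into a response.
function createEdgeGuard({ maxBodyBytes = 256 * 1024, burst = 20, refillPerSecond = 5 } = {}) {
  const buckets = new Map(); // client ip -> TokenBucket
  function guard(req, now = Date.now()) {
    if (!isHighRiskRequest(req)) return { allow: true };
    if (req.contentLength > maxBodyBytes) {
      return { allow: false, status: 413, reason: "request body exceeds cap" };
    }
    let bucket = buckets.get(req.ip);
    if (!bucket) {
      bucket = new TokenBucket(burst, refillPerSecond, now);
      buckets.set(req.ip, bucket);
    }
    if (!bucket.take(now)) return { allow: false, status: 429, reason: "rate limited" };
    return { allow: true };
  }
  // Drop buckets idle longer than idleMs so the Map cannot grow without bound;
  // call it periodically. Returns the number of buckets still tracked.
  guard.prune = (now, idleMs) => {
    for (const [ip, b] of buckets) if (now - b.updatedAt > idleMs) buckets.delete(ip);
    return buckets.size;
  };
  return guard;
}

// Wiring into a plain Node http proxy would look like this (constructed sketch):
//   const guard = createEdgeGuard();
//   const verdict = guard({
//     ip: req.socket.remoteAddress,
//     method: req.method,
//     path: req.url,
//     contentLength: Number(req.headers["content-length"] || 0),
//   });
//   if (!verdict.allow) { res.writeHead(verdict.status); res.end(verdict.reason); return; }
```

Rejecting on the declared Content-Length is only a first line of defense; the proxy must also cut the connection once the streamed body passes the cap, and the 429 counts belong in the same alerting as the 5xx bursts described earlier.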
Bonus: Vite dev server risk (CVE-2025-30208) — don’t expose dev to the internet
Separate from React2Shell, Vite’s dev server had a critical arbitrary file read issue (CVE-2025-30208). This primarily becomes dangerous if you run the dev server with network exposure (e.g., --host) in untrusted environments.
- Never expose Vite dev server publicly
- Upgrade Vite to patched versions if used internally
- Restrict dev tools behind VPN/IP allowlists
- Assume secrets may be at risk if dev server was exposed
References (official sources)
- React advisory (CVE-2025-55182): https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
- React follow-up (CVE-2025-55183/55184): https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
- Next.js advisory + fix tool: https://nextjs.org/blog/CVE-2025-66478
- Fix tool repo: https://github.com/vercel-labs/fix-react2shell-next
- Vercel bulletin: https://vercel.com/react2shell
- Microsoft analysis: https://www.microsoft.com/en-us/security/blog/2025/12/15/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components/
- Vite dev server GHSA example: https://github.com/advisories/GHSA-x574-m823-4x7w
- CVE-2025-30208 explainer: https://www.offsec.com/blog/cve-2025-30208/
Conclusion
React2Shell is a reminder that modern web performance features can introduce new server-side attack surfaces. The right response is disciplined execution: patch quickly, rebuild/redeploy, verify production, monitor signals, and harden your environment. If you run Next.js App Router with RSC/Server Actions, this should be priority #1.

