React2Shell vulnerability
Published: December 4, 2025
Updates:
Updated: December 12, 2025
The React Server Components vulnerability has been branded as React2Shell and continues to draw great attention as many malicious actors, including multiple nation-state groups, are aggressively exploiting it. The number of proof-of-concept (PoC) exploits is also growing, with VulnCheck saying it is nearing 100, which is unheard of. Two additional React vulnerabilities have been identified, although they are not as severe a threat as the initial one.
The short answer is that if you are running an unpatched version of React or any of the related frameworks, it MUST be patched now, or the server should be disconnected or shut down until it can be patched.
Summary:
A critical remote code execution vulnerability (CVE-2025-55182) has been found in React Server Components and in widely used frameworks such as Next.js. The flaw, rated CVSS 10.0, allows attackers to exploit unsafe deserialization via crafted HTTP requests, making exploitation easy and imminent. With an estimated 39% of cloud environments exposed, experts urge immediate upgrades to patched versions and warn that relying solely on WAF mitigations is insufficient.
“No proof of exploitation has been recorded yet, but multiple Proofs of Concept (PoC) have been released. Due to the CVSS 10.0 rating and network accessibility, this vulnerability must be treated as easily exploitable, and mitigations should be applied as soon as possible.”
Vulnerability details:
- CVE IDs: CVE-2025-55182, CVE-2025-55183, and CVE-2025-55184
- CVSS Rating: 10.0
- Details: CVE-2025-66478 is a critical-severity flaw that stems from unsafe deserialization in the React Server Components “Flight” protocol, enabling attackers to send malicious payloads that influence server-side execution paths. Exploitation can be achieved via a crafted HTTP request, making standard deployments immediately at risk.
- Impacted versions: The bug affects versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:
It also affects the default configuration of several React frameworks and bundlers, including:
- react-router
- Waku
- @parcel/rsc
- @vitejs/plugin-rsc
- RedwoodSDK (rwsdk)
- Next.js 15.x and 16.x using the App Router
- Affected platforms: Assorted platforms
Recommendations:
A fix was introduced in React versions 19.0.1, 19.1.2, and 19.2.1. If you are using any of these packages, please upgrade to the corresponding fixed version immediately.
Next.js has released fixed versions 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7.
For other frameworks and bundlers, monitor their release pages for updates.
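As an added example (not part of this advisory or of the React or Next.js projects), the following Node.js script compares the resolved versions of `react` and `next` in a project against the affected and fixed versions listed above and reports each as patched, affected, pre-release (needs manual confirmation), or not covered by the advisory. It assumes only those two package names; the advisory's list of affected server-component packages is not reproduced here, and the `auditResolved` function, the sample input and the status strings are this example's own.

```javascript
"use strict";

// Added example, not part of the advisory: compares a resolved React or Next.js
// version against the affected and fixed versions the advisory lists. Only the
// package names "react" and "next" are assumed; the advisory's list of affected
// server-component packages is not reproduced here.

// Fixed releases as stated in the advisory.
const FIXED = {
  // React: affected 19.0, 19.1.0, 19.1.1, 19.2.0; fixed in 19.0.1, 19.1.2, 19.2.1
  react: ["19.0.1", "19.1.2", "19.2.1"],
  // Next.js (App Router) 15.x and 16.x: one fixed release per minor line
  next: ["15.0.5", "15.1.9", "15.2.6", "15.3.6", "15.4.8", "15.5.7", "16.0.7"],
};

// Major release lines the advisory calls out as affected.
const AFFECTED_MAJORS = { react: [19], next: [15, 16] };

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; missing parts default to 0, so "19.0" === "19.0.0".
function parseVersion(v) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(-[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return {
    parts: [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0)],
    prerelease: Boolean(m[4]),
  };
}

// Numeric comparison of the MAJOR.MINOR.PATCH triples; returns -1, 0 or 1.
function compareVersions(a, b) {
  const x = parseVersion(a).parts, y = parseVersion(b).parts;
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Classify one resolved version: "patched", "affected", "pre-release"
// (needs manual confirmation) or "not-listed" (release line not covered by the advisory).
function checkVersion(pkg, installed) {
  const fixed = FIXED[pkg];
  if (!fixed) throw new Error(`no advisory data for package ${pkg}`);
  const { parts: [major, minor], prerelease } = parseVersion(installed);
  if (prerelease) return "pre-release";
  if (!AFFECTED_MAJORS[pkg].includes(major)) return "not-listed";
  // Find the fixed release on the same MAJOR.MINOR line as the installed version.
  const line = fixed.find((f) => {
    const [fm, fn] = parseVersion(f).parts;
    return fm === major && fn === minor;
  });
  if (!line) return "not-listed";
  return compareVersions(installed, line) >= 0 ? "patched" : "affected";
}

// Audit a map of package -> resolved version. Take the versions from the lockfile
// or from `npm ls react next --json`, not from package.json ranges like "^19.1.1":
// a range says nothing about which version is actually installed.
function auditResolved(resolved) {
  const report = {};
  for (const [pkg, version] of Object.entries(resolved)) {
    if (pkg in FIXED) report[pkg] = checkVersion(pkg, version);
  }
  return report;
}

// Constructed sample input, not taken from any real project.
const sampleResolved = { react: "19.1.1", next: "15.4.7", express: "4.19.2" };
console.log(auditResolved(sampleResolved)); // { react: 'affected', next: 'affected' }
```

Anything reported as "affected" should be upgraded as described above; "not-listed" only means the release line is not in the advisory's tables, so confirm it against the vendor's own release notes rather than treating it as safe.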
Support:
As always, please let us know if you have any questions or concerns or see unusual activity on your systems that you believe might be associated with this or any other vulnerability. Please send these communications to security.response@utoronto.ca.
