Critical Security Vulnerability in React Server Components (React2Shell) and How to Fix It


React has become one of the most widely used JavaScript libraries for building modern web applications. With the introduction of React Server Components (RSC), developers gained the ability to move rendering logic to the server, improving performance and reducing client-side JavaScript. However, with great power comes great responsibility—especially when security is involved.


In December 2025, the React core team disclosed a critical security vulnerability affecting React Server Components. Tracked as CVE-2025-55182 and commonly referred to as “React2Shell,” this vulnerability allows unauthenticated attackers to execute arbitrary code on the server. The severity of this issue is extremely high, with a CVSS score of 10.0, making it one of the most serious vulnerabilities ever discovered in the React ecosystem.

What Are React Server Components?

React Server Components are a modern React feature that allows components to run entirely on the server. Instead of sending that component code to the browser, the server sends a serialized representation of the rendered UI. This improves performance, reduces bundle size, and gives components direct server-side access to backend resources such as databases and internal APIs. Frameworks such as Next.js rely heavily on React Server Components for server-side rendering, streaming, and Server Functions (Server Actions).

Overview of the Vulnerability (CVE-2025-55182)

The vulnerability lies in how the React Server Components runtime deserializes incoming HTTP payloads sent to Server Function endpoints. The payload is decoded by React's own wire-format ("Flight") deserializer before any application code runs, and insufficient validation during that decoding lets a crafted request steer the server into executing attacker-controlled logic. Because the flaw sits in the runtime rather than in application code, an application is exposed as long as it ships a vulnerable react-server-dom-* package, whether or not it deliberately defines Server Functions of its own.

Key details:

  • Vulnerability Name: React2Shell
  • CVE ID: CVE-2025-55182
  • Severity: Critical (CVSS 10.0)
  • Attack Type: Remote Code Execution (RCE)
  • Authentication Required: No

An attacker does not need valid credentials or access tokens. Simply sending a specially crafted request to a vulnerable RSC endpoint is enough to gain code execution on the server.

Why This Vulnerability Is Extremely Dangerous

Remote Code Execution vulnerabilities are considered the most severe type of security flaw because they allow attackers to:

  • Execute arbitrary system commands
  • Install malware or cryptominers
  • Steal environment variables and secrets
  • Access databases and user data
  • Take complete control of the server

Security researchers have confirmed that this vulnerability is actively exploited in the wild. Cloud-hosted React and Next.js applications are especially at risk if they have not been patched.

Affected Packages and Versions

The vulnerability affects React Server Components-related packages, including:

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

Vulnerable versions of these packages:

  • 19.0.0
  • 19.1.0
  • 19.1.1
  • 19.2.0

Applications built with frameworks that bundle these packages are also affected. In particular, Next.js 15.x and 16.x ship their own copy of react-server-dom-*, so a Next.js application is vulnerable according to its Next.js version, even if no react-server-dom-* package appears in its own package.json.

How to Fix the Vulnerability (Permanent Solution)

1. Update React Server Component Packages

The React team has released patched versions that fully fix the vulnerability. Immediately update every react-server-dom-* package present in your dependency tree (you will normally have only the one matching your bundler):

npm install react-server-dom-webpack@latest
npm install react-server-dom-parcel@latest
npm install react-server-dom-turbopack@latest

After updating, confirm that the resolved version is the patched release for the minor line you are on:

  • 19.0.x: 19.0.1 or later
  • 19.1.x: 19.1.2 or later
  • 19.2.x: 19.2.1 or later

Verify with npm ls react-server-dom-webpack (or the parcel/turbopack variant) rather than by reading package.json, because the lockfile decides which version actually runs, and nested copies pulled in by other dependencies also need to be patched.

2. Update Frameworks Like Next.js

If you are using Next.js or any framework built on top of React Server Components, upgrade to a release that includes the patched React packages. For Next.js, the first patched releases are 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 and 16.0.7 (one per minor line, so you can patch without a major upgrade); Next.js 14 and earlier do not ship the affected packages.

Avoid pinning older versions of React, RSC packages, or the framework in your dependency tree, and check lockfile overrides and resolutions, which can silently hold a vulnerable version in place after an upgrade.

Temporary Mitigation Strategies

If you cannot update immediately, apply these short-term measures to reduce exposure:

  • Enable a Web Application Firewall (WAF) with the vendor's rules for this CVE to block known malicious payloads
  • Restrict access to RSC endpoints that are only used internally with network rules or authentication at the edge
  • Monitor server logs for unusual request patterns, in particular unexpected POST requests to Server Function endpoints
  • Remove Server Actions you do not need; this shrinks the attack surface, but it does not remove the vulnerable deserializer, so it is not a fix on its own

Note: These are temporary measures. A WAF can be bypassed by payload variations it has not seen, and none of the above removes the flaw. Updating is the only complete and safe fix.

How to Check If Your Application Is Vulnerable

  • Review your lockfile (package-lock.json, yarn.lock or pnpm-lock.yaml), not just package.json, for react-server-dom-* entries, including nested copies under other dependencies
  • Check your framework version (Next.js, or any other framework that bundles react-server-dom-* packages) against its advisory's patched releases
  • Scan your application with a dependency scanner (for example npm audit) that knows CVE-2025-55182
  • Inspect production logs for suspicious POST requests to Server Function endpoints, since exploitation may already have occurred before you patched

Best Practices to Prevent Similar Issues

  • Always keep React and framework dependencies updated
  • Avoid exposing unnecessary server endpoints
  • Use environment variable access carefully
  • Apply the principle of least privilege
  • Regularly audit your application for security vulnerabilities

Conclusion

The React2Shell vulnerability is a reminder that even the most trusted frameworks can contain critical security flaws. React Server Components provide powerful server-side capabilities, but they must be handled with care.

If your application uses React Server Components, updating immediately is not optional—it is essential. By applying patches, monitoring your systems, and following security best practices, you can protect your application and users from serious threats.

Staying informed and proactive about security is now a core responsibility of every React developer.
