Christian Adotey

React2Shell and the Follow‑Ups: CVE-2025-55182, CVE-2025-55183, CVE-2025-55184

December 2025 brought a critical RCE in React Server Components and two follow-up issues (DoS + source exposure). Here’s what happened, who’s affected (including Next.js App Router), and what to upgrade.


December 2025 shipped one of those “drop everything and patch” moments for the React + Next.js ecosystem.

Meta disclosed a critical remote code execution (RCE) issue in React Server Components (RSC) tracked as CVE-2025-55182 (commonly nicknamed React2Shell) — and then, as often happens after a major fix lands, researchers found follow‑up vulnerabilities while probing adjacent code paths: CVE-2025-55183 (source code exposure) and CVE-2025-55184 (denial of service).

This post is grounded in the official advisories from React, Next.js, NVD/CVE.org, and incident response notes from AWS.

TL;DR: If you run Next.js App Router (RSC / Server Actions) and your stack pulls in the vulnerable React Server Components runtime, upgrade immediately. If you already upgraded once early in the week, double-check — follow-up patches were required.

Why this hits Next.js apps especially hard

In modern Next.js (App Router), your app isn’t just “React on the client.” It uses React Server Components and often Server Actions (aka “Server Functions”). Those are server-side endpoints that accept requests, deserialize payloads, and execute on the server.

That means vulnerabilities in the RSC protocol and Server Function request handling can translate into real risk for production applications—especially those exposing App Router routes to the public internet.

CVE-2025-55182 (React2Shell): pre-auth RCE in React Server Components

What it is: A pre-authentication remote code execution vulnerability in React Server Components’ handling of Server Function request payloads.

Official description (CVE.org / NVD): the vulnerable code “unsafely deserializes payloads from HTTP requests to Server Function endpoints.”

Severity: CVSS 10.0 (Critical).
Upstream: React Server Components runtime packages such as:

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

Who’s affected (high level):

  • React RSC implementations in specific React 19 versions: 19.0, 19.1.0, 19.1.1, and 19.2.0
  • Frameworks/bundlers that depend on the affected packages, including Next.js, as stated by the React team

React’s advisory explicitly notes you can be vulnerable even if you don’t think you “use Server Functions” directly — supporting RSC can be enough.

Fix guidance

React's initial fixes for the critical RCE shipped in 19.0.1, 19.1.2, and 19.2.1 (source: React blog post from 2025‑12‑03). Those releases addressed the RCE itself but turned out to be incomplete overall: the follow-up vulnerabilities were not fully resolved in them.

Important: For complete protection, you must upgrade to the later patched versions (see below).

CVE-2025-55184: DoS via crafted RSC/Server Function payloads

What it is: A pre-auth denial of service issue where a malicious request can trigger an infinite loop (server hang / CPU burn) during deserialization.

Severity: CVSS 7.5 (High).

React’s follow-up post (2025‑12‑11) explains that the original DoS fix was incomplete, and that versions that looked “patched” in the first wave still had gaps. The incomplete fix was tracked as CVE-2025-67779, which covers the same DoS impact and is resolved by the final patches.

Fix guidance (important)

React recommends upgrading to 19.0.3, 19.1.4, or 19.2.3 (depending on your release line). (Source: React blog post from 2025‑12‑11.)

CVE-2025-55183: source code exposure in certain Server Function configurations

What it is: In certain configurations, a malicious request can cause a Server Function endpoint to return compiled source code of Server Functions.

Severity: CVSS 5.3 (Medium).

React notes the most serious risk here is if you have secrets hardcoded in source code, because such values can be inlined into the compiled output that this issue exposes. Secrets read at runtime from environment variables (e.g. process.env.SECRET) are a different category: the value itself is not part of the compiled source.

If you must handle secrets: prefer runtime env vars, secret stores, and keep secrets out of code paths that can be inlined.

What to upgrade (practical matrix)

React

From the React follow-up advisory:

  • Upgrade to 19.0.3 (if you’re on the 19.0.x line)
  • Upgrade to 19.1.4 (if you’re on the 19.1.x line)
  • Upgrade to 19.2.3 (if you’re on the 19.2.x line)

If you are on an affected 19.x release line, the safest move is to upgrade to the latest patched version for that line (for example, 19.2.3 if you are on 19.2.x).

Next.js

Even though these vulnerabilities originate upstream in React’s RSC runtime, Next.js App Router applications are impacted and Next.js shipped patched releases.

Per the Next.js security update (2025‑12‑11), upgrade to the following patched versions based on your release line:

  • next@14.2.35 (for Next.js 14.x series)
  • next@15.5.7 (for Next.js 15.x series)
  • next@16.0.10 (for Next.js 16.x series)

If you're on a different release line, follow the official Next.js advisory for the exact patched version to install.

Being on a patched next version does not automatically mean you're safe if your react/react-dom version is still on an affected release line.
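The matrix above translates into a quick dependency check. This is an added example, not code from the React or Next.js projects: it reads the versions a package.json declares, compares them with the patched releases listed in this post, and reports the stack as safe only when every RSC-related package is on a patched release. Release lines the post's matrix does not cover are reported as "not-in-matrix" rather than guessed at, and a version below the listed release for its line is flagged even if the official advisory carries a separate backport for that minor.

```javascript
// Added example (not React/Next.js project code): declared versions vs. the patched releases in this post.
const RSC_PKGS = ['react', 'react-dom', 'react-server-dom-webpack',
  'react-server-dom-parcel', 'react-server-dom-turbopack'];

// Patched minimum per release line, from the upgrade matrix above.
// `line` is [major] or [major, minor]; a version belongs to the line it matches.
const PATCH_MATRIX = [
  { pkgs: RSC_PKGS, line: [19, 0], fixed: '19.0.3' },
  { pkgs: RSC_PKGS, line: [19, 1], fixed: '19.1.4' },
  { pkgs: RSC_PKGS, line: [19, 2], fixed: '19.2.3' },
  { pkgs: ['next'], line: [14, 2], fixed: '14.2.35' },
  { pkgs: ['next'], line: [15],    fixed: '15.5.7' },
  { pkgs: ['next'], line: [16, 0], fixed: '16.0.10' },
];

// "^19.2.0" or "~19.2.0-canary.3" -> [19, 2, 0]. A range is read as its lower
// bound, which is conservative: confirm the resolved version in the lockfile.
function parseVersion(spec) {
  const m = String(spec).trim().match(/^[\^~=v]*(\d+)\.(\d+)\.(\d+)/);
  return m ? m.slice(1, 4).map(Number) : null;
}

function cmpVersion(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// "patched", "vulnerable" or "not-in-matrix" for one dependency.
function assess(pkg, spec) {
  const v = parseVersion(spec);
  const rule = v && PATCH_MATRIX.find(r =>
    r.pkgs.includes(pkg) && r.line.every((n, i) => v[i] === n));
  if (!rule) return 'not-in-matrix';
  return cmpVersion(v, parseVersion(rule.fixed)) >= 0 ? 'patched' : 'vulnerable';
}

// A patched `next` does not help while react/react-dom stay on an affected
// release, so a stack is "safe" only when every RSC-related package is patched.
function assessStack(deps) {
  const results = {};
  for (const [pkg, spec] of Object.entries(deps)) {
    if (RSC_PKGS.includes(pkg) || pkg === 'next') results[pkg] = assess(pkg, spec);
  }
  const by = s => Object.keys(results).filter(p => results[p] === s);
  const vulnerable = by('vulnerable'), unknown = by('not-in-matrix');
  return { results, vulnerable, unknown, safe: !vulnerable.length && !unknown.length };
}

// Constructed package.json dependencies: next already upgraded, React not yet.
const sampleDeps = { next: '15.5.7', react: '^19.2.0', 'react-dom': '^19.2.0' };
console.log(assessStack(sampleDeps));
```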

Detection & incident response notes

AWS's write-up on active exploitation highlights a few practical signals defenders can look for:

  • Suspicious POST requests with headers like next-action or rsc-action-id
  • Payload patterns like $@ and "status":"resolved_model"
  • Unexpected process execution (whoami, id) and file writes in /tmp

These are not perfect detectors (attackers adapt), but they’re useful breadcrumbs while you patch and review logs.
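One way to turn the first two signals into a log triage pass, as an added example that is not the AWS detection logic. The record shape (method, path, headers, body) and the sample records are constructed; the score weights are a choice for illustration. The important nuance it encodes is that a next-action header is present on every legitimate Server Action call, so it only counts as context until a payload marker appears alongside it.

```javascript
// Added example, not the AWS detection logic: scores HTTP request log records
// against the indicators above. Record shape and sample records are constructed.
const ACTION_HEADERS = ['next-action', 'rsc-action-id'];
const PAYLOAD_MARKERS = ['$@', '"status":"resolved_model"'];
const FLAG_THRESHOLD = 3;

// A Server Function header alone is normal traffic for any App Router app that
// uses Server Actions, so it scores 1 (context); each payload marker scores 2
// (evidence). Header + marker, or both markers together, reaches the threshold.
function scoreRecord(rec) {
  const reasons = [];
  if ((rec.method || '').toUpperCase() !== 'POST') return { score: 0, reasons };
  const headers = Object.fromEntries(
    Object.entries(rec.headers || {}).map(([k, v]) => [k.toLowerCase(), v]));
  const actionHeader = ACTION_HEADERS.find(h => h in headers);
  if (actionHeader) reasons.push(`header ${actionHeader}=${headers[actionHeader]}`);
  let score = reasons.length;
  const body = typeof rec.body === 'string' ? rec.body : JSON.stringify(rec.body ?? '');
  for (const m of PAYLOAD_MARKERS) {
    if (body.includes(m)) { reasons.push(`body contains ${m}`); score += 2; }
  }
  return { score, reasons };
}

// Records worth an analyst's time, highest score first.
function triage(records) {
  return records
    .map((rec, i) => ({ index: i, path: rec.path, ...scoreRecord(rec) }))
    .filter(r => r.score >= FLAG_THRESHOLD)
    .sort((a, b) => b.score - a.score);
}

// Constructed sample records (not real traffic).
const sampleLog = [
  { method: 'GET',  path: '/', headers: {}, body: '' },
  // Ordinary Server Action call: action header present, benign form payload.
  { method: 'POST', path: '/account', headers: { 'Next-Action': '7f3a' },
    body: '[{"displayName":"Ada"}]' },
  // Action header plus both payload markers from the indicator list.
  { method: 'POST', path: '/', headers: { 'Next-Action': '7f3a' },
    body: '{"status":"resolved_model","value":"$@1"}' },
  // No action header, but both payload markers together.
  { method: 'POST', path: '/api/x', headers: {},
    body: '{"value":"$@1","status":"resolved_model"}' },
];
console.log(triage(sampleLog));
```

The third bullet (unexpected process execution and writes to /tmp) is a host-level signal and belongs in endpoint or container telemetry rather than in this HTTP-log pass.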

References (primary sources)

  • React (Dec 3, 2025): https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
  • React (Dec 11, 2025): https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
  • CVE.org records:
    • https://www.cve.org/CVERecord?id=CVE-2025-55182
    • https://www.cve.org/CVERecord?id=CVE-2025-55183
    • https://www.cve.org/CVERecord?id=CVE-2025-55184
  • NVD entries:
    • https://nvd.nist.gov/vuln/detail/CVE-2025-55182
    • https://nvd.nist.gov/vuln/detail/CVE-2025-55183
    • https://nvd.nist.gov/vuln/detail/CVE-2025-55184
  • Next.js security update (Dec 11, 2025): https://nextjs.org/blog/security-update-2025-12-11
  • oss-security mirror post: http://www.openwall.com/lists/oss-security/2025/12/03/4
  • AWS Security Blog (active exploitation notes): https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/