A critical security vulnerability has been disclosed in the popular React web development library and in frameworks built on it, such as Next.js, that can let an attacker take full control of affected servers. The flaw, nicknamed React2Shell and officially tracked as CVE-2025-55182, was given the maximum severity rating of 10.0.
The issue was discovered and responsibly reported by security researcher Lachlan Davidson (with assistance from Sylvie Mayer) to the Meta team on November 29, 2025. Patches were swiftly released by React and Vercel on December 3, 2025.
What is the Problem?
According to Davidson’s research, the problem lies in React Server Components (RSC), which exchange data between client and server using a communication method known as the Flight protocol. RSC allows parts of a page to be rendered on the server rather than in the browser, which speeds up applications. The vulnerability is an insecure deserialization flaw: the server decodes a specially crafted Flight message from the client without properly validating its contents before acting on them.
As a result, an attacker can send a single, custom-made HTTP request, with no login credentials of any kind, and make the server execute code of their choosing, achieving unauthenticated Remote Code Execution (RCE). The attack works reliably against the default configurations of vulnerable Next.js applications.
Next.js had initially issued its own identifier, CVE-2025-66478. However, the US National Vulnerability Database (NVD) correctly marked it as a duplicate of the main React issue. Davidson explained that the separate number was issued because “Next.js does not include React as a traditional dependency… they bundle it ‘vendored.’” This made the second CVE helpful for alerting, because standard dependency scanners look for a direct `react` dependency and so sometimes do not recognise a Next.js application as vulnerable.
Exploitation Underway, Risk is High
Public exploit code is already available, and major security companies including Wiz Research, Amazon Threat Intelligence, and Datadog have confirmed active exploitation since December 5, targeting internet-facing Next.js applications and Kubernetes containers.
Researchers agree the attacks are financially motivated. Wiz Research, for example, observed threat actors stealing sensitive cloud credentials (including attempts to exfiltrate AWS data) and deploying cryptocurrency mining malware. Disturbingly, Wiz data indicates that 39% of all cloud environments contain instances running vulnerable React or Next.js versions.
Immediate Patching is the Only Fix
The vulnerability affects React versions in the 19.x range and several Next.js versions using the App Router. The only definitive fix is to update immediately to the patched releases. For React, this means moving to version 19.0.1, 19.1.2, or 19.2.1, depending on the minor line in use. For Next.js, the fixed releases include 15.0.5 and 16.0.7; each affected Next.js minor line has its own fixed release, so check the Next.js advisory for the one matching your installation.
It is worth noting that any framework that bundles these components (such as RedwoodSDK or Waku) is also affected. Major providers including AWS, Cloudflare, and Vercel have deployed WAF rules, but these protections are a stopgap, not a substitute for patching.
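Because Next.js vendors its own copy of React, an audit that only looks at the top-level `react` dependency can miss the vulnerable code. The following is an added example, not code from the article or from the React or Next.js projects: a small Node.js audit that walks a set of installed `package.json` files, including the vendored copy, and classifies each React or Next.js version against the patched releases the article names. The fixed-version table contains only the versions the article lists (the Next.js list is therefore incomplete and should be extended from the vendor advisory), the `node_modules/next/dist/compiled/react` path is an assumption about where Next.js keeps its vendored React, and the sample tree is constructed in memory so the script runs offline.

```javascript
// Added example: audit installed React / Next.js versions against the patched
// releases named in the article. Not part of the original page or of the
// React / Next.js projects.

// Patched releases as listed in the article. The Next.js entries cover only the
// two versions the article names; add the fixed release for every other 15.x
// minor line from the Next.js advisory before relying on this in production.
const FIXED_IN = {
  react: ['19.0.1', '19.1.2', '19.2.1'],
  next: ['15.0.5', '16.0.7'],
};

// Major versions the article puts in scope. React is stated as "19.x", so
// anything below is reported as not affected. The article describes the
// Next.js scope only as "App Router" versions, so no assumption is made there
// and unlisted Next.js lines are reported as unknown.
const AFFECTED_MAJORS = { react: [19] };

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Semver-style ordering: numeric parts first; a prerelease sorts below the
// corresponding release (19.2.1-canary.1 < 19.2.1).
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// Classify one installed version: patched, vulnerable, not_affected, or
// unknown (a line the table does not cover; check the advisory).
function assess(pkg, installed) {
  const v = parseVersion(installed);
  const fixed = (FIXED_IN[pkg] || []).find((f) => {
    const p = parseVersion(f);
    return p.major === v.major && p.minor === v.minor;
  });
  if (fixed) {
    const ok = compareVersions(installed, fixed) >= 0;
    return { status: ok ? 'patched' : 'vulnerable', fixedIn: fixed };
  }
  const majors = AFFECTED_MAJORS[pkg];
  if (majors && !majors.includes(v.major)) return { status: 'not_affected', fixedIn: null };
  return { status: 'unknown', fixedIn: null };
}

// Walk a map of package.json path -> parsed contents. A real run would read
// these from node_modules; here the tree is passed in. The vendored-React
// location under next/dist/compiled is an assumption.
function auditTree(tree) {
  const report = [];
  for (const [path, pkgJson] of Object.entries(tree)) {
    const name = pkgJson.name;
    if (!FIXED_IN[name]) continue; // only packages we have a table for
    const vendoredBy = /(^|\/)node_modules\/next\/dist\/compiled\//.test(path) ? 'next' : null;
    report.push({ path, name, version: pkgJson.version, vendoredBy, ...assess(name, pkgJson.version) });
  }
  return report;
}

// Constructed sample tree (not real data): top-level React is patched, but the
// Next.js install and the React copy it vendors are not.
const SAMPLE_TREE = {
  'node_modules/react/package.json': { name: 'react', version: '19.2.1' },
  'node_modules/next/package.json': { name: 'next', version: '15.0.4' },
  'node_modules/next/dist/compiled/react/package.json': { name: 'react', version: '19.2.0' },
  'node_modules/some-lib/node_modules/react/package.json': { name: 'react', version: '18.3.1' },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of auditTree(SAMPLE_TREE)) {
    const where = r.vendoredBy ? ` (vendored by ${r.vendoredBy})` : '';
    const fix = r.fixedIn ? ` fix: ${r.fixedIn}` : '';
    console.log(`${r.status.padEnd(12)} ${r.name}@${r.version}${where}${fix}  ${r.path}`);
  }
}
```

Run against a real project by replacing `SAMPLE_TREE` with the contents of every `package.json` under `node_modules` whose `name` is `react` or `next`; the point of walking nested paths is that the vendored copy inside the Next.js package, and any second React copy pulled in by a transitive dependency, get reported alongside the top-level one rather than being masked by it.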
Expert Commentary
In comments shared exclusively with Hackread.com, security experts emphasised that this flaw exposes a fundamental risk in modern web architecture.
Jason Soroko, Senior Fellow at Sectigo, highlighted the growing risk in modern web design, “The React Flight flaw is a reminder that the line between front end and back end has effectively disappeared, even if organizational charts have not caught up… Developers adopted React Server Components to make interfaces feel faster and cut server costs, but in practice, they gave a simple user interface library direct power to run code on the server, right at the internet’s edge.”
Soroko concluded that the ease of exploiting default Next.js configurations means this is “not a niche misconfiguration story but a framework-level design problem.”
Deividas Lavrik, Senior Software Engineer and Vulnerability Analyst at Black Duck, confirmed the widespread scope, noting that popular frameworks such as Next.js, React Router, Expo, Waku, and Redwood SDK are affected, “powering millions of production applications worldwide.”
Lavrik stressed the urgency of remediation, stating, “Patches are available, and given the unauthenticated nature of exploitation along with its critical severity, patching should be treated as an emergency priority.”