React2Shell Vulnerabilities — What to do?

Murtuzaali Surti

React2Shell (CVE-2025-55182) is a critical vulnerability reported by Lachlan Davidson on November 29th, 2025. It carries a CVSS score of 10.0 (the maximum on the 0-10 scale) and is a pre-authentication remote code execution (RCE) vulnerability: the vulnerable RSC (React Server Components) code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

In simple words, an attacker can send a specially crafted HTTP request to a Server Function endpoint and execute arbitrary code on the server, with no authentication required.

CAUTION

Even if you are not actively using React Server Components yourself, your application is still vulnerable to the React2Shell vulnerabilities if it bundles third-party packages that support React Server Components, because the affected code is still present in your bundle.

Several further vulnerabilities came to light after the initial discovery of the main React2Shell vulnerability (CVE-2025-55182). Here is a list of all currently known React2Shell-linked vulnerabilities.

Currently Known React2Shell Vulnerabilities

  1. CVE-2025-55182 - The first RCE vulnerability discovered, dubbed React2Shell.

    • CVSS Score: 10.0 (Critical)
    • Published on: 3rd December, 2025
    • Description - A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
  2. CVE-2025-55183 - Information leak: a crafted request unsafely returns the source code of a Server Function.

    • CVSS Score: 5.3 (Medium)
    • Published on: 11th December, 2025
    • Description - An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument.
  3. CVE-2025-55184 - Denial of service: deserializing an unsafe payload causes an infinite loop that hangs the server process.

    • CVSS Score: 7.5 (High)
    • Published on: 11th December, 2025
    • Description: A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
  4. CVE-2025-67779 - Incomplete fix: the patch for CVE-2025-55184 does not prevent the denial of service in one specific case.

    • CVSS Score: 7.5 (High)
    • Published on: 11th December, 2025
    • Description: It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.

Original POC by Lachlan Davidson - React2Shell-CVE-2025-55182-original-poc

Affected Packages

  1. Next.js - All versions from 15.0.0 through 16.0.6, as well as Next.js 14 canaries after 14.3.0-canary.76.
  2. react-server-dom-webpack - 19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.1.3, 19.2.0, 19.2.1, 19.2.2
  3. react-server-dom-parcel - 19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.1.3, 19.2.0, 19.2.1, 19.2.2
  4. react-server-dom-turbopack - 19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.1.3, 19.2.0, 19.2.1, 19.2.2
  5. @vitejs/plugin-rsc - upgrade to latest

If you are using React Router's unstable RSC APIs, Redwood SDK, or Waku, check the packages listed above and upgrade them to their latest patched versions.

If you are unsure whether your application contains these vulnerable packages, you can use a vulnerability scanner or open source npm packages that detect them in your application. Two such open source packages are:

Conclusion

The only way to get rid of these React2Shell vulnerabilities is to upgrade the vulnerable packages in your application to their latest patched versions. This is still a developing story and, although one hopes not, further vulnerabilities may emerge, so keep an eye on this space for a while.
