
The React team has published a security advisory for a critical Remote Code Execution (RCE) vulnerability in React Server Components (RSC). Officially tracked as CVE-2025-55182, and already going by the nickname “React2Shell” in the community, the issue is rated CVSS 10.0.
If you are running an app with React Server Components, you need to patch immediately.
What is the vulnerability?
On December 3rd, 2025, the React team disclosed an unauthenticated RCE flaw. The issue lies in how React deserializes the payloads sent to Server Function endpoints.
Technically, React Server Functions let client code call a function that runs on the server. The call goes over the wire as an HTTP request whose body carries the serialized arguments; the server deserializes that body and then invokes the function. Because the body is attacker-controlled, a crafted payload can make that deserialization step execute arbitrary code on the server.
Here is the important part: you might be vulnerable even if you aren’t writing any Server Functions yourself. The decoding happens before the request reaches your own code, so if your application runs on a framework or bundler that supports React Server Components (Next.js, Waku, React Router’s RSC support, or a bundler plugin such as the Parcel or Turbopack ones), the attack surface exists.
The vulnerability affects versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack.
How to Fix It
The fix shipped in versions 19.0.1, 19.1.2, and 19.2.1 of those packages. How you pick it up depends on your framework, because some frameworks bundle their own copy of React rather than depending on these packages directly.
Next.js
Most users will likely be patching via Next.js. You need to upgrade to the latest patch version for your release line.
Run the install command matching your major/minor version:
# Next.js 15.0.x
npm install next@15.0.5
# Next.js 15.1.x
npm install next@15.1.9
# Next.js 15.2.x
npm install next@15.2.6
# Next.js 15.3.x
npm install next@15.3.6
# Next.js 15.4.x
npm install next@15.4.8
# Next.js 15.5.x
npm install next@15.5.7
# Next.js 16.0.x
npm install next@16.0.7
If you are using a Canary release (v14.3.0-canary.77 or later), you must downgrade to the stable v14 release:
npm install next@14
Other Frameworks & Manual Setups
If you are using React Router, Waku, or a manual setup using the react-server-dom packages, you need to pull the latest core packages.
General / Manual Setup:
npm install react@latest react-dom@latest react-server-dom-webpack@latest
(Note: Swap webpack for parcel or turbopack if that is what your bundler uses).
React Router: Upgrade your react, react-dom, and @vitejs/plugin-rsc packages to @latest.
RedwoodJS: Ensure you are on rwsdk version 1.0.0-alpha.0 or higher, or just grab the latest beta.
Summary
This vulnerability was reported by Lachlan Davidson through the Meta Bug Bounty program on November 29th. Some hosting providers have deployed temporary mitigations at the infrastructure level, but those are stopgaps, not a fix. This is a code-level deserialization issue in the React packages themselves, and the only safe path forward is updating your dependencies today.
Check your package.json, run your updates, and deploy.