CVE-2025-55182 - Your Quick Patch for React2Shell Guide
You’re building a cool web app with React, one of the most popular tools out there. Millions of sites use it, including big ones with Next.js. Recently, a critical security vulnerability called React2Shell (CVE-2025-55182) hit the headlines, scoring a perfect 10/10 on the danger scale.
It involves how React handles data in Server Components, potentially allowing attackers to run unauthorized code on your server. While patches were released quickly, many apps remained vulnerable in the hours and days following the disclosure.
Although this article comes a few weeks after the initial December 3rd disclosure, the risk remains for any unpatched systems. If you haven’t updated yet, now is the time.
In this article, I’ll explain what React2Shell really is, who it affects, how attackers use it, and – most importantly – what you need to do right now to stay safe.
What is React2Shell?
React2Shell is the nickname for a very serious security bug in React, officially called CVE-2025-55182.
In simple words: it lets hackers run any code they want on your server, just by sending a special request from the internet. They don’t need a username, password, or any permission. This is called remote code execution, or RCE, and it’s one of the worst kinds of vulnerabilities.
The problem is in a feature called React Server Components (RSC). These are parts of your React app that run on the server instead of in the user’s browser. Many modern apps – especially those built with Next.js – use them because they make websites faster and better for SEO.
React uses something called the “Flight” protocol to send data between the browser and the server. When the browser sends information back (like form data or actions), the server has to read and trust that information. The bug is here: React was too trusting and didn’t check the data properly. A hacker can hide bad code inside that data, and when the server reads it, the bad code runs.
That’s why it’s called React2Shell – because attackers can quickly turn a normal React app into a “shell” they control, just like having full access to the server.
This bug got a danger score of 10.0 out of 10.0 – the highest possible – because it’s easy to use, works from anywhere, and gives complete control.
It mainly affects:
- React version 19 (some releases)
- Next.js versions 15 and 16 that use the App Router
- Other frameworks that use React Server Components, like Waku or Remix
If your app is pure client-side React (no server components), you’re not affected by this bug. However, since most modern frameworks enable server components by default, it’s worth double-checking.
How to Check If You’re Affected
The bug lives in the specific npm packages that handle the server part of RSC:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Many frameworks like Next.js pull these in automatically.
Here’s how to check quickly:
- Go to your project folder in the terminal.
- Run this command to list any of those packages:
npm ls react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack
If it shows nothing or says “empty”, great – you probably don’t have them, so you’re not affected.
If it lists versions like 19.0.0, 19.1.0, 19.1.1, or 19.2.0 – you’re vulnerable and need to update right away.
If you’re using Next.js (most common case), also check your Next.js version:
npm ls next
Vulnerable Next.js versions include most of 15.x and 16.x before the patches (for example 15.0.0 up to an early 15.x release, or 16.0.0 to 16.0.6).
If you use tools like npm audit, GitHub Dependabot, or Snyk, they should flag this CVE too.
Bottom line: Run that npm ls command first. If those react-server-dom-* packages show up in bad versions, patch now – we’ll cover how in the next section!
How to Fix React2Shell
Good news: The fix is simple and straightforward – just update your packages to the patched versions. The React and Next.js teams released fixes on the same day the bug was announced (December 3, 2025), and there have been a few follow-up patches for related issues.
The best and easiest way, especially if you’re using Next.js (which most people are), is to use a free tool made by Vercel.
Quick Fix for Next.js Apps (Recommended)
In your project folder, open the terminal and run:
npx fix-react2shell-next@latest
That’s it! This tool will:
- Scan your whole project (even if it’s a big monorepo with many package.json files)
- Check for vulnerable versions of Next.js and the react-server-dom-* packages
- Tell you what’s wrong
- Ask if you want to fix it automatically
- Update your package.json files to safe versions
- Refresh your lockfile (works with npm, yarn, pnpm, or bun)
It bumps to the exact patched versions recommended by the official advisories, including the latest ones for the extra bugs found later (like denial of service and source code leaks).
After it finishes, run your normal install command (like npm install or pnpm install), test your app, commit the changes, and redeploy.
If You’re Not Using Next.js (Pure React or Other Frameworks)
Update these packages manually in your package.json:
- react-server-dom-webpack - Should be 19.0.3 or higher
- react-server-dom-parcel - Should be 19.1.4 or higher
- react-server-dom-turbopack - Should be 19.2.3 or higher
- react / react-dom - If they’re direct dependencies
Then run your package manager install command.
You can check the official React blog for the exact list.
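Putting the check from the “How to Check If You’re Affected” section together with the minimum versions listed above, here is an added script (my example, not code from the article, React or Next.js). It reads the JSON form of npm ls (the article’s own command with --json added, or npm ls --all --json for the full tree), walks every nesting level so copies pulled in transitively by Next.js are found, and flags any react-server-dom-* version that is on the article’s vulnerable list or below the minimum it states. The file name check-react2shell.js and the project and dev tool in the constructed sample tree are assumptions.

```javascript
// Added example, not code from the article, React or Next.js. Walks the JSON
// form of the article's check and flags every react-server-dom-* package it
// finds, transitive ones included (Next.js pulls them in indirectly).
// Vulnerable versions and per-package minimum patched versions as the article
// lists them; cross-check both against the official React advisory.
const KNOWN_VULNERABLE = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
const MIN_PATCHED = {
  "react-server-dom-webpack": "19.0.3",
  "react-server-dom-parcel": "19.1.4",
  "react-server-dom-turbopack": "19.2.3",
};

// Numeric "major.minor.patch" compare; a "-canary..." suffix is dropped, so a
// pre-release counts as older than the release it precedes (conservative).
function cmpVersion(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split("-")[0].split(".").map(Number));
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively collect every affected package with the path that pulled it in.
function findRscPackages(tree, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version || "?"}`];
    if (name in MIN_PATCHED && node.version) {
      const base = node.version.split("-")[0];
      const vulnerable = KNOWN_VULNERABLE.has(base) || cmpVersion(base, MIN_PATCHED[name]) < 0;
      out.push({ name, version: node.version, vulnerable, path: here.join(" > ") });
    }
    findRscPackages(node, here, out); // deduped nodes simply have no children
  }
  return out;
}

// Constructed sample of `npm ls --all --json` output for a Next.js app.
const SAMPLE_TREE = { name: "my-app", version: "1.0.0", dependencies: {
  next: { version: "16.0.0", dependencies: {
    "react-server-dom-webpack": { version: "19.2.0" },
    "react-server-dom-turbopack": { version: "19.2.0" } } },
  "some-dev-tool": { version: "2.0.0", dependencies: {
    "react-server-dom-parcel": { version: "19.1.4" } } } } };
// Real run: `npm ls --all --json > tree.json`, then `node check-react2shell.js tree.json`.
if (typeof require !== "undefined" && require.main === module && process.argv[2]) {
  const found = findRscPackages(JSON.parse(require("node:fs").readFileSync(process.argv[2], "utf8")));
  for (const p of found) console.log(`${p.vulnerable ? "VULNERABLE" : "ok"}  ${p.path}`);
  process.exitCode = found.some((p) => p.vulnerable) ? 1 : 0; // non-zero fails CI
}
```

Against the constructed sample it reports both 19.2.0 copies under next as VULNERABLE and the 19.1.4 parcel package as ok, which is the same verdict the article’s version lists give by hand.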
After Patching
- Redeploy your app - The fix only takes effect once the patched version is actually running on your server.
- Rotate secrets - If your app was online and vulnerable before you patched (especially before early December), assume hackers might have gotten in. Change all important secrets like database passwords, API keys, JWT secrets, etc.
- Extra protection - If you’re on Vercel, AWS, Cloudflare, or similar, they might have automatic blocks (WAF rules) for known attacks. But patching is the only full fix.
That’s all! Updating takes just minutes, and it stops the danger completely. If you run into any issues, check the React or Next.js docs – they’re super clear on this. Stay safe out there!