Urgent Patch Required: React2Shell Vulnerability in React and Next.js
integrationWorks
React & Next.js security gap: Recognizing risks and protecting systems
React and frameworks based on it, such as Next.js, have become indispensable in modern web development. They form the technological basis for numerous single-page applications, company portals, e-commerce sites and cloud applications. However, a critical security vulnerability was recently discovered in React Server Components that poses a significant risk to server-side applications.
What is the React2Shell vulnerability?
The vulnerability, which became known as "React2Shell" (CVE-2025-55182), affects React Server Components (RSC) and thus all systems that use server rendering or server-side components. Security researchers rate the vulnerability with the highest possible severity on the CVSS scale (10.0), as attackers can achieve remote code execution (RCE) without authentication.
In concrete terms, this means that a specially crafted HTTP request sent to a vulnerable server environment can lead to arbitrary code being executed on the server - with all the potential consequences, from data loss and system takeover to persistent malware installation.
Why does this affect so many systems?
React and Next.js are widely used by startups and large enterprises alike. Estimates show that up to 39% of all cloud environments contain applications running the affected versions.
As many projects use the standard configuration, the vulnerability is often exploitable without any additional preconditions. Frameworks that implement the RSC "Flight" protocol are particularly affected - including Next.js as well as various build tools and bundler plugins.
Specific risks for companies
A successful attack on this vulnerability can mean the following:
- Remote Code Execution - attackers can execute arbitrary code on the server.
- Data compromise - access to databases, user information or internal APIs.
- System takeover - persistent control over your infrastructure.
- Reputational and operational damage - downtime, loss of customers or legal consequences.
What can you do now?
1. Apply updates immediately
Both React (Server Components) and Next.js have already released patched versions. The affected React packages have been fixed in versions such as 19.0.1, 19.1.2 or 19.2.1; Next.js has made patched releases available.
2. Check apps and frameworks
Check your systems to see whether React Server Components or the Next.js App Router are in use in affected versions. Also check dependent tools such as bundler plugins (e.g. Vite RSC, Parcel).
3. Keep security heightened
Deploy web application firewalls (WAF), increase logging and monitoring, and consider network policies to temporarily reduce the attack surface until the update is in place.
4. Have contingency plans ready
If an incident has already occurred, assume a possible compromise: redeployment, credential rotation, extensive forensics and incident response are then necessary.
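An added example for step 2 above (not code from this post or from the React/Next.js projects): a small Node.js script that audits a parsed package-lock.json for React Server Components packages still below the fixed releases named in step 1. The package names in RSC_PACKAGES, the sample lockfile and the nested plugin path are assumptions constructed for illustration.

```javascript
// Added example (not code from the original post): audit an npm lockfile
// (lockfileVersion 2/3) for React Server Components packages installed below
// the fixed releases the post names. RSC_PACKAGES and SAMPLE_LOCK are assumed
// illustration values; point the audit at your own parsed package-lock.json.

// Fixed release per minor line, as stated in the post.
const FIXED_BY_MINOR = { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' };
// Assumed names of the RSC packages to audit; extend to what your app installs.
const RSC_PACKAGES = ['react-server-dom-webpack', 'react-server-dom-parcel',
                      'react-server-dom-turbopack'];

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: m.slice(1, 4).map(Number), prerelease: Boolean(m[4]) };
}

// 'vulnerable' if below the fix for its minor line, 'fixed' if at or above it,
// 'unknown' for other lines or prerelease/canary builds (review those manually).
function classifyVersion(version) {
  const { nums, prerelease } = parseVersion(version);
  const fixed = FIXED_BY_MINOR[`${nums[0]}.${nums[1]}`];
  if (!fixed || prerelease) return 'unknown';
  return nums[2] < parseVersion(fixed).nums[2] ? 'vulnerable' : 'fixed';
}

// Walks every installed copy, nested node_modules included, and returns
// { path, name, version, status } for each RSC package found.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!RSC_PACKAGES.includes(name) || !entry.version) continue;
    findings.push({ path, name, version: entry.version,
                    status: classifyVersion(entry.version) });
  }
  return findings;
}

// Constructed lockfile: a fixed top-level copy, a vulnerable copy nested under
// a hypothetical bundler plugin, and a canary build that needs manual review.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  'node_modules/react-server-dom-webpack': { version: '19.1.2' },
  'node_modules/rsc-plugin/node_modules/react-server-dom-parcel': { version: '19.0.0' },
  'node_modules/react-server-dom-turbopack': { version: '19.2.0-canary-123' },
} };

// Stand-alone run over the sample; pass your parsed package-lock.json instead.
for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  ${f.path}`);
}
```

Nested copies matter because a bundler plugin can pin its own older RSC package even after the top-level dependency is updated.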
Conclusion: Security is not a "nice-to-have"
The React2Shell vulnerability shows once again that even modern frameworks can be critically vulnerable - and that regular updates, monitoring and systematic management of dependencies are absolutely essential. For companies with cloud-based front-ends or server-side components, a quick patch is not only recommended, but essential to protect data, systems and business continuity.
If you have any questions about assessing your landscape, minimizing risk or professionally implementing patches and security controls, please contact us.
Sources and further links
- Critical security vulnerability in React Server Components and Next.js - Golem.de
- Details on the React2Shell vulnerability and recommended measures - gopher.security
- Security updates and patch information (React/Next.js) - react.dev