AIPaths Academy
December 9, 2025
5 min read
React2Shell: Critical Next.js Vulnerability You Need to Patch Now
A critical security vulnerability called React2Shell (CVE-2025-55182) has been discovered in React Server Components, affecting Next.js versions 15 through 16. If you're running a Next.js application in production, you need to check your version and patch immediately.
This isn't a theoretical risk—the vulnerability allows remote code execution through specially crafted requests. Your servers could be compromised.
What you'll learn:
- What React2Shell is and why it's critical
- How to check if your application is affected
- Step-by-step remediation guide
- Additional security measures to implement
Time to read: 5 minutes
Urgency: High - patch immediately if affected
What Is React2Shell?
React2Shell (CVE-2025-55182) is a critical vulnerability in React Server Components that enables remote code execution (RCE) under specific conditions. Attackers can send specially crafted requests that bypass intended security boundaries, potentially gaining full control of your server.
Why This Is Serious
Remote code execution is one of the most severe vulnerability types. An attacker exploiting React2Shell could:
- Execute arbitrary commands on your server
- Access environment variables including API keys and database credentials
- Read and modify files on your system
- Pivot to other systems in your infrastructure
- Exfiltrate sensitive data from your application
The vulnerability affects React Server Components broadly, meaning any framework using them could be at risk.
Affected Versions
| Framework | Affected Versions |
|---|---|
| Next.js | 15.0.0 through 16.0.6 |
| Next.js Canaries | 14.3.0-canary.76 and later |
The following packages are also affected:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Safe versions: Next.js 15.3.6+ and 16.0.7+
How to Check If You're Affected
Method 1: Browser Console
Load your application and open the browser developer tools. In the console, run:
next.version
This will output your Next.js version.
Method 2: Check package.json
Look at the "next" entry in your package.json file:
{
  "dependencies": {
    "next": "15.2.3"
  }
}
If your version falls within the affected range (15.0.0 - 16.0.6), you need to patch immediately. Keep in mind that package.json often declares a range such as ^15.2.3 rather than an exact version; the version actually installed in node_modules (see Method 4) is the one that matters.
Method 3: Vercel Dashboard
If you're deployed on Vercel, check your dashboard. Affected production deployments will display a warning banner alerting you to the vulnerability.
Method 4: CLI Check
Run this command in your project directory:
npm list next
Or for yarn:
yarn why next
Remediation Steps
Step 1: Upgrade Next.js
The fastest fix is upgrading to a patched version: 15.3.6 if you're on the 15.x line, or 16.0.7 if you're on 16.x (substitute next@16.0.7 in the commands below).
Using npm:
npm install next@15.3.6
Using yarn:
yarn add next@15.3.6
Using the automated fix tool:
npx fix-react2shell-next
This tool automatically updates your Next.js version and related dependencies.
Step 2: Test Your Application
Before deploying, verify your application works correctly:
npm run build
npm run start
Run your test suite to catch any breaking changes:
npm test
Step 3: Deploy Immediately
Once tests pass, deploy to production as soon as possible:
# For Vercel
vercel --prod
# For other platforms
npm run build && npm run deploy
Every minute your unpatched application is live is a window for potential exploitation.
Step 4: Rotate All Secrets
This step is critical. If your application was exposed while vulnerable, assume your secrets may have been compromised:
- Rotate API keys - regenerate all third-party API keys
- Change database credentials - update database passwords
- Rotate JWT secrets - invalidate existing tokens
- Update OAuth credentials - regenerate client secrets
- Change encryption keys - if you use custom encryption
Update your environment variables in all environments (development, staging, production).
Step 5: Audit Access Logs
Review your server logs for suspicious activity:
- Unusual POST requests to Server Component endpoints
- Unexpected function timeouts
- Error patterns indicating exploitation attempts
- Requests from unexpected IP ranges
Additional Security Measures
Enable Vercel WAF Rules
If you're on Vercel, enable Web Application Firewall rules. Vercel has deployed specific rules to detect and block known React2Shell exploit patterns.
Review Shareable Links
Audit any preview deployment links you've shared. These could have been exposed to the vulnerability as well.
Enable Standard Protection
For non-production deployments, enable Vercel's Standard Protection to add an extra layer of security.
Monitor for Indicators of Compromise
Set up alerts for:
- New user accounts you didn't create
- Unexpected outbound network connections
- Modified files in your deployment
- Unusual resource usage patterns
Conclusion
React2Shell is a serious vulnerability that requires immediate action. Don't delay patching—the exploitation risk is real and the fix is straightforward.
Key takeaways:
- Upgrade to Next.js 15.3.6+ or 16.0.7+ immediately
- Rotate all application secrets after patching
- Monitor logs for signs of exploitation
- Enable additional security measures like WAF rules
What's Next?
- Check your version right now - don't finish this article first
- Patch and deploy within the hour if you're affected
- Rotate secrets even if you're unsure about exposure
- Share this with your team - they may have affected projects too
Further Reading
- Vercel Security Bulletin - React2Shell
- Next.js Security Advisories
- React Server Components Documentation
Is your team affected? Share this post to help others patch quickly. Security is a community effort.
Questions about the vulnerability? Open an issue on GitHub and we'll help clarify.