Emerging Threat

React2Shell: Emerging Threat published on Risk Ledger

Summary

A critical vulnerability (CVE-2025-55182) has been identified in the JavaScript library React, and several React-based frameworks and bundlers such as Next.js. This vulnerability has been given the maximum CVSS base score of 10.0 (Critical) and allows remote code execution enabling an attacker to take full control over the system.

Threat Description

  • This vulnerability allows for unauthenticated remote code execution (RCE) on the server through insecure deserialisation. Exploitation requires only a crafted HTTP request. Due to the high severity and the ease of exploitation, immediate patching is required.
  • The threat was first disclosed by the React team on 3rd December 2025 after an external security researcher reported their finding on 29th November 2025.
  • Any framework or library using the affected react-server-dom-* packages is likely affected, as the vulnerability is present in default configurations. This includes popular libraries such as Next.js, the Vite RSC plugin, the Parcel RSC plugin, the React Router RSC preview, RedwoodSDK and Waku.
  • A high-fidelity proof-of-concept exploit has been developed. It was initially withheld to allow vendors time to develop patches, but details of the exploit have now been made public. State-sponsored exploitation campaigns targeting this vulnerability have been reported by threat intelligence organisations.
  • The vulnerability was being tracked as two separate CVEs: CVE-2025-55182 (React) and CVE-2025-66478 (Next.js). This is because Next.js does not include React as a traditional dependency; instead, it bundles a "vendored" copy. CVE-2025-66478 has now been marked as a duplicate by NIST but is still used within the community to refer to the Next.js vulnerability specifically.
  • The reliability of some scanners and vulnerability aggregators is at this point questionable, with many tools reported to be producing false negatives. Patching affected versions is the only reliable, definitive mitigation at this time.

Applicability

This threat could affect any organisation that uses versions 19.0, 19.1.0, 19.1.1 or 19.2.0 of:

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

This threat also affects Next.js 15.x and 16.x when using App Router. It also affects organisations using any of the 14.3 canary builds.

If your React code does not use React server-components, your app is not currently known to be affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React server-components, your app is not currently known to be affected by this vulnerability.

Relevance to the supply chain

Due to the popularity and widespread use of the affected web application frameworks, combined with the low complexity of exploitation, in-the-wild exploitation is likely to increase in the coming days and weeks. If so, widespread disruption and breaches are possible. It is imperative for organisations to understand their own exposure and that of their supply chain, and to work together to ensure that appropriate remediation is actioned swiftly to prevent wider impact.

What should you do about it

Affected vulnerable software should be updated to the fixed versions without delay.

  1. Update affected versions of the React server-components packages:
    • react-server-dom-webpack
    • react-server-dom-parcel
    • react-server-dom-turbopack
    to the fixed releases 19.0.1, 19.1.2 and 19.2.1.
  2. Update affected versions of Next.js to one of the following patched stable versions: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 or 16.0.7. Organisations running experimental canary releases should downgrade to a 14.x stable release or 14.3.0-canary.76.
  3. For other libraries and frameworks using the affected React server-components packages (e.g. Redwood or Waku), check their official channels for information regarding patches and apply updates without delay.
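Because the advisory notes that scanners are producing false negatives, and because Next.js vendors its own React copy, it is worth checking the installed versions directly. The script below is an added example (not Risk Ledger's or the React project's code) that walks an npm package-lock.json, including nested node_modules copies, and reports installs matching the affected version lists given above; the file name and SAMPLE_LOCK are constructed for illustration, and "19.0" is read as 19.0.0.

```javascript
// Added example, not Risk Ledger's code: scan an npm package-lock.json (lockfileVersion 2/3)
// for the versions this advisory lists as affected. Version lists come from the advisory; "19.0"
// is read as 19.0.0. App Router use cannot be seen from a lock file, so all 15.x/16.x is reported.
const RSC_PACKAGES = new Set(["react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"]);
const AFFECTED_RSC = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
// Patched stable Next.js releases per the advisory, keyed by major.minor line.
const NEXT_FIXED = {
  "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
  "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7",
};
const parseVersion = (v) => v.split("-")[0].split(".").map(Number);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
// Returns "affected" | "patched" | "review" (pre-release, or a line with no listed fix) | "not-affected".
function nextStatus(version) {
  const canary = /^14\.3\.0-canary\.(\d+)$/.exec(version);
  if (canary) return Number(canary[1]) < 76 ? "affected" : "patched"; // .76 is the named safe canary
  if (version.includes("-")) return "review"; // other pre-release tags: check the vendor's channels
  const v = parseVersion(version);
  if (v[0] !== 15 && v[0] !== 16) return "not-affected";
  const fixed = NEXT_FIXED[`${v[0]}.${v[1]}`];
  if (!fixed) return "review";
  return cmp(v, parseVersion(fixed)) < 0 ? "affected" : "patched";
}
// Walk every installed copy (nested node_modules included) so a duplicated install is not missed.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "" || !meta || !meta.version) continue; // skip the root project entry
    const name = path.split("node_modules/").pop();
    if (RSC_PACKAGES.has(name) && AFFECTED_RSC.has(meta.version)) findings.push({ path, name, version: meta.version, status: "affected" });
    else if (name === "next") {
      const status = nextStatus(meta.version);
      if (status === "affected" || status === "review") findings.push({ path, name, version: meta.version, status });
    }
  }
  return findings;
}
const SAMPLE_LOCK = { // constructed lock file: two vulnerable installs plus one patched nested copy
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/next": { version: "15.5.6" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-lib/node_modules/react-server-dom-webpack": { version: "19.2.1" },
  },
};
// Usage: node scan-react2shell.js [path/to/package-lock.json]; without an argument the sample is scanned.
const lock = process.argv[2] ? JSON.parse(require("node:fs").readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
for (const f of scanLockfile(lock)) console.log(`${f.status}: ${f.name}@${f.version} (${f.path})`);
```

A "review" result means the lock file alone cannot settle the question (a pre-release tag, or a Next.js line for which the advisory lists no patched release); confirm those against the vendor advisories linked below.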

Where to find more information

This is an evolving situation. You can keep up to date with the latest information on this threat by referring to the advisories from the affected vendors:

  • React advisory
  • Next advisory
  • NIST CVE-2025-55182

To understand how your supply chain is affected by React2Shell, create your free account on Risk Ledger. You can find out more about how the Emerging Threats feature on Risk Ledger works here.
