React 19, Next.js Patch Critical Vulnerability
A significant security vulnerability affecting React Server Components (RSC) in React 19 and Next.js has been discovered and patched. The flaw could have allowed attackers to exploit server actions, creating a risk of unauthorized access to backend logic. The fix involves stricter validation and has been adopted in both frameworks.
The vulnerability, identified as CVE-2025-55182, was a critical flaw in how React Server Components handled data sent from the client. It stemmed from unsafe deserialization: a specially crafted request could be misinterpreted by the server, leading to potential remote code execution. Dubbed "React2Shell" by security researchers, the flaw carried the highest possible severity rating of CVSS 10.0, because an unauthenticated attacker could exploit it with a single crafted HTTP request, requiring no user interaction or prior access.

The vulnerability wasn't just theoretical; active exploitation was observed in the wild shortly after its disclosure. Security firms reported seeing attackers scan for vulnerable systems, attempting to steal cloud credentials and install cryptocurrency mining malware.

This security issue affected React versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. Consequently, frameworks that use React Server Components, most notably Next.js versions 15 and 16, were also vulnerable.

The vulnerability was privately reported by security researcher Lachlan Davidson on November 29, 2025. In response, the React team, in coordination with framework maintainers, issued patches on December 3, 2025. For developers using Next.js, a command-line tool was released to simplify patching: `npx fix-react2shell-next`. Following the patch, developers were strongly advised to rotate any secrets and environment variables their applications used, as a precautionary measure, since a successful exploit could have exposed them.
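As an added example (not code from the article or from the React or Next.js projects), the following Node.js script audits an npm `package-lock.json` for installed copies of React at the versions the article lists as affected, including nested copies under another package's `node_modules`, and flags Next.js 15/16 installs for verification. It assumes the `react` package version is a sufficient indicator and that the lockfile uses the `packages` map (lockfileVersion 2 or 3); the sample lockfile is constructed.

```javascript
// Added example, not code from the article or from the React/Next.js projects.
// Audits an npm package-lock.json ("packages" map, lockfileVersion 2 or 3) for
// installed copies of React at the versions the article lists as affected by
// CVE-2025-55182, including nested copies under another package's node_modules.
// Assumption: the "react" package version is used as the indicator; the fix
// tool and the official advisory remain the authority on what to update.
const AFFECTED_REACT = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
const RSC_NEXT_MAJORS = new Set([15, 16]); // Next.js majors the article names

// "node_modules/next/node_modules/react" -> "react"; "node_modules/@s/p" -> "@s/p"
function packageName(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Returns one finding per flagged install: { path, name, version, reason }.
function auditLockfile(lockJson) {
  const lock = typeof lockJson === "string" ? JSON.parse(lockJson) : lockJson;
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "" || !meta || !meta.version) continue; // "" is the root project
    const name = packageName(path);
    if (name === "react" && AFFECTED_REACT.has(meta.version)) {
      findings.push({ path, name, version: meta.version,
        reason: "React version listed as affected by CVE-2025-55182" });
    } else if (name === "next" && RSC_NEXT_MAJORS.has(Number(meta.version.split(".")[0]))) {
      findings.push({ path, name, version: meta.version,
        reason: "Next.js 15/16 uses RSC; confirm npx fix-react2shell-next was applied" });
    }
  }
  return findings;
}

// Constructed sample lockfile: a Next 15 app whose top-level React is not in the
// affected list but which carries a nested React 19.1.1 copy a shallow check misses.
const SAMPLE_LOCK = JSON.stringify({
  name: "sample-app", lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/next": { version: "15.0.3" },
    "node_modules/react": { version: "18.3.1" },
    "node_modules/next/node_modules/react": { version: "19.1.1" },
  },
});

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}@${f.version}: ${f.reason}`);
}
```

Run it against a real lockfile with `auditLockfile(require("fs").readFileSync("package-lock.json", "utf8"))`; an empty result means no React install matched the listed versions, not that the project is patched, so still run the fix tool on Next.js 15/16 apps.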