On December 3, 2025, a critical vulnerability in React Server Components and in the Next.js framework built on them was published. The vulnerability allows Remote Code Execution (RCE), i.e. the execution of arbitrary code on affected servers, potentially impacting thousands of web applications worldwide. React2Shell is particularly dangerous because it can be exploited remotely and without authentication.
Approximately 40% of all cloud environments could be affected.
Today, just two days later, there was a massive global outage at Cloudflare. Services like LinkedIn, Zoom, Anthropic and many others were temporarily unavailable. The reason: Cloudflare had deactivated internal logging functions in order to respond to the React security vulnerability. This led to a domino effect within their infrastructure.
The vulnerability has been nicknamed „React2Shell“ by security researchers and platforms such as Wiz.io. Its CVSS score is 10.0, the highest possible criticality.

React Server Components (RSC) enable server-side rendering of React components. An internal transfer protocol called „Flight“ is used for this. Security researchers discovered that attackers can trigger insecure deserialization processes via manipulated payloads. The result: any code can be executed on the target server.
The following React packages are particularly affected:
Versions 19.0.0, 19.1.0, 19.1.1 and 19.2.0 of these packages are affected in particular. The official CVE ID for React is CVE-2025-55182.
Since the popular web framework Next.js relies on React Server Components (RSC) by default from version 13 onwards, many Next.js applications are also vulnerable. The Next.js vulnerability has been published separately as CVE-2025-66478.
Affected are, in particular, all versions with the App Router enabled, especially the major versions 15.x and 16.x. Experimental „Canary“ releases are also affected.
The Next.js maintainers explicitly warn against relying on configuration settings, as there is no switch to deactivate the dangerous behavior. An update is unavoidable.
The vulnerability allows attackers to execute arbitrary code on the server - without authentication. This can trigger the following scenarios:
This is particularly critical for publicly accessible SaaS platforms, web portals, API gateways and customer front-ends.
In addition to React and Next.js, other frameworks and toolchains may also be affected if they use React Server Components. These include:
Whether your systems are affected largely depends on whether React RSC functionality, or frameworks based on it, is used in production.
The React and Next.js teams have already published security updates:
Recommended measures:
1. Carry out an inventory of your web applications
2. Identify affected React and Next.js versions
3. Update to the patched versions
4. Check server logs for suspicious activity (e.g. unusual POST payloads)
5. Add additional protection mechanisms: e.g. web application firewalls (WAF), IDS/IPS
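For steps 1 to 3, an added example (not code from the original post or from the React or Next.js projects): a Node.js script that walks a package-lock.json (lockfile v2/v3 "packages" map) and flags the React Server Components bindings at the affected versions named above, Next.js 13+ installs for review, and any canary pre-release. It assumes the affected RSC packages are the react-server-dom-* bindings, which this page does not list, so that prefix must be checked against the official advisory before relying on the results.

```javascript
// Added example: inventory a package-lock.json for React2Shell-affected packages.
// Exact React RSC package versions the advisory lists as affected.
const AFFECTED_REACT_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
// Assumption (verify against the advisory): the RSC Flight bindings share this
// prefix, e.g. react-server-dom-webpack.
const REACT_RSC_PACKAGE_PREFIX = "react-server-dom-";
// Next.js majors the advisory highlights; App Router use must be confirmed separately.
const HIGHLIGHTED_NEXT_MAJORS = new Set([15, 16]);

function packageNameFromPath(lockPath) {
  // "node_modules/a/node_modules/b" -> "b"; scoped names keep their "@scope/".
  const idx = lockPath.lastIndexOf("node_modules/");
  return idx === -1 ? null : lockPath.slice(idx + "node_modules/".length);
}

// Returns a status string for a (name, version) pair, or null if not of interest.
function classify(name, version) {
  const isCanary = /canary/i.test(version);
  if (name.startsWith(REACT_RSC_PACKAGE_PREFIX)) {
    if (AFFECTED_REACT_VERSIONS.has(version)) return "affected (listed version)";
    if (isCanary) return "affected (canary release)";
  }
  if (name === "next") {
    const major = parseInt(version.split(".")[0], 10);
    if (isCanary) return "affected (canary release)";
    if (HIGHLIGHTED_NEXT_MAJORS.has(major)) return "review (15.x/16.x, check App Router use)";
    if (major >= 13) return "review (RSC on by default since 13, check App Router use)";
  }
  return null;
}

// Walks every lockfile entry (including nested node_modules) and returns the hits.
function findAffected(lock) {
  const hits = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath); // root entry "" is skipped
    if (!name || !meta.version) continue;
    const status = classify(name, meta.version);
    if (status) hits.push({ name, version: meta.version, status, path: lockPath });
  }
  return hits;
}

// CLI usage: node scan-lock.js [path/to/package-lock.json]
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = JSON.parse(fs.readFileSync(process.argv[2] || "package-lock.json", "utf8"));
  for (const h of findAffected(lock)) console.log(`${h.status}: ${h.name}@${h.version} (${h.path})`);
}
```

Run it in each application's repository as part of the inventory; a non-empty result list means the patched versions from the React and Next.js teams must be installed before looking further.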
With External Attack Surface Management from LocateRisk, companies automatically detect whether their publicly accessible systems are affected by known vulnerabilities such as CVE-2025-55182.
The platform scans your external attack surface and informs you about new CVEs, potential attack vectors and configuration errors. The response time to critical vulnerabilities such as React2Shell can thus be drastically reduced.
Thanks to integrated prioritization, risk assessment and automated reports, IT teams and management always have an overview, even in exceptional situations.