
A critical security vulnerability in React Server Components is putting millions of web applications at immediate risk, with security researchers warning that attackers can execute arbitrary code without authentication.
The flaw, designated CVE-2025-55182 and nicknamed "React2Shell," carries the maximum severity score of 10.0 on the CVSS scale. New Zealand security researcher Lachlan Davidson discovered and responsibly disclosed the vulnerability to Meta on November 29, triggering an emergency response across the JavaScript ecosystem.
The vulnerability affects React versions 19.0 through 19.2.0 and stems from unsafe deserialization of payloads sent to React Server Function endpoints. What makes this particularly dangerous is that applications remain vulnerable even if they don't explicitly use Server Functions—simply supporting React Server Components is enough.
"The system executes the malicious payload with the same reliability as legitimate code because it operates exactly as intended, but on malicious input," explained Justin Moore, senior manager of threat intelligence at Palo Alto Networks Unit 42, who identified over 968,000 potentially vulnerable servers.
The impact extends far beyond React itself. Popular frameworks including Next.js (CVE-2025-66478), React Router, Expo, Waku, and RedwoodJS are all affected. According to the State of JavaScript survey, React powers 82% of JavaScript projects, making this one of the most widespread vulnerabilities in recent memory.
Cloud security firm Wiz reports that 39% of cloud environments contain instances vulnerable to React2Shell. Major hosting providers including Vercel and Cloudflare have deployed temporary Web Application Firewall rules to protect customers, though these should not replace immediate patching.
Patches are now available: React users should upgrade to the patched release for their minor line, 19.0.1, 19.1.2, or 19.2.1. Next.js users must likewise update to the patched release for their line (15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7). The React Team emphasizes that while no confirmed in-the-wild exploitation has been reported, unconfirmed reports are circulating.
Security experts are urging immediate action, warning that public proof-of-concept exploits could emerge at any moment, potentially triggering widespread attacks against the massive installed base of React applications.