React2shell exposes servers to remote code execution
Codenamed React2shell, CVE-2025-55182 is rated CVSS 10.0 (Critical) and affects the server-side part of React known as React Server Components (RSC).
How the vulnerability works
At its core, the vulnerability stems from unsafe deserialization: React decodes payloads sent to “Server Function” endpoints but fails to validate untrusted data properly. An attacker can therefore send a crafted HTTP request and, without prior authentication, trigger remote code execution (RCE) on the server.
The vulnerability impacts these React-RSC packages on versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Why this is so dangerous
Because many frameworks and bundlers rely on these packages, the issue spreads beyond React itself. Confirmed affected ecosystems include Next.js (via App Router), as well as tools such as React Router (RSC APIs), Waku, RSC plugins for Vite and Parcel, and Redwood SDK.
Any web application using React Server Components - including many default or minimal installations of Next.js - may be vulnerable, even if developers have not explicitly defined Server Function endpoints. Successful exploitation lets an attacker execute arbitrary code on the server, potentially compromising data, modifying system state, or enabling lateral movement.
Mitigation and next steps
Users should upgrade the affected packages to versions 19.0.1, 19.1.2, or 19.2.1. For Next.js users, patched versions include:
- 15.0.5
- 15.1.9
- 15.2.6
- 15.3.6
- 15.4.8
- 15.5.7
- 16.0.7
The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or to 14.3.0-canary.76.
Frameworks and bundlers that depend on React-RSC packages should likewise be updated to include the patched dependencies.
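Checking a project's lockfile against the version lists above is the quickest way to confirm exposure before the scanner plugins are available. The script below is an added example, not code from this advisory or from the React or Next.js projects: it walks the `packages` map of a `package-lock.json` (lockfileVersion 2 or 3), flags the three `react-server-dom-*` packages at the affected versions, and compares a `next` entry against the patched release on its own minor line (with the 14.3 canary rule handled separately). The sample lockfile embedded at the bottom is constructed for illustration; run `node audit-react2shell.js path/to/package-lock.json` to audit a real one.

```javascript
// Added example: audit a package-lock.json for the React2shell (CVE-2025-55182)
// version lists given in the advisory. Not part of React, Next.js, or Holm Security.

const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);
const VULNERABLE_RSC = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
const PATCHED_RSC = new Set(["19.0.1", "19.1.2", "19.2.1"]);

// First patched patch-level for each Next.js release line named in the advisory.
const PATCHED_NEXT = { "15.0": 5, "15.1": 9, "15.2": 6, "15.3": 6, "15.4": 8, "15.5": 7, "16.0": 7 };
const FIRST_BAD_CANARY = 77; // 14.3.0-canary.77 and later are affected

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Status values: "affected" (named vulnerable), "safe" (named fixed or
// named as a safe fallback), "not-listed" (the advisory says nothing about it).
function classifyRsc(version) {
  if (VULNERABLE_RSC.has(version)) return "affected";
  if (PATCHED_RSC.has(version)) return "safe";
  return "not-listed";
}

function classifyNext(version) {
  const p = parseVersion(version);
  if (!p) return "not-listed";
  if (p.major === 14) {
    const canary = p.pre && /^canary\.(\d+)$/.exec(p.pre);
    if (p.minor === 3 && p.patch === 0 && canary) {
      return Number(canary[1]) >= FIRST_BAD_CANARY ? "affected" : "safe";
    }
    return p.pre ? "not-listed" : "safe"; // 14.x stable is the advised fallback
  }
  if (p.pre) return "not-listed"; // prereleases on 15.x/16.x are not covered above
  const line = `${p.major}.${p.minor}`;
  if (!(line in PATCHED_NEXT)) return "not-listed";
  return p.patch >= PATCHED_NEXT[line] ? "safe" : "affected";
}

// Walk every installed copy, including nested node_modules, and report the
// packages the advisory names.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!entry || !entry.version) continue;
    const idx = path.lastIndexOf("node_modules/");
    if (idx < 0) continue; // root project entry
    const name = path.slice(idx + "node_modules/".length);
    let status;
    if (RSC_PACKAGES.has(name)) status = classifyRsc(entry.version);
    else if (name === "next") status = classifyNext(entry.version);
    else continue;
    findings.push({ path, name, version: entry.version, status });
  }
  return findings;
}

// Constructed sample lockfile: one vulnerable Next.js, one vulnerable RSC
// package, and a patched nested copy of another.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/next": { version: "15.4.7" },
    "node_modules/react": { version: "19.1.1" },
    "node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/some-tool/node_modules/react-server-dom-turbopack": { version: "19.2.1" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
  for (const f of auditLockfile(lock)) {
    console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`);
  }
}

module.exports = { auditLockfile, classifyNext, classifyRsc, parseVersion, SAMPLE_LOCK };
```

Any `affected` line means the dependency must be bumped to the patched release on its line; a `not-listed` result is not a clean bill of health, only a version the advisory does not mention, so check it against the upstream release notes.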
Holm Security's response
Holm Security is working on plugins to scan for these vulnerabilities.
Scan for specific vulnerabilities
Read how you can include or exclude a specific vulnerability in a scan profile here.