Codenamed React2shell, CVE-2025-55182 is rated CVSS 10.0 (Critical) and affects the server-side part of React known as React Server Components (RSC).
At its core, the vulnerability is an unsafe deserialization flaw: React decodes the payload of requests sent to "Server Function" endpoints without adequately validating the attacker-controlled structure it receives. An attacker can therefore send a single crafted HTTP request and, without prior authentication, trigger remote code execution (RCE) on the server.
The vulnerability impacts these React-RSC packages on versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0:
Because many frameworks and bundlers rely on these packages, the issue spreads beyond React itself. Confirmed affected ecosystems include Next.js (via App Router), as well as tools such as React Router (RSC APIs), Waku, RSC plugins for Vite and Parcel, and Redwood SDK.
Any web application using React Server Components - including many default or minimal Next.js installations - may be vulnerable, even if the developers never explicitly defined a Server Function endpoint, because the server-side request handling that performs the deserialization is present regardless. Successful exploitation lets an attacker execute arbitrary code on the server, which can lead to data compromise, modification of system state, or lateral movement into the rest of the environment.
Users should upgrade the affected packages to versions 19.0.1, 19.1.2, or 19.2.1. For Next.js users, patched versions include:
The vulnerability also affects the experimental Next.js 14.3 canary releases from 14.3.0-canary.77 onward. Users on any affected 14.3 canary build should move to either 14.3.0-canary.76 or a 14.x stable release.
Frameworks and bundlers that depend on the React-RSC packages should likewise be updated to releases that pull in the patched dependencies. Note that bumping the React-RSC packages in your own package.json is not sufficient where a framework ships its own copy of them, as Next.js does; in that case the framework itself must be upgraded to a patched release.
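As a practical check for the upgrade guidance above, the following Node.js script audits a package-lock.json (lockfileVersion 2 or 3) for React-RSC packages still on an affected version and reports the patched release to move to. It is an added example, not code from Holm Security or the React project. The package names it looks for are an assumption taken from React's upstream advisory, since this page omits its own package list; the affected and patched version numbers are the ones named above. Canary or experimental builds are reported for manual review rather than classified, because the stable version list does not cover them. The sample lockfile embedded in the script is constructed for illustration.

```javascript
"use strict";
// Added example (not Holm Security's or React's own code): audit a
// package-lock.json for React Server Components packages still on a
// version affected by CVE-2025-55182.

// ASSUMPTION: package names are taken from React's upstream advisory, not
// from this page. Affected and patched versions are the ones the page names.
const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);
const AFFECTED_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
// Patched release for each affected minor line.
const PATCHED_FOR_MINOR = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };

// Classify one installed package@version. Returns null for packages that are
// out of scope (plain "react", for example, is not one of the RSC packages).
function assess(name, version) {
  if (!RSC_PACKAGES.has(name)) return null;
  const [core] = version.split("-"); // "19.2.0-canary-..." -> "19.2.0"
  const minor = core.split(".").slice(0, 2).join(".");
  if (version !== core) {
    // Prerelease build: not covered by the stable version list, so flag it for
    // a manual check against the advisory instead of guessing.
    return { name, version, status: "review", upgradeTo: PATCHED_FOR_MINOR[minor] };
  }
  if (AFFECTED_VERSIONS.has(core)) {
    return { name, version, status: "vulnerable", upgradeTo: PATCHED_FOR_MINOR[minor] };
  }
  return { name, version, status: "ok" };
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json. Keys look
// like "node_modules/<name>" or "node_modules/<dep>/node_modules/<name>", so
// nested duplicate installs under a framework are covered as well.
function auditLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const idx = key.lastIndexOf("node_modules/");
    if (idx < 0) continue; // "" is the root project; "packages/x" are workspaces
    const name = key.slice(idx + "node_modules/".length);
    const result = assess(name, entry.version || "");
    if (result && result.status !== "ok") findings.push({ path: key, ...result });
  }
  return findings;
}

// Constructed sample lockfile fragment (not a real project): a hoisted
// vulnerable copy, a patched copy nested under a framework, and a canary build.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.2.1" },
    "node_modules/react-server-dom-parcel": { version: "19.2.0-canary-abc123-20251101" },
  },
};

// Usage: node audit-rsc.js [path/to/package-lock.json]
// Without an argument the constructed sample above is audited.
function main(argv) {
  const lock = argv[2]
    ? JSON.parse(require("fs").readFileSync(argv[2], "utf8"))
    : SAMPLE_LOCK;
  const findings = auditLockfile(lock);
  for (const f of findings) {
    const hint = f.upgradeTo ? ` -> upgrade to ${f.upgradeTo}` : "";
    console.log(`${f.status.toUpperCase()}: ${f.path} is ${f.version}${hint}`);
  }
  return findings;
}

// Only run when executed directly, so the functions can also be imported.
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  main(process.argv);
}
```

Run it against a real lock file with `node audit-rsc.js package-lock.json`; in CI, set `process.exitCode` to 1 when the returned findings contain a `vulnerable` entry. Lockfile version 1 files use a nested `dependencies` tree instead of the flat `packages` map and are not handled here; `npm ls react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack --all` gives the same information for any lockfile version. Remember that a clean result for your own lock file says nothing about copies a framework vendors inside its own distribution.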
Holm Security is working on plugins to scan for these vulnerabilities.
If you have any questions, don't hesitate to reach out.