Security Updates

React2Shell (CVE-2025-55182): Why the video says you should update React/Next.js immediately

The video discusses a critical security vulnerability in React Server Components (RSC), known as React2Shell (CVE-2025-55182), which is an unauthenticated remote code execution flaw that can let attackers execute code on the server.

Published: Jun 16, 2026Updated: Jun 16, 2026Reading time: 6 minViews: 0
ReactNext.jsCVE-2025-55182securityReact Server Components

💡Key Takeaways

  • The video discusses a critical security vulnerability in React Server Components (RSC), known as React2Shell (CVE-2025-55182), which is an unauthenticated remote code execution flaw that can let attackers execute code on the server.

Opening frame about React2Shell

Image source: frame extracted from the user-uploaded video snaptik.vn_7580000932474178836.mp4, near the beginning. The frame illustrates the warning to update React/Next.js immediately.

Short summary

The video is about a highly critical security vulnerability in React Server Components (RSC), commonly referred to as React2Shell, tracked as CVE-2025-55182. According to React’s official advisory, this is an unauthenticated remote code execution (RCE) vulnerability. In the right conditions, an attacker can send a specially crafted request and cause the server to execute unintended code.[1][2]

What the video gets right is the most important operational point: if your application uses React Server Components or Next.js App Router, you should update immediately. React states that the affected packages include react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack in React 19.0.0, 19.1.0, 19.1.1, and 19.2.0.[1]


What is the video actually talking about?

In plain language, the video is describing this kind of story:

  • React and Next.js now do much more work on the server.
  • React Server Components rely on a transport and decoding mechanism between client and server.
  • That mechanism contained a severe payload-handling flaw.
  • If a malicious payload is crafted carefully enough, the server may process it in a dangerous way.

The NVD describes the root issue at a high level as unsafe deserialization of payloads from HTTP requests sent to Server Function endpoints.[2]


A simple story version

Imagine a front desk clerk whose job is only to receive forms and route them to the right department.

Normally, the clerk reads the form, recognizes what it is, and forwards it safely.

But now imagine a serious process flaw: instead of merely reading the form, the clerk can accidentally obey hidden instructions inside it.

That is why React2Shell is so dangerous.

The application thinks it is just receiving a normal request, but a specially crafted request may push the server into behavior it should never perform. That is why React characterizes the issue as unauthenticated remote code execution.[1]


Frame showing update instructions

Image source: frame extracted from the user-uploaded video snaptik.vn_7580000932474178836.mp4, around the middle of the clip. The frame illustrates the part of the video that points viewers toward update instructions.

Why is this such a big deal?

There are four major reasons.

1. The severity is extremely high

React disclosed CVE-2025-55182 with a CVSS 10.0 score, which is the maximum severity in many common scoring systems.[1]

2. No prior authentication is required

This is not the kind of bug that requires an admin account or insider access first. React explicitly describes it as unauthenticated RCE.[1]

3. It affects a large ecosystem

React says the impact is not limited to the core packages alone. Frameworks and bundlers that depend on this mechanism are also affected, including Next.js, React Router, Waku, @parcel/rsc, @vitejs/plugin-rsc, and RedwoodSDK.[1]

4. Temporary mitigations are not enough

React notes that it worked with some hosting providers on temporary mitigations, but it also says developers should not depend on those mitigations instead of patching.[1]


Who should worry most?

You should check immediately if you are in one of these groups:

  • You use Next.js App Router.
  • You use React Server Components.
  • You use any of the affected react-server-dom-* packages.
  • You use a framework or bundler with RSC support.
  • You run public-facing production systems on React 19 with modern server-side React features.

By contrast, React also makes an important clarification: if your React code does not use a server, or if it does not use a framework, bundler, or plugin that supports React Server Components, then you are not affected by this vulnerability.[1]


How does this affect Next.js?

According to Next.js, applications using the App Router together with React Server Components are affected. In its follow-up advisory, Next.js also covered additional RSC-related issues such as CVE-2025-55183 (source code exposure in certain conditions) and CVE-2025-55184 / CVE-2025-67779 (DoS), while making clear that the React2Shell patch still needs to be applied.[3]

Next.js also says:

  • Pages Router applications are not directly affected, but upgrading to a patched version is still recommended.[3]
  • There is no reliable workaround; upgrading is required.[3]

What should you do right now?

If you use React

React requires immediate upgrades to the fixed versions of the affected packages. In the original advisory, React published the initial fixed branches, and the update instructions in the same advisory were later revised again as additional related CVEs were addressed.[1][4]

If you use Next.js

Do not rely only on the version numbers shown in the video, because patch guidance may change as follow-up advisories are published. In the React advisory’s updated instructions (updated January 26, 2026), the current guidance says Next.js users should move to the latest patched release in their own release line, such as 14.2.35, 15.0.8, 15.1.12, 15.2.9, 15.3.9, 15.4.11, 15.5.10, 16.0.11, 16.1.5, or the appropriate canary versions.[4]

A practical response checklist

  1. Inventory which applications use RSC / App Router.
  2. Check react, react-dom, next, and react-server-dom-* versions.
  3. Upgrade according to the latest official guidance.
  4. Redeploy production.
  5. Review logs for suspicious activity during the exposure window.
  6. If compromise is suspected, consider rotating secrets/tokens and investigating further.

Frame illustrating a malicious request concept

Image source: frame extracted from the user-uploaded video snaptik.vn_7580000932474178836.mp4, later in the demo section. The frame is included only as a conceptual illustration of the risk posed by malicious requests, not as official exploit documentation.

What does the video get right, and what needs careful interpretation?

What the video gets right

  • This is a serious issue.
  • Modern React/Next.js applications can be affected.
  • Teams should patch immediately.
  • This should not be dismissed as a merely theoretical bug.

What needs more careful interpretation

  • Not every React application is affected. React explicitly says only the relevant server-side RSC usage is in scope.[1]
  • The version numbers shown in the video may represent a snapshot in time. For real remediation, teams should always follow the latest vendor advisories.[3][4]
  • The demo conveys the danger well, but real-world assessment still requires checking the actual framework versions, routing model, packages, and deployment architecture of each application.

Conclusion

If you reduce the entire video to one sentence, it is this:

This is not a minor front-end bug; it is a major server-side vulnerability in the React/Next.js ecosystem, and delaying updates is risky.

The video is useful because it reminds viewers that React is no longer “just UI.” Once React and Next.js move deeper into server-side rendering, server components, and server functions, protocol and logic bugs can have consequences as serious as classic backend vulnerabilities.


Sources

[1] React Team — Critical Security Vulnerability in React Server Components
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

[2] NVD — CVE-2025-55182
https://nvd.nist.gov/vuln/detail/CVE-2025-55182

[3] Next.js — Next.js Security Update: December 11, 2025
https://nextjs.org/blog/security-update-2025-12-11

[4] React Team — Update Instructions section in the same React advisory (updated Jan 26, 2026)
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

[5] Canadian Centre for Cyber Security — React security advisory (AV25-804) – Update 1
https://www.cyber.gc.ca/en/alerts-advisories/react-security-advisories-av25-804

PR

Written by PixelRouter Editorial Team

We publish deep, authoritative guides on AI infrastructure, API gateway security, cloud financial management, and system optimizations for developers.

FAQ

What is the React2Shell vulnerability (CVE‑2025‑55182)?

React2Shell is an unauthenticated remote code execution (RCE) vulnerability in React Server Components. It allows an attacker to send a specially crafted request that can execute arbitrary code on the server.

How severe is CVE‑2025‑55182?

The vulnerability is rated with a CVSS 10.0 score, which is the maximum severity level.

Which packages and frameworks are affected?

Affected packages include `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack` in React 19.0.0, 19.1.0, 19.1.1, and 19.2.0. Frameworks and bundlers that depend on these packages—such as Next.js (App Router), React Router, Waku, `@parcel/rsc`, `@vitejs/plugin-rsc`, and RedwoodSDK—are also impacted.

Who should worry most about this issue?

Developers using Next.js App Router, React Server Components, any of the affected `react-server-dom-*` packages, or any framework/bundler that supports React Server Components should act immediately. Public‑facing production systems running React 19 with server‑side features are also at risk.

What should developers do right now?

1. Inventory applications that use RSC or the App Router. 2. Check the versions of `react`, `react-dom`, `next`, and `react-server-dom-*`. 3. Upgrade to the latest patched releases for those packages. 4. Redeploy the updated code. 5. Review logs for suspicious activity and rotate secrets if compromise is suspected. Upgrading is the only reliable mitigation; no consistent workaround exists.