React2Shell CVE-2025-55182: Patch, Verify, Prevent

React2Shell is a maximum‑severity remote code execution flaw in React Server Components (RSC). It hit on December 3, 2025, with CVE‑2025‑55182 and patches for the affected RSC packages, then a week later more issues surfaced that required yet another round of updates. If you ship React 19 with Server Components—or a framework that implements RSC like Next.js App Router—this is the time to patch, verify, and prove you’re safe. (react.dev)

What exactly broke in React Server Components?

The root problem was unsafe deserialization in RSC: the server accepted crafted payloads that RSC decoded and executed in ways the authors never intended. The affected packages were react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack at versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. Patched versions are 19.0.1, 19.1.2, and 19.2.1. That’s the baseline you must hit in any stack embedding RSC. (react.dev)

Downstream, Next.js tracked the impact as CVE‑2025‑66478 and released targeted fixed releases for each minor. If you’re on 15.x, the first fixed set was 15.0.5 / 15.1.9 / 15.2.6 / 15.3.6 / 15.4.8 / 15.5.7 (or 15.6.0‑canary.58), and for 16.x the first fixed was 16.0.7 (or 16.1.0‑canary.12). Later, follow‑on vulnerabilities required moving again—more on that below. (nextjs.org)

Is React2Shell being exploited?

Yes. Microsoft observed exploitation beginning December 5, 2025, including post‑exploitation activity like reverse shells, cryptominers, and attempts to harvest cloud credentials. NVD now flags CVE‑2025‑55182 as present in CISA’s Known Exploited Vulnerabilities catalog with a December 12, 2025 due date for U.S. federal agencies—an unambiguous signal to prioritize. (microsoft.com)

Independent advisories and threat‑intel shops have reported broad scanning and reliable proof‑of‑concepts. If you were exposed and internet‑facing between December 3–6, assume adversaries tried. Rotate secrets after patching; Next.js explicitly advised rotation if an app was online and unpatched as of December 4, 2025 at 1:00 PM PT. (nextjs.org)

React2Shell, then two more: why you likely need to patch again

Security research after the RCE patch revealed two additional RSC issues: a Denial of Service (CVE‑2025‑55184) and a Source Code Exposure (CVE‑2025‑55183). The initial DoS fix turned out incomplete, prompting a further patch tracked as CVE‑2025‑67779. Translation: even if you rushed the first updates, you probably need to update again to the newer fixed versions. (react.dev)

Next.js published specific target versions for those follow‑on fixes too, including 14.2.35 for 14.x, 15.0.7 through 15.5.9 across the 15.x line, and 16.0.10 for 16.x, plus corresponding canaries. If you’re still on a 15.x or 16.x build that predates those numbers, you’re not done. (nextjs.org)

Primary Keyword: React2Shell—how to patch without breaking your week

Here’s the thing: most teams can’t afford a thrash of emergency releases that destabilize product. The way out is to treat this as a two‑loop exercise: Patch Loop to reach the right versions fast, and Proof Loop to verify the change actually closed the hole and didn’t introduce regressions.

Patch Loop (same day)

1) Inventory what’s actually running. Don’t guess from package.json—inspect resolved versions. For Next.js, run npx fix-react2shell-next in the repo to scan and deterministically bump to the recommended fixed line. For non‑Next stacks, inspect node_modules for the RSC packages and confirm you’re on 19.0.1 / 19.1.2 / 19.2.1. Build and deploy to a canary environment immediately. (nextjs.org)

2) Rebuild images from scratch. Use fresh base images and ensure your lockfile resolves to the patched graph. Teams that pinned transitive dependencies months ago occasionally “patched” the top‑level package while their lockfile still pulled the unsafe RSC versions. Nuke and pave the container layer to be sure.

3) Secret rotation plan. If your app was online and unpatched on December 4 after 1:00 PM PT, prioritize rotating high‑impact secrets (databases, cloud provider keys, SSO/OIDC, Stripe/PayPal). Sequence rotations to avoid downtime. (nextjs.org)

Proof Loop (24–72 hours)

1) Confirm fixed Next.js or RSC versions at runtime. Emit version banners into logs at boot. During deployment, scrape and store those versions into your asset inventory so you can attest later.

2) Attack surface test. In a staging clone, replay a representative PoC or negative test harness to validate the vulnerability is closed. You don’t need weaponized exploit kits—just verify that crafted payloads are not accepted by your RSC endpoints. Keep results as evidence for auditors and customers.

3) Log‑based hunting. Query for unusual POSTs to your Server Functions endpoints, sudden spikes in node child processes, outbound connections to unknown hosts, and signs of cryptomining. Microsoft observed reverse shells, persistence via new users and RMM tools, and cloud credential harvesting post‑exploit; hunt accordingly. (microsoft.com)

4) Endpoint controls. If your RSC server runs on Linux VMs or containers, verify eBPF/EDR is live, kernel auditing is enabled for execve on the node runtime, and egress filtering is in place. A simple egress policy would have blocked several commodity payloads we’ve seen this month.

“Are Pages Router apps affected?” and other quick answers

Are Next.js Pages Router apps affected by React2Shell?

No, Next.js indicates Pages Router apps aren’t affected by the RSC flaws. Still, upgrade to the patched line to incorporate upstream hardening, especially if you plan to move to the App Router later. (nextjs.org)

Do I need to rotate secrets?

If your app was online and unpatched as of December 4, 2025 at 1:00 PM PT, yes—rotate. If you patched within hours of disclosure and have no indicators of compromise, you can stage rotations by risk and environment, but don’t skip them. (nextjs.org)

Is React2Shell in CISA’s KEV catalog?

Yes. NVD notes its presence in KEV with a date‑added of December 5 and a due date of December 12 for U.S. federal agencies. If your customers sell into public sector, expect proof of remediation. (nvd.nist.gov)

Version specifics you can act on today

RSC fixed versions: 19.0.1, 19.1.2, 19.2.1 for the three RSC packages. Install them directly if you’re not on a framework that bundles RSC. For Next.js, hit the fixed versions per your minor: first pass fixes were 15.0.5/15.1.9/15.2.6/15.3.6/15.4.8/15.5.7/16.0.7, then the follow‑on issues require moving to 14.2.35 (14.x), 15.0.7–15.5.9 across 15.x, and 16.0.10 for 16.x. Use the vendor tool: npx fix-react2shell-next. (nextjs.org)

If your environment predates those, you are still exposed. And remember: some hosting providers pushed temporary WAF mitigations to blunt known exploit patterns, but those do not replace patching. (vercel.com)

Data points leaders will ask you for

• When was the vulnerability disclosed and patched? December 3, 2025 for the RCE disclosure and initial patches; December 11, 2025 for the DoS and source exposure follow‑ups (with a subsequent correction for the DoS). (react.dev)

• Are we seeing exploitation in the wild? Yes—first seen by Microsoft around December 5, 2025, with several hundred machines compromised across orgs, mostly with commodity payloads but also RATs. (microsoft.com)

• Which versions are safe? For RSC: 19.0.1, 19.1.2, 19.2.1. For Next.js: the specific fixed sets listed above and the later December 11 patch set. (react.dev)

Let’s get practical: a 10‑step patch‑and‑prove checklist

1. Freeze deploys for 2 hours to stage the update and roll forward safely with clear rollback checkpoints.
2. Run npx fix-react2shell-next (Next.js) or pin RSC packages to 19.0.1/19.1.2/19.2.1 (other stacks). Commit lockfile changes.
3. Rebuild containers from a clean base; invalidate caches to force fresh dependency resolution.
4. Deploy to a canary environment behind real traffic shadowing. Enable verbose RSC server logs.
5. Run smoke tests and targeted negative tests for RSC endpoints to verify the hole is closed.
6. Promote to production in waves. Track error budgets and roll back quickly if needed.
7. Hunt for indicators of compromise from December 3–today: new system users, odd node processes, outbound tunnels, or miner signatures. (microsoft.com)
8. Rotate secrets in priority order if you were online and unpatched at disclosure time.
9. Document the exact versions deployed and the time of patch for customer assurance and audits.
10. Schedule the follow‑on patch window to reach the December 11 fixed sets if you haven’t already. (nextjs.org)

But there’s a catch: January 7 Node.js security release

Circle January 7, 2026. The Node.js team delayed its year‑end security release to that date. It will address three high‑severity issues across the 25.x, 24.x, 22.x, and 20.x lines. Plan a brief freeze with a fast path to update your base images the same week so you don’t quietly reintroduce risk at the runtime layer while focusing on React2Shell. (nodejs.org)

People also ask

How do I confirm production isn’t still pulling a bad transitive?

Export a software bill of materials from the built image, not the repo. Tools that read node_modules in your final container (or your serverless bundle manifest) will show resolved versions. Compare against the fixed sets listed above and store the SBOM with your release artifacts.

Do WAF rules make patching optional?

No. WAF rules can block early exploit patterns but won’t cover future bypasses or variant payloads. Treat them as defense‑in‑depth alongside patching and runtime controls. (vercel.com)

Are Pages Router or Edge Runtime apps a free pass?

Pages Router is not affected by the RSC flaws, and Edge Runtime isn’t in the blast radius described. That said, if the repo also deploys App Router services, you still need to patch those. (nextjs.org)

Zooming out: what React2Shell teaches about modern web stacks

Server rendering is now real application logic, not a templating step. That means the server piece of a “frontend” stack deserves the same hardening as any API: strict input validation, minimal egress, version telemetry, and a paper trail for auditors. Teams that practiced basic SRE hygiene—canary deploys, SBOM exports, runtime eBPF/EDR—closed this one cleaner and faster.

From the business side, customers are going to ask for proof. Build a lightweight evidence kit: deployment snapshot (versions, SHAs), SBOM, negative test results, and a one‑page attestation. It shortens sales cycles and calms renewals.

What to do next

• Patch precisely: hit the RSC fixed versions or the exact Next.js versions in the latest advisories, then re‑patch to the December 11 set if applicable. (react.dev)

• Prove it: capture resolved versions from running artifacts, run a negative test harness, and store results with your release notes.

• Hunt and rotate: sweep logs for post‑exploitation activity and rotate secrets if you were online and unpatched during the first 48 hours. (microsoft.com)

• Prep for January 7: plan a 2–4 hour window to adopt the Node.js security release across your base images and functions. (nodejs.org)

Need a hand?

If you need a second set of eyes, we’ve published hands‑on runbooks that teams used to move fast without blowing up their roadmap. Start with our guide on shipping the right fixes in Next.js, then our piece on why some teams had to patch twice. And if you’re dealing with the long tail of emergency releases across vendors, our 48‑hour plan format transfers well. We’re happy to help you tailor it to your environment.

• Read: Ship the right Next.js fixes, now

• Read: Patch twice, verify now

• Read: 48‑hour action plan approach

• Talk to us: Bybowu security & engineering services

If you only remember one thing

React2Shell isn’t a one‑and‑done patch. It’s a process: patch to the right versions, verify in running artifacts, and then prove it to stakeholders. Keep one eye on January 7 for the Node.js security drop. Move fast, but move correctly.