React2Shell and Next.js - Are You Exposed to CVE-2025-55182
Publication date: 2025-12-08
In early December 2025, a critical vulnerability in React Server Components triggered a global security response. The flaw—tracked as CVE-2025-55182 and widely known as React2Shell—allows attackers to execute code remotely on affected servers without authentication. Within hours of disclosure, exploitation attempts were observed in the wild. Within days, tens of thousands of internet-facing servers were found vulnerable, and multiple organizations reported being compromised.
React2Shell does not affect front-end code directly. The vulnerability exists in React Server Components, a feature designed to move application logic from the browser to the server. In the affected versions, React unsafely deserializes data received from HTTP requests sent to so-called “Server Function” endpoints. By crafting a malicious payload, an attacker can inject executable data that causes the server to run arbitrary code — without credentials, without user interaction, and without any warning signs.
Because the issue is architectural rather than configuration-based, even default setups were exploitable. Frameworks such as Next.js are particularly impacted because React Server Components are enabled automatically in modern application layouts. This meant large-scale exploitation was not a matter of if, but when.
Real-world impact
The vulnerability was rated at the highest possible severity level with a CVSS score of 10.0. EPSS probability surged into the highest global percentile within days. Security researchers observed mass scanning activity and exploitation starting within hours. The Shadowserver Foundation tracked more than 77,000 vulnerable systems worldwide at peak exposure, including hundreds in the Netherlands. Large cloud providers confirmed active abuse shortly after disclosure.
Even Cloudflare was indirectly impacted. During emergency defensive changes to its Web Application Firewall, an internal dependency error caused parts of its infrastructure to return HTTP 500 responses worldwide for approximately half an hour. Cloudflare was not breached, but the outage showed how severely a core framework flaw can ripple through the internet.
Am I vulnerable?
If you operate a React or Next.js application, you should verify your software versions immediately.
Check your React version
Run the following command inside your project directory:
npm list react react-dom
If your version is:
- 19.0.0
- 19.1.0
- 19.1.1
- 19.2.0
then your system is vulnerable. Upgrade immediately to:
- 19.0.1
- 19.1.2
- 19.2.1
Check your Next.js version
Run:
npx next --version
If you are using Next.js versions between 14 and 16, consult Next.js’ official security advisory and update to the patched release within your version branch as soon as possible.
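The version check above, as an added example that is not part of the original article: a small POSIX shell helper that reads the JSON form of `npm list react react-dom` and classifies the installed React version against the vulnerable and patched releases listed above. The sample JSON is constructed for offline testing; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): classify the installed React
# version against the vulnerable/patched releases named in the text.

# Returns 0 when the version is one of the vulnerable releases listed above.
is_vulnerable_react() {
  case "$1" in
    19.0.0|19.1.0|19.1.1|19.2.0) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns 0 when the version is one of the patched releases listed above.
is_patched_react() {
  case "$1" in
    19.0.1|19.1.2|19.2.1) return 0 ;;
    *) return 1 ;;
  esac
}

# Extract the installed version of package $1 from `npm list --json` output
# read on stdin. Uses only tr and sed so it works where jq is not installed.
installed_version() {
  tr -d '\n' | sed -n "s/.*\"$1\": *{[^}]*\"version\": *\"\([^\"]*\)\".*/\1/p"
}

# Print VULNERABLE, PATCHED or UNKNOWN for a version string.
# Exit status: 2 = vulnerable, 0 = patched, 1 = not a version the article lists.
classify_react() {
  if is_vulnerable_react "$1"; then echo "VULNERABLE"; return 2
  elif is_patched_react "$1"; then echo "PATCHED"; return 0
  else echo "UNKNOWN"; return 1
  fi
}

# Constructed sample of `npm list react react-dom --json` output (not real data).
SAMPLE_NPM_JSON='{
  "name": "demo-app",
  "dependencies": {
    "react": { "version": "19.1.1", "resolved": "https://registry.npmjs.org/react/-/react-19.1.1.tgz" },
    "react-dom": { "version": "19.1.1" }
  }
}'

# Real usage inside a project directory (assumes npm is installed):
#   npm list react react-dom --json | installed_version react | { read v; classify_react "$v"; }
```

An UNKNOWN result (for example a React 18 release) only means the version is not one the article names; check the React advisory linked under Resources for the authoritative list.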
Check for indicators of compromise
If your application was exposed before patching, review your system for:
- Suspicious processes or scheduled jobs
- Unexpected outbound connections
- Webshells in application directories
- New users or modified SSH keys
- Unknown files in temporary or upload directories
If you detect anomalies, assume compromise and escalate immediately.
How BaseFortify helps you stay ahead
React2Shell exposed a painful truth: many organizations do not actually know what runs in their production stack until attackers do. Some victims were unaware they had React Server Components active at all.
BaseFortify closes that visibility gap. BaseFortify continuously scans your environment, identifies running components, and matches them against real-time vulnerability intelligence from NVD, CISA, EPSS and vendor advisories. When a vulnerability like React2Shell appears, your exposure is immediately visible — linked directly to the components in your environment.
Our CVE reports include an AI Assistant and tailor-made Q&A, allowing you to quickly understand:
- How a vulnerability actually works
- How it could impact your setup
- What to prioritize
- What to fix first
Instead of learning from headlines, you gain insight while action still matters.
Create your free account here:
👉 https://basefortify.eu/register
Final thoughts
React2Shell is not “just another CVE.” It is a reminder that development frameworks are infrastructure — and when developer convenience meets unsafe design, the fallout is immediate and widespread.
Patch quickly. Audit carefully. And assume that any internet-exposed system deserves scrutiny.
Resources
- BaseFortify CVE Report: https://basefortify.eu/cve_reports/2025/12/cve-2025-55182.html
- React official security advisory: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
- Shadowserver exposure tracking: https://www.shadowserver.org/news/react2shell-exploitation-tracking
- Cloudflare incident report: https://blog.cloudflare.com/waf-rules-react-vulnerability
- AWS exploitation advisory: https://aws.amazon.com/blogs/security/react2shell-exploitation
- Security.nl reporting: https://www.security.nl/posting/916265 and https://www.security.nl/posting/916281