Alert: Critical React Server Components (RSC) Protocol Vulnerability
A critical security issue has been identified in React and Next.js applications using the App Router, tracked as CVE-2025-55182 and CVE-2025-66478. This vulnerability, known as React2Shell, allows attackers to run unauthorized code on servers by sending a specially crafted request to systems using React Server Components.
Affected Systems
React and related server packages (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack): versions 19.0.0, 19.1.0, 19.1.1 and 19.2.0.
Next.js: 14.3.0-canary.77, and all 15.x and 16.x versions prior to the fixed releases listed below (App Router users only).
Other libraries implementing React Server Components.
Security Risks
Exploitation of these CVEs may allow attackers to take full control of the server, access sensitive information, alter data, or disrupt services.
Recommended Actions
The National Cyber Security Authority (NCSA) recommends the following actions:
React Server Packages: Update react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack to 19.0.1, 19.1.2 or 19.2.1.
Next.js: Update Next.js to the fixed versions: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7.
Ensure a current backup that can be readily restored is in place before applying any updates or patches.
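To help inventory affected deployments, the following Node.js script (an added example, not part of the NCSA advisory) compares the Next.js and react-server-dom-* versions in a project's dependency list against the fixed releases named above. The version tables are copied from this advisory; the package.json content is a constructed sample, and in practice the exact versions from the lockfile should be checked rather than package.json ranges.

```javascript
// Added example, not from the advisory: classify dependency versions against the
// fixed releases the advisory lists. Fixed Next.js patch per minor line
// ("15.0" -> 15.0.5, ...) and fixed react-server-dom-* patch per minor line.
const NEXT_FIXED = { "15.0": 5, "15.1": 9, "15.2": 6, "15.3": 6, "15.4": 8, "15.5": 7, "16.0": 7 };
const RSC_FIXED = { "19.0": 1, "19.1": 2, "19.2": 1 };
const RSC_PACKAGES = ["react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"];

// Parse "major.minor.patch[-prerelease]"; a leading ^ or ~ range marker is dropped.
// package.json ranges only approximate what is installed; prefer lockfile versions.
function parseVersion(v) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(String(v).trim());
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

// "vulnerable" if the version precedes the fixed release of its minor line,
// "fixed" if at or after it, "unknown" if the advisory does not cover that line.
function classify(version, fixedTable, majors) {
  const p = parseVersion(version);
  if (!p || !majors.includes(p.major)) return "unknown";
  const fixedPatch = fixedTable[`${p.major}.${p.minor}`];
  if (fixedPatch === undefined) return "unknown";
  // A prerelease of the fixed patch (e.g. x.y.z-canary.N) still precedes the fix.
  return p.patch < fixedPatch || (p.patch === fixedPatch && p.pre) ? "vulnerable" : "fixed";
}

function classifyNext(version) {
  // The advisory names 14.3.0-canary.77 explicitly; other 14.x lines are not covered.
  if (String(version).trim().replace(/^[\^~]/, "") === "14.3.0-canary.77") return "vulnerable";
  return classify(version, NEXT_FIXED, [15, 16]);
}

function classifyRsc(version) {
  return classify(version, RSC_FIXED, [19]);
}

// Audit the dependency maps of a parsed package.json; returns { packageName: status }.
function auditDependencies(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const report = {};
  for (const [name, version] of Object.entries(deps)) {
    if (name === "next") report[name] = classifyNext(version);
    else if (RSC_PACKAGES.includes(name)) report[name] = classifyRsc(version);
  }
  return report;
}

// Constructed sample package.json used only for demonstration.
const samplePackageJson = {
  dependencies: { next: "15.3.2", react: "19.2.0", "react-server-dom-webpack": "^19.2.0" },
  devDependencies: { "react-server-dom-turbopack": "19.2.1" },
};
console.log(auditDependencies(samplePackageJson));
```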
For further information and support, please contact the National Cyber Security Authority (NCSA) by email to rwcsirt@ncsa.gov.rw or call us on 9009.