
React2Shell: The Critical Vulnerability That Hit Every Next.js App Router Project

CVE-2025-55182 let attackers run arbitrary code on your server with a single HTTP request — CVSS 10. If you use Next.js App Router with Server Actions, check your version now.

Rod

Founder & Developer

You shipped fast. You used AI to scaffold the app, Next.js to handle the server logic, and Vercel to deploy in minutes. It worked. Your users are happy. You moved on.

Then someone sent one HTTP request and got back your source code. Database queries. API keys. Business logic. All of it.

This wasn't a hypothetical. It happened.


First, what's a CVE?

A CVE (Common Vulnerabilities and Exposures) is basically a public record that says: "This software has a known security flaw, here's what it does, and here's how serious it is."

Each one gets a severity score from 0 to 10 (the CVSS score). A score of 10 means an attacker can do maximum damage with zero effort and zero access. No login needed. No special setup.

React2Shell scored a 10.


What actually happened

In December 2025, a researcher named Lachlan Davidson reported a critical flaw in React Server Components — the technology behind Next.js Server Functions (also called Server Actions).

The vulnerability was tracked as CVE-2025-55182 for React and CVE-2025-66478 for Next.js. The nickname? React2Shell — because it gave attackers a direct path from a browser request to running arbitrary code on your server.

Here's the simple version of what was broken:

When a Next.js app receives a request involving Server Functions, it uses something called the React Flight protocol to deserialize (decode) the incoming data. The problem was that this deserialization didn't properly validate what it was receiving.

An attacker could craft a malicious POST request that the server would misinterpret as a trusted internal instruction — and execute it.

No authentication required. No special headers. Near 100% reliability on default configurations.


The part developers missed

Here's a Server Function you might have written — or that your AI assistant wrote for you:

// app/actions.js
// 'use server' marks every export of this file as a Server Function,
// callable from the browser over HTTP via the React Flight protocol.
'use server'

import { db } from '@/lib/db'

export async function getUserData(userId) {
  // Parameterized query, so no SQL injection here. The weakness was not in
  // this code but in how the runtime deserialized the incoming request.
  const user = await db.query(
    `SELECT * FROM users WHERE id = $1`,
    [userId]
  )
  return user.rows[0]
}

Looks fine. It's on the server. It's not exposed in the frontend bundle. You assumed it was safe.

Under React2Shell, an attacker didn't need to find your endpoint. They could craft a request that triggered unintended execution paths inside React's runtime — bypassing your logic entirely and running their own code on your server.

And that wasn't the only problem.


The source code leak no one talked about

After React2Shell was patched, researchers kept digging. They found a follow-up vulnerability: CVE-2025-55183.

This one was quieter — rated medium severity (CVSS 5.3) — but deeply uncomfortable.

Under specific conditions, a malicious request could cause a Server Function to return its own source code as part of the HTTP response. Not compiled output. The actual source. With your database queries, conditional logic, and anything hardcoded inside.

'use server'

// This string literal could be exposed
const INTERNAL_API_KEY = 'sk-prod-abc123xyz'

export async function fetchReport() {
  const res = await fetch('https://internal-api.company.com/report', {
    headers: { Authorization: `Bearer ${INTERNAL_API_KEY}` }
  })
  return res.json()
}

If you hardcoded secrets directly into your Server Functions — even temporarily, even "just for testing" — those secrets could be leaked.

Note: Secrets loaded from environment variables (process.env.API_KEY) were not exposed. Only string literals inside the source file.
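Two things worth having in your toolbox for this: a check that flags secret-looking string literals inside 'use server' modules, and the process.env pattern that replaces the hardcoded key above. The code below is an added example, not from the original post; its heuristic (a literal of 8+ characters assigned to a name containing KEY, SECRET, TOKEN or PASSWORD) and the sample module are constructed for illustration.

```javascript
// Assumption: a hardcoded secret is a string literal of 8+ characters assigned
// to an identifier whose name contains KEY, SECRET, TOKEN or PASSWORD.
const SECRET_NAME = /KEY|SECRET|TOKEN|PASSWORD/i;
const ASSIGNMENT = /\b(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*(['"`])((?:(?!\2).)*)\2/g;

// A module beginning with the 'use server' directive exposes its exports as
// Server Functions; only its own source was at risk under CVE-2025-55183.
function isServerModule(source) {
  return /^\s*(['"])use server\1/.test(source);
}

// Return { name, line } for each secret-looking literal in a Server Function module.
function findHardcodedSecrets(source) {
  if (!isServerModule(source)) return [];
  const findings = [];
  for (const m of source.matchAll(ASSIGNMENT)) {
    const [, name, , value] = m;
    if (SECRET_NAME.test(name) && value.length >= 8) {
      const line = source.slice(0, m.index).split('\n').length;
      findings.push({ name, line });
    }
  }
  return findings;
}

// Hardened replacement for the hardcoded INTERNAL_API_KEY above: the value is
// read from the environment at call time, so the source file holds no secret,
// and a missing variable fails loudly instead of sending "Bearer undefined".
function internalApiKey(env = process.env) {
  const key = env.INTERNAL_API_KEY;
  if (!key) throw new Error('INTERNAL_API_KEY is not set');
  return key;
}

// Constructed sample: the vulnerable module from the post.
const SAMPLE_MODULE = `'use server'

// This string literal could be exposed
const INTERNAL_API_KEY = 'sk-prod-abc123xyz'

export async function fetchReport() {}
`;

const SAMPLE_FINDINGS = findHardcodedSecrets(SAMPLE_MODULE); // [{ name: 'INTERNAL_API_KEY', line: 4 }]
```

Run findHardcodedSecrets over each file that starts with 'use server' in a pre-commit hook; a non-empty result means a literal that CVE-2025-55183 could have returned to a caller.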


The patch that wasn't a patch

Here's where it gets worse.

React and Next.js released a fix quickly. Many developers updated and moved on. But the initial fix was incomplete.

A denial-of-service variant, CVE-2025-55184, was found in the patched versions. Then another incomplete fix led to CVE-2025-67779. Developers who updated once were still vulnerable and didn't know it.

The sequence of required updates:

Version line     Safe version
React 19.0.x     19.0.3+
React 19.1.x     19.1.4+
React 19.2.x     19.2.3+
Next.js 14.x     14.2.35+
Next.js 15.x     15.2.4+

If you updated once in December and didn't check again, there's a good chance you were still exposed.


Who was affected

  • Any app using Next.js App Router with Server Functions or Server Actions
  • React 19 apps using React Server Components with any RSC-compatible framework
  • Apps deployed on default configurations — no custom setup needed to be vulnerable

Who was not affected:

  • Next.js Pages Router apps
  • Apps with no server-side React code
  • Apps that don't use React Server Components

If you built something in the last two years using the App Router and Server Actions — and most AI-assisted Next.js apps do — you were in the affected group.


What this means if you ship fast

The move-fast, ship-first workflow is real and it's useful. AI assistants scaffold apps quickly, Next.js handles a lot of complexity for you, and you can go from idea to production in a weekend.

But that speed creates a specific blind spot: you trust the framework to handle security, and the framework had a CVSS 10 vulnerability in its default configuration.

You didn't do anything wrong. You followed the docs. You used the recommended patterns. And millions of apps were still exposed.

The answer isn't to stop shipping fast. It's to add a layer that catches what you can't see.


How to check your current status

Run this in your project:

npm list next react-server-dom-webpack

Compare the output against the safe versions in the table above. If you're behind, update:

npm install next@latest

Then verify again.
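Comparing by eye is where people slipped up during the December round of patches, so here is the comparison as code. This is an added example, not from the original post: it encodes the safe-version table above and checks the JSON form of the npm list output against it. It assumes (labelled in the code) that react-server-dom-webpack carries the same version numbers as react.

```javascript
// Minimum safe versions exactly as the table above gives them. React lines are
// keyed by major.minor, Next.js lines by major. Assumption: react-server-dom-webpack
// is versioned in lockstep with react, so it is checked against the React table.
const SAFE_VERSIONS = {
  react: { '19.0': '19.0.3', '19.1': '19.1.4', '19.2': '19.2.3' },
  next: { '14': '14.2.35', '15': '15.2.4' },
};
SAFE_VERSIONS['react-server-dom-webpack'] = SAFE_VERSIONS.react;

// Parse "1.2.3" or "v1.2.3" into [major, minor, patch]; prerelease suffixes are ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`cannot parse version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Look up the safe floor for the installed version's line, or undefined if the
// table says nothing about that line (report it rather than guess).
function safeVersionFor(pkg, installed) {
  const [major, minor] = parseSemver(installed);
  const table = SAFE_VERSIONS[pkg];
  if (!table) return undefined;
  return table[`${major}.${minor}`] ?? table[String(major)];
}

function checkPackage(pkg, installed) {
  const safe = safeVersionFor(pkg, installed);
  if (!safe) return { pkg, installed, status: 'unknown-line' };
  const status = compareSemver(installed, safe) >= 0 ? 'ok' : 'vulnerable';
  return { pkg, installed, safe, status };
}

// Feed it the output of `npm list next react react-server-dom-webpack --json`.
function checkNpmListJson(json) {
  const deps = JSON.parse(json).dependencies || {};
  return Object.keys(SAFE_VERSIONS).filter((p) => deps[p]).map((p) => checkPackage(p, deps[p].version));
}

// Constructed sample of npm's JSON output: Next.js below the floor, React at it.
const SAMPLE_NPM_LIST = JSON.stringify({
  dependencies: { next: { version: '15.1.2' }, react: { version: '19.2.3' } },
});
```

Any result with status 'vulnerable' or 'unknown-line' deserves a second look; an unknown line means the table above does not cover it, not that it is safe.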

If you want a deeper scan — one that checks your repos for exposed secrets, vulnerable patterns, and known CVEs without manual digging — that's exactly what Data Hogo does. Free scan, no card needed.


TL;DR

  • React2Shell (CVE-2025-55182) let attackers run arbitrary code on your server with a single HTTP request. CVSS 10.
  • A follow-up flaw (CVE-2025-55183) let attackers read your Server Function source code, including hardcoded secrets.
  • The first patch was incomplete. Many devs who updated are still vulnerable.
  • If you use Next.js App Router with Server Actions, check your version now.
  • Secrets in process.env are safe. Hardcoded string literals in Server Functions are not.