Notes on addressing the Next.js/React 'React2Shell' vulnerability
In December 2025, a CVSS 10.0 (maximum severity) vulnerability was disclosed in React Server Components (RSC) and Next.js, commonly referred to as “React2Shell.” Real-world exploitation has been observed since December 4, and Japan’s IPA has issued an emergency advisory.
⚠️ Urgency: On December 5, the U.S. CISA added it to the KEV catalog and set a remediation due date of December 12. The unusually short one-week window underscores the seriousness. On December 9, checking for indicators of compromise (IOCs) was also recommended.
Update on December 11: Additional vulnerabilities were disclosed—a DoS issue (CVE-2025-55184 / CVE-2025-67779) and source code exposure (CVE-2025-55183). Because the initial fix was incomplete, even if you already updated to 19.0.1 / 19.1.2 / 19.2.1, you still need to update again.
What Happens
If an attacker sends a crafted HTTP request, arbitrary code can execute on the server (Remote Code Execution = RCE).
```text
Attacker → crafted POST request → Next.js server
        ↓
RSC deserializes data
        ↓
Malicious code executes
        ↓
Server takeover completes
```
What Attackers Can Do
- Execute shell commands on the server
- Steal environment variables (API keys, DB passwords, etc.)
- Read and write files
- Install backdoors
- Pivot to other systems
Why It’s Dangerous
- No authentication needed: an unauthenticated request is enough; the attack does not depend on any login feature.
- Vulnerable by default: Even without misconfiguration, you’re exposed.
- Active exploitation: Abuse by China-linked threat actors has been confirmed since December 4.
Affected Conditions
| Condition | Impact |
|---|---|
| Next.js 15.x / 16.x + App Router | ⚠️ Vulnerable |
| Next.js 14.3.0-canary.77 and later canaries | ⚠️ Vulnerable |
| react-server-dom-* 19.x | ⚠️ Vulnerable |
| Next.js 14.x stable | ✅ Safe |
| Next.js 13.x and earlier | ✅ Safe |
| Using only Pages Router | ✅ Safe |
| Edge Runtime | ✅ Safe |
How to Check
Method 1: Check package.json
```bash
# Check Next.js version
cat package.json | grep next
# Check react-server-dom-* versions
cat package.json | grep react-server-dom
```
Method 2: Auto-check with the scanner tool
```bash
# Dry run to see if you’re affected (no file changes)
npx fix-react2shell-next --dry-run
```
Mitigation Steps
1. Apply patches
Next.js
| Current version | Update to |
|---|---|
| 15.0.0 – 15.0.4 | 15.0.5 |
| 15.1.0 – 15.1.8 | 15.1.9 |
| 15.2.0 – 15.2.5 | 15.2.6 |
| 15.3.0 – 15.3.5 | 15.3.6 |
| 15.4.0 – 15.4.7 | 15.4.8 |
| 15.5.0 – 15.5.6 | 15.5.7 |
| 16.0.0 – 16.0.6 | 16.0.7 |
| 15.x canary | 15.6.0-canary.58 |
| 16.x canary | 16.1.0-canary.12 |
| 14.3.0-canary.77 or later | Downgrade to 14.3.0-canary.76 or upgrade to 15.0.5+ |
react-server-dom-*
| Current version | Update to |
|---|---|
| 19.0.0 – 19.0.2 | 19.0.3 |
| 19.1.0 – 19.1.3 | 19.1.4 |
| 19.2.0 – 19.2.2 | 19.2.3 |
⚠️ Note: 19.0.1 / 19.1.2 / 19.2.1 were the initial RCE fixes, but the DoS vulnerability (CVE-2025-55184) disclosed on December 11 was not fully fixed. 19.0.2 / 19.1.3 / 19.2.2 are also vulnerable. Be sure to update to the latest.
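To turn the two "How to Check" commands and the patch tables above into a repeatable check, here is an added example (not part of the original notes and not the scanner tool's code): a self-contained Node script that reads a package.json, parses the declared spec for `next` and every `react-server-dom-*` package, and reports whether that version line is below the fixed release. The fixed versions are copied from the tables above; the package.json content is a constructed sample, and `DB`-style assumptions are noted in comments.

```javascript
// Added example, not part of the original notes: applies the version tables
// above to a package.json and reports which packages still need updating.

// Constructed sample input; a real run would use fs.readFileSync("package.json", "utf8").
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-app",
  dependencies: {
    next: "^15.4.3",
    react: "19.1.1",
    "react-server-dom-webpack": "19.1.2",
    "react-server-dom-turbopack": "19.2.3",
  },
});

// First safe release per affected minor line, from the "Apply patches" tables.
const NEXT_FIXED = {
  "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
  "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7",
};
const RSD_FIXED = { "19.0": "19.0.3", "19.1": "19.1.4", "19.2": "19.2.3" };

// Parse "15.4.3", "^15.4.3", "~19.1.2" or "14.3.0-canary.80" into parts.
// Only the lower bound of a caret/tilde range is visible here; the version that
// actually ships is the one in the lockfile, so confirm with `npm ls next`.
function parseVersion(spec) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(spec.trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

function compareVersion(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] - b[k];
  }
  return 0;
}

// Classify one dependency against the fixed-version table for its package.
function assess(name, spec, table) {
  const v = parseVersion(spec);
  if (!v) return { name, spec, status: "unknown", note: "unparseable spec; check the lockfile" };
  if (v.pre) {
    // The only canary line with an explicit row is Next.js 14.3.0-canary.77+.
    const canary = /^canary\.(\d+)$/.exec(v.pre);
    if (name === "next" && v.major === 14 && v.minor === 3 && v.patch === 0 && canary) {
      return +canary[1] >= 77
        ? { name, spec, status: "vulnerable", fix: "15.0.5 (or downgrade to 14.3.0-canary.76)" }
        : { name, spec, status: "not-affected" };
    }
    return { name, spec, status: "unknown", note: "prerelease; use the canary rows in the table" };
  }
  // Next.js 14.x stable and earlier are listed as safe.
  if (name === "next" && v.major <= 14) return { name, spec, status: "not-affected" };
  const line = `${v.major}.${v.minor}`;
  const fixed = table[line];
  if (!fixed) return { name, spec, status: "unknown", note: `${line}.x is not in the table` };
  return compareVersion(v, parseVersion(fixed)) < 0
    ? { name, spec, status: "vulnerable", fix: fixed }
    : { name, spec, status: "fixed" };
}

// Scan dependencies and devDependencies for the packages the advisory covers.
function checkPackageJson(text) {
  const pkg = JSON.parse(text);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const results = [];
  for (const [name, spec] of Object.entries(deps)) {
    if (name === "next") results.push(assess(name, spec, NEXT_FIXED));
    else if (name.startsWith("react-server-dom-")) results.push(assess(name, spec, RSD_FIXED));
  }
  return results;
}

for (const r of checkPackageJson(SAMPLE_PACKAGE_JSON)) {
  const fix = r.fix ? ` -> update to ${r.fix}` : "";
  const note = r.note ? ` (${r.note})` : "";
  console.log(`${r.name}@${r.spec}: ${r.status}${fix}${note}`);
}
```

The script only sees what package.json declares. With a caret range such as `^15.4.3` the installed build may already be newer, so treat a "vulnerable" result as "check the lockfile", and treat a "fixed" result as final only after the lockfile and the deployed build agree.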
2. Use the auto-fix tool
```bash
# Interactive mode (review and fix step by step)
npx fix-react2shell-next
# Fully automatic (for CI/CD)
npx fix-react2shell-next --fix
```
This tool supports monorepos and recursively scans all package.json files in your project to apply fixes.
3. Deploy
Deploy promptly after applying patches.
4. Rotate secrets
Applications that were online at 13:00 PT on December 4, 2025 (06:00 JST on December 5) or later may already have been attacked.
It is strongly recommended to rotate the following secrets:
- Database connection credentials
- API keys
- JWT secrets
- Credentials for external services
- Any other secrets managed via environment variables
December 11 Additions: DoS and Source Code Exposure
During validation of the React2Shell fixes, two additional issues were found and disclosed on December 11.
DoS (Denial of Service) - High
| Item | Details |
|---|---|
| CVE | CVE-2025-55184, CVE-2025-67779 |
| CVSS | 7.5 (High) |
| Summary | A malicious HTTP request triggers an infinite loop during deserialization, causing the server to hang |
Even if you haven’t implemented any Server Function endpoints, you are vulnerable as long as your application supports RSC.
Important: Because the initial fix for CVE-2025-55184 was incomplete, versions 19.0.2 / 19.1.3 / 19.2.2 are still vulnerable. CVE-2025-67779 is an additional DoS found internally.
Source Code Exposure - Medium
| Item | Details |
|---|---|
| CVE | CVE-2025-55183 |
| CVSS | 5.3 (Medium) |
| Summary | Server Function source code may be leaked |
If a Server Function serializes and uses its arguments as strings, its source code may be returned to the attacker.
```javascript
// Vulnerable example: secrets hard-coded in source
'use server';
export async function serverFunction(name) {
  const conn = db.createConnection('SECRET KEY'); // will leak
  return { message: `Hello, ${name}!` };
}
```
However, runtime environment variables like process.env.SECRET are protected. Only secrets directly embedded in source code are at risk of leaking.
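The hardened counterpart of the vulnerable snippet above, as an added example that is not code from the original notes: the credential is read from the runtime environment and validated once, so a leaked source file contains nothing useful. The variable name `DB_SECRET` and the `db.createConnection` stand-in are assumptions; a real Next.js module would `export` the function, which is omitted here so the file also runs under plain Node.

```javascript
// Added example, not part of the original notes: the Server Function with the
// secret moved out of the source into the runtime environment.
'use server';

// Constructed stand-in for the database client used in the vulnerable snippet.
const db = {
  createConnection(secret) {
    return { query: async (sql) => `ran "${sql}" with a ${secret.length}-char secret` };
  },
};

// Read the secret from the environment at runtime (DB_SECRET is an assumed name).
// Fail fast if it is absent instead of falling back to a literal default, because
// a default written into the module would be exactly what source exposure leaks.
function getDbSecret(env = process.env) {
  const secret = env.DB_SECRET;
  if (typeof secret !== "string" || secret.length === 0) {
    throw new Error("DB_SECRET is not set; refusing to run with a missing credential");
  }
  return secret;
}

// In a Next.js app this would be `export async function serverFunction(name)`.
async function serverFunction(name, env = process.env) {
  const conn = db.createConnection(getDbSecret(env)); // no literal here to leak
  await conn.query("SELECT 1");
  return { message: `Hello, ${name}!` };
}

// Stand-alone demonstration with a constructed environment.
serverFunction("Ada", { DB_SECRET: "constructed-example-secret" })
  .then((r) => console.log(r.message));
```

The check in `getDbSecret` is deliberately strict: an empty string is treated the same as a missing variable, so a misconfigured deployment fails at the first call rather than silently connecting with a blank credential.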
Fixed Versions
| Package | Vulnerable | Safe |
|---|---|---|
| react-server-dom-webpack | 19.0.0 – 19.0.2, 19.1.0 – 19.1.3, 19.2.0 – 19.2.2 | 19.0.3, 19.1.4, 19.2.3 |
| react-server-dom-parcel | Same as above | Same as above |
| react-server-dom-turbopack | Same as above | Same as above |
CVE List
A quick list of the CVEs involved in this incident:
| CVE | Target | Severity | Description |
|---|---|---|---|
| CVE-2025-55182 | React | Critical (10.0) | Unsafe deserialization in RSC (RCE) |
| CVE-2025-66478 | Next.js | Critical (10.0) | Next.js-specific issue related to the above |
| CVE-2025-55184 | React | High (7.5) | DoS (initial fix incomplete) |
| CVE-2025-67779 | React | High (7.5) | DoS (additional finding) |
| CVE-2025-55183 | React | Medium (5.3) | Source code exposure |
For formal reports at work, it’s a good idea to list all CVEs you addressed.
We’ll handle this soon…
→Addressed.
About CISA’s KEV Catalog Addition
On December 5, 2025, CISA added CVE-2025-55182 to the Known Exploited Vulnerabilities (KEV) catalog.
- Reason: Exploitation observed in the wild
- Target: Meta React Server Components
- Due date: December 12, 2025 (for U.S. federal agencies under BOD 22-01)
- Update on December 9: For internet-exposed React instances, CISA recommends checking for indicators of compromise even after applying mitigations
CISA notes that while BOD 22-01 applies to federal agencies, all organizations are strongly encouraged to prioritize remediating KEV-listed vulnerabilities.
Impact on Dify
The low-code development platform “Dify” also used React 19.x and was affected by this issue.
- Vulnerable: Dify 1.10.1 and earlier (docker-web-1 uses React 19.1.1)
- Safe: Dify 1.11.1 and later (updated to React 19.2.3)
If you self-host, check your version and update to 1.11.1 or later.
Reference: Upgrade to Dify 1.11.1 - Qiita