cybersecurity | January 10, 2026

React2Shell: The Critical RCE Vulnerability Affecting Next.js Apps

CVE-2025-66478 is a CVSS 10.0 vulnerability in React Server Components that enables remote code execution. Here's what you need to know and how to patch.

A critical vulnerability has been discovered in the React Server Components protocol. It's being called React2Shell and it's as bad as it sounds.

The Bottom Line

  • CVE: CVE-2025-66478 (Next.js), CVE-2025-55182 (React)
  • Severity: CVSS 10.0 (Critical)
  • Impact: Remote Code Execution
  • Action Required: Upgrade immediately

If your Next.js app was online and unpatched as of December 4th, 2025, rotate your secrets.


What Is React2Shell?

The vulnerability exists in the React Server Components (RSC) protocol. Attackers can craft malicious requests that influence server-side execution behavior, leading to remote code execution on unpatched servers.

This isn't theoretical—AWS has reported that China-nexus cyber threat groups are actively exploiting this vulnerability in the wild.


Am I Affected?

You ARE affected if you're running:

  • Next.js 15.x with App Router
  • Next.js 16.x with App Router
  • Next.js 14.3.0-canary.77 or later canary releases

You are NOT affected if you're using:

  • Next.js 13.x
  • Next.js 14.x stable releases
  • Pages Router (any version)
  • Edge Runtime

How to Patch

Option 1: Use the automated tool

npx fix-react2shell-next

This interactive tool checks your version and performs the upgrade automatically.

Option 2: Manual upgrade

Pick the patch for your version:

npm install next@15.0.5   # for 15.0.x
npm install next@15.1.9   # for 15.1.x
npm install next@15.2.6   # for 15.2.x
npm install next@15.3.6   # for 15.3.x
npm install next@15.4.8   # for 15.4.x
npm install next@15.5.7   # for 15.5.x
npm install next@16.0.7   # for 16.0.x

For canary releases:

npm install next@15.6.0-canary.58  # for 15.x canary
npm install next@16.1.0-canary.12  # for 16.x canary

If you're on a 14.x canary, downgrade to stable:

npm install next@14
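As an added example (not code from the post, Vercel or the React team), the function below encodes the version rules from "Am I Affected?" and the patch table from "How to Patch": it parses an installed Next.js version string, decides whether it falls in the affected range, and names the upgrade target from the table. The App Router and Edge Runtime flags are assumptions the caller supplies, because a version number alone cannot tell you which router or runtime an app uses; release lines the post does not list are reported as unknown rather than guessed. The file name in the usage comment is also assumed.

```javascript
// Added example, not code from the post, Vercel or the React team.
// Encodes the affected-version rules and the patch table from the post
// and reports whether an installed Next.js version needs the upgrade.

// Patched version per release line, exactly as listed in the post.
const PATCHED_BY_LINE = {
  "15.0": "15.0.5",
  "15.1": "15.1.9",
  "15.2": "15.2.6",
  "15.3": "15.3.6",
  "15.4": "15.4.8",
  "15.5": "15.5.7",
  "15.6": "15.6.0-canary.58",
  "16.0": "16.0.7",
  "16.1": "16.1.0-canary.12",
};

// Earliest affected 14.x canary, per the post; 14.x stable is not affected.
const FIRST_AFFECTED_14_CANARY = "14.3.0-canary.77";

// Parse "15.2.3", "v15.2.3" or "15.6.0-canary.58". Other prerelease tags are rejected.
function parseNextVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-canary\.(\d+))?$/.exec(String(version).trim());
  if (!m) throw new Error(`unrecognised Next.js version: ${version}`);
  return {
    major: Number(m[1]),
    minor: Number(m[2]),
    patch: Number(m[3]),
    canary: m[4] === undefined ? null : Number(m[4]),
  };
}

// Semver-style comparison: negative if a < b, 0 if equal, positive if a > b.
// A canary sorts before the stable release with the same major.minor.patch.
function compareNextVersions(a, b) {
  const pa = parseNextVersion(a);
  const pb = parseNextVersion(b);
  for (const part of ["major", "minor", "patch"]) {
    if (pa[part] !== pb[part]) return pa[part] - pb[part];
  }
  if (pa.canary === null && pb.canary === null) return 0;
  if (pa.canary === null) return 1;
  if (pb.canary === null) return -1;
  return pa.canary - pb.canary;
}

// appRouter / edgeRuntime are assumptions the caller must supply: the
// version string alone cannot tell you which router or runtime is in use.
function assessNextVersion(version, { appRouter = true, edgeRuntime = false } = {}) {
  const v = parseNextVersion(version);
  const result = (affected, reason, target = null) => ({ version, affected, reason, target });

  if (!appRouter) return result(false, "Pages Router is not affected");
  if (edgeRuntime) return result(false, "Edge Runtime uses a different code path and is not affected");
  if (v.major <= 13) return result(false, "Next.js 13.x (and older) is outside the affected range");

  if (v.major === 14) {
    if (v.canary !== null && compareNextVersions(version, FIRST_AFFECTED_14_CANARY) >= 0) {
      return result(true, `14.x canary at or after ${FIRST_AFFECTED_14_CANARY}; downgrade to stable`, "next@14");
    }
    return result(false, "14.x stable (or a canary before canary.77) is not affected");
  }

  if (v.major === 15 || v.major === 16) {
    const line = `${v.major}.${v.minor}`;
    const fixed = PATCHED_BY_LINE[line];
    if (!fixed) return result("unknown", `release line ${line} is not in the post's patch table; check the advisory`);
    if (compareNextVersions(version, fixed) >= 0) return result(false, `already at or above patched ${fixed}`);
    return result(true, `${version} predates the patched ${fixed}`, `next@${fixed}`);
  }

  return result("unknown", `Next.js ${v.major}.x is not covered by the post`);
}

// Usage: node react2shell-check.js 15.2.3   (file name is assumed)
if (process.argv[2]) {
  console.log(JSON.stringify(assessNextVersion(process.argv[2]), null, 2));
}
```

Feed it the version from `npm ls next` or `node_modules/next/package.json`, not the range in `package.json` (a `^15.2.0` range says nothing about what is actually installed). A "not affected" verdict is only as good as the router and runtime flags you passed in; if the app has any `app/` routes, treat it as App Router.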

After Patching: Rotate Your Secrets

Once you've upgraded and redeployed, rotate all your environment variables. Start with the most critical ones:

  • Database credentials
  • API keys
  • JWT secrets
  • OAuth client secrets
  • Encryption keys

If your app was exposed, assume those secrets were compromised.


Timeline

  • December 3, 2025: React team publishes security advisory
  • December 4, 2025: Patches released for Next.js
  • December 6, 2025: Vercel releases fix-react2shell-next tool
  • Ongoing: Active exploitation reported by AWS, Akamai, and others

What Actually Happened?

The vulnerability is in how RSC deserializes untrusted inputs. Vercel and the React team are intentionally limiting technical details to protect developers who haven't patched yet.

What we know:

  • It's a deserialization vulnerability
  • It allows RCE (Remote Code Execution)
  • It only affects Server Components (App Router)
  • Pages Router and Edge Runtime use different code paths

Resources


Credit

Discovered and responsibly disclosed by Lachlan Davidson.


There is no workaround. Upgrade now.
