
Published on December 10, 2025
CVE-2025-55182, "React2Shell", CVSS 10.0: unauthenticated remote code execution on Next.js servers and on any other framework built on React 19 Server Components. Actively exploited in the wild.

Why this one is serious

If you run React 19 with Server Components (which includes most recent Next.js apps in App Router mode), your server runs the Flight deserialiser on request bodies that clients control. Flight is the wire protocol that serialises Server Components and Server Function calls between Node.js and the browser, and the bug lives in the server-side parsing of those payloads. By crafting a malicious Flight request, an unauthenticated attacker can:
  1. Manipulate internal objects used for module resolution,
  2. Redirect Flight's deserialisation callbacks to sensitive Node.js primitives,
  3. End up executing shell commands on the host.

What it gets you, as an attacker

Once RCE is achieved, the playbook is the usual one:
  • Theft of environment variables and server-side secrets,
  • Lateral movement to internal services reachable from the pod or VM,
  • Persistence via cron, a daemon, or a backdoor injected into the bundle,
  • Cryptominer or C2 deployment on the cloud infrastructure.
Several state-affiliated threat groups have been observed exploiting the flaw.

Versions to upgrade

React Server Components

The packages react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack are affected in versions 19.0.0 through 19.2.0. Move each to the patched release of its own branch:
  • 19.0.x → 19.0.1
  • 19.1.x → 19.1.2
  • 19.2.x → 19.2.1

Next.js (App Router)

Upgrade to the patched version of the branch you are currently on:

Next.js branch    Patched version
15.0              15.0.5
15.1              15.1.9
15.2              15.2.6
15.3              15.3.6
15.4              15.4.8
15.5              15.5.7
16.0              16.0.7

After upgrading, rebuild and redeploy every affected service: Next.js compiles the React Server Components runtime into its build output, so a plain pnpm install without a fresh next build leaves the vulnerable code in the deployed bundle.

Immediate response

  1. Inventory: list every React 19 / Next.js App Router workload in your infrastructure (production, staging, PR previews…).
  2. Patch: apply the patched versions everywhere, then rebuild and redeploy.
  3. Contain: restrict public access to services that cannot be patched immediately.
  4. Investigate: audit logs for unexpected process execution by the Node.js service, rotate every secret the process could read (API keys, session tokens, environment variables), and increase monitoring on unpatched hosts until the migration is complete.

Check your versions

# Installed versions
pnpm list react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack next

# On a Next.js workspace
npx next --version

Note that a Next.js app ships its own copy of the react-server-dom-* runtime inside the next package, so the packages may not appear in the first listing at all; for Next.js the version of next is what decides whether you are patched.
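The inventory step above and the version commands in this section, as an added example that is not OnetSolutions' or the React/Next.js projects' code: a POSIX shell script that walks one or more checkout or deployment directories, reads the version of every installed copy of next and react-server-dom-*, and flags each copy that is below the patched release of its branch. It assumes only the version table in this advisory and standard find/sed/sort; the node_modules tree it scans when run without arguments is a constructed sample, not a real deployment.

```shell
#!/bin/sh
# Added example, not OnetSolutions' or the React/Next.js projects' code.
# Walks directories, finds every installed copy of the affected packages and
# classifies each against the patched versions listed in this advisory.
# Handles both npm-style and pnpm-style (.pnpm store) node_modules layouts.

# Patched release for an affected package on a given major.minor branch.
# Empty output means the branch is outside the affected range.
patched_for() {
  case "$1" in
    react-server-dom-webpack|react-server-dom-parcel|react-server-dom-turbopack)
      case "$2" in
        19.0) echo 19.0.1 ;;
        19.1) echo 19.1.2 ;;
        19.2) echo 19.2.1 ;;
      esac ;;
    next)
      case "$2" in
        15.0) echo 15.0.5 ;;  15.1) echo 15.1.9 ;;  15.2) echo 15.2.6 ;;
        15.3) echo 15.3.6 ;;  15.4) echo 15.4.8 ;;  15.5) echo 15.5.7 ;;
        16.0) echo 16.0.7 ;;
      esac ;;
  esac
}

# version_lt A B: succeeds when A sorts numerically before B on
# major.minor.patch. A pre-release suffix such as 16.0.0-canary.3 is compared
# on its leading digits only (assumption: a canary counts as its base patch).
version_lt() {
  [ "$1" = "$2" ] && return 1
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# classify PKG VERSION -> vulnerable | patched | not-affected
classify() {
  pkg=$1
  ver=$2
  branch=$(printf '%s' "$ver" | cut -d. -f1,2)
  fix=$(patched_for "$pkg" "$branch")
  if [ -z "$fix" ]; then
    echo not-affected
  elif version_lt "$ver" "$fix"; then
    echo vulnerable
  else
    echo patched
  fi
}

# scan_tree ROOT: one tab-separated line per installed copy:
# STATUS PACKAGE VERSION PATH. The version is read from package.json with sed,
# so the audited host needs neither node nor jq.
scan_tree() {
  root=$1
  for pkg in next react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack; do
    find "$root" -type f -path "*/node_modules/$pkg/package.json" 2>/dev/null |
    while read -r manifest; do
      ver=$(sed -n 's/.*"version":[[:space:]]*"\([^"]*\)".*/\1/p' "$manifest" | head -n1)
      printf '%s\t%s\t%s\t%s\n' "$(classify "$pkg" "$ver")" "$pkg" "$ver" "$manifest"
    done
  done
}

# Constructed sample tree (not a real deployment): one vulnerable next, one
# vulnerable react-server-dom-webpack in pnpm's .pnpm store layout, and one
# already-patched react-server-dom-turbopack.
make_demo_tree() {
  d=$(mktemp -d)
  store="$d/node_modules/.pnpm/react-server-dom-webpack@19.2.0/node_modules/react-server-dom-webpack"
  mkdir -p "$d/node_modules/next" "$d/node_modules/react-server-dom-turbopack" "$store"
  printf '{ "name": "next", "version": "15.3.2" }\n' > "$d/node_modules/next/package.json"
  printf '{\n  "name": "react-server-dom-webpack",\n  "version": "19.2.0"\n}\n' > "$store/package.json"
  printf '{ "name": "react-server-dom-turbopack", "version": "19.2.1" }\n' \
    > "$d/node_modules/react-server-dom-turbopack/package.json"
  echo "$d"
}

if [ "$#" -gt 0 ]; then
  for root in "$@"; do scan_tree "$root"; done   # usage: sh scan.sh /srv/app1 /srv/app2
else
  demo=$(make_demo_tree)
  scan_tree "$demo"
  rm -rf "$demo"
fi
```

Run it against every deploy root on a host (or a directory of cloned repositories after installing dependencies) and grep the first column for vulnerable. Because it matches package.json files under any node_modules depth, it also catches copies that pnpm list would not show as direct dependencies.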

Resources

For technical assistance, open a ticket from your OnetSolutions client area.