Flag{Hack}

Published December 5, 2025 · 4 min read

React2Shell: Understanding the React Server Components vulnerability

React2Shell is the community nickname for a critical React Server Components vulnerability. This overview explains what it affects and where to find React's official upgrade instructions.

What React2Shell is

React2Shell is the community nickname for CVE-2025-55182, a critical unauthenticated remote code execution vulnerability in React Server Components.

According to React's official advisory, the issue is tied to how React decodes payloads sent to Server Function endpoints. Because that decoding happens on the server before any application code runs, an app that supports React Server Components is exposed even if it defines no Server Functions of its own.

Who is affected

React's initial advisory says the original vulnerability affected versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack.

Frameworks and bundlers built on top of those packages can also be affected. React specifically called out Next.js, React Router's unstable RSC APIs, Waku, Parcel RSC, Vite's RSC plugin, and Redwood SDK.

  • Apps without a server are not affected.
  • Apps that do not use React Server Components are not affected.
  • Teams should check the installed versions of the react-server-dom-* packages in the lockfile, including copies nested under a framework, not just the top-level react and react-dom versions.
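One way to act on that last point, as an added example that is not React's code and not from the original post: the script below scans a package-lock.json (lockfileVersion 2 or 3, whose "packages" map is keyed by installed path) for every copy of the three react-server-dom packages, including copies nested under a framework such as node_modules/next/node_modules/..., and compares each against the patched floors this page lists (19.0.4, 19.1.5, 19.2.4). The sample lockfile embedded at the bottom is constructed for the demonstration; its version numbers are not a claim about any real framework release.

```javascript
// Added example (not React's code and not from the original post): audit a
// package-lock.json for the react-server-dom-* packages named in the advisory.
// Lockfile v2/v3 "packages" keys are installed paths, so nested copies such as
// node_modules/next/node_modules/react-server-dom-webpack are found as well.

const RSC_PACKAGES = new Set([
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
]);

// Patched floors per release line, taken from this page (React's
// January 26, 2026 update). Any older version on the same line is flagged.
const FIXED_FLOOR = {
  '19.0': [19, 0, 4],
  '19.1': [19, 1, 5],
  '19.2': [19, 2, 4],
};

// Parse "19.2.4" or "19.3.0-canary-abc123". The prerelease tag is kept
// separately because a prerelease sorts below the release it precedes.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v));
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || '' };
}

function compareNums(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Returns "fixed", "vulnerable", "unknown-line" or "unparseable".
function classify(version) {
  const p = parseVersion(version);
  if (!p) return 'unparseable';
  const floor = FIXED_FLOOR[`${p.nums[0]}.${p.nums[1]}`];
  if (!floor) return 'unknown-line'; // e.g. canary lines: follow framework guidance
  const cmp = compareNums(p.nums, floor);
  if (cmp > 0) return 'fixed';
  if (cmp === 0 && p.pre === '') return 'fixed';
  return 'vulnerable'; // below the floor, or a prerelease of the floor version
}

// One finding per installed copy of an RSC package, in lockfile order.
function auditLockfile(lock) {
  const findings = [];
  const marker = 'node_modules/';
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry, not a dependency
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (!RSC_PACKAGES.has(name)) continue;
    findings.push({ path, name, version: entry.version, status: classify(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile for the demonstration. The versions are made up
// to exercise each branch and say nothing about any real framework release.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { next: '15.0.0', react: '19.2.0' } },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-dom': { version: '19.2.0' },
    'node_modules/next': { version: '15.0.0' },
    'node_modules/next/node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/react-server-dom-parcel': { version: '19.1.5' },
    'node_modules/react-server-dom-turbopack': { version: '19.3.0-canary-abc123' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(13)} ${f.name}@${f.version}  (${f.path})`);
}
```

To run it against a real project, parse the lockfile with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')) and pass the result to auditLockfile. Note that top-level react and react-dom at 19.2.0 say nothing here: the nested react-server-dom-webpack copy is the one the advisory is about, and a canary build on an unlisted line is reported as unknown rather than guessed at, which is exactly the case where the framework's own upgrade instructions should decide.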

How to upgrade to a fixed version

React first published patches on December 3, 2025, then issued follow-up fixes on December 11, 2025 and January 26, 2026 after researchers found additional related issues.

As of React's January 26, 2026 update, the safe backported versions for the affected RSC packages are 19.0.4, 19.1.5, and 19.2.4. If your framework manages those packages for you, use the framework-specific upgrade instructions from the React team instead of guessing a package combination by hand.

Why it matters

React2Shell is a reminder that React Server Components are part of your server attack surface, not just a UI feature. When a security advisory lands, server-side React apps need the same fast patching discipline as any other backend dependency.

The safest workflow is to use the official React advisory as the source of truth, then confirm your framework's patched release line before deploying.