Critical vulnerability in React Server Components

This is an urgent security advisory regarding a critical security vulnerability related to React Server Components. 

Summary of Critical Vulnerability

  • Vulnerability Name: React2Shell (CVE-2025-55182)
  • Severity: Critical (CVSS 10.0)
  • Type: Remote Code Execution (RCE) vulnerability due to insecure deserialization in the React Server Components (RSC) flight protocol used to communicate between server and client. 
  • Status: Actively exploited in the wild and added to the Known Exploited Vulnerabilities (KEV) catalog maintained by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
  • Affected Frameworks and Bundles: React Server Components and downstream frameworks, including Next.js, React Router, Waku, Parcel, Vite, and RedwoodSDK.

For complete details, refer to the full advisory from the React Team (reference 1 below).

Recommendations for urgent action

All services utilizing React Server Components (RSC) and dependent frameworks must immediately apply the recommended patches to prevent unauthenticated Remote Code Execution (RCE). This critical vulnerability allows remote attackers to execute arbitrary commands. 

The React server libraries need to be updated to one of the patched versions for their release line: 19.0.1, 19.1.2 or 19.2.1.

Note that due to downstream dependencies, it is critical to refer to the official vendor’s advisory and the affected framework’s documentation to confirm the required versions and updates.
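The following script is an added example, not part of this advisory or the React project's own tooling. It walks a package-lock.json (lockfile v2/v3 "packages" map, including nested copies under a dependency's own node_modules) and flags React server packages that sit below the patched version for their release line, using the fixed versions named above (19.0.1, 19.1.2, 19.2.1). The package names it checks are an assumption taken from the upstream advisory, not from this page, and the sample lockfile is constructed for illustration.

```javascript
// Added example: audit a package-lock.json for React server packages below
// the patched versions named in the advisory. Package names are assumed from
// the upstream React advisory; adjust RSC_PACKAGES if your framework bundles others.
const RSC_PACKAGES = [
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
];

// Minimum patched version per affected minor line (from the advisory text).
const PATCHED = {
  '19.0': [19, 0, 1],
  '19.1': [19, 1, 2],
  '19.2': [19, 2, 1],
};

// Parse "19.1.2" (or "19.1.2-canary-xyz") into numeric [major, minor, patch].
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of two [major, minor, patch] triples.
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// true  -> at or above the fix for its minor line
// false -> below the fix for its minor line (unpatched)
// null  -> not one of the release lines this advisory names (check vendor docs)
function isPatched(version) {
  const v = parseVersion(version);
  const fix = PATCHED[`${v[0]}.${v[1]}`];
  if (!fix) return null;
  return compare(v, fix) >= 0;
}

// Scan the lockfile "packages" map; keys look like "node_modules/<name>" and
// may be nested ("node_modules/a/node_modules/<name>"), so take the last segment.
function findVulnerable(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!RSC_PACKAGES.includes(name) || !entry.version) continue;
    if (isPatched(entry.version) === false) {
      findings.push({ path, version: entry.version });
    }
  }
  return findings;
}

// Constructed sample lockfile (not from any real project): one package already
// patched, one top-level copy and one nested copy still on vulnerable versions.
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app' },
    'node_modules/react': { version: '19.1.1' },
    'node_modules/react-server-dom-webpack': { version: '19.1.1' },
    'node_modules/react-server-dom-turbopack': { version: '19.2.1' },
    'node_modules/some-lib/node_modules/react-server-dom-webpack': { version: '19.0.0' },
  },
};

// Human-readable summary for the operator running the audit.
function report(lock) {
  const bad = findVulnerable(lock);
  if (bad.length === 0) return 'no unpatched React server packages found';
  return bad.map((f) => `UNPATCHED ${f.path}@${f.version}`).join('\n');
}

console.log(report(SAMPLE_LOCK));
```

Nested copies matter: a dependency can pin its own older react-server-dom-* build under its private node_modules, which a top-level version check would miss. Because the patch level differs per minor line, the check compares each installed version only against the fix for its own line rather than against a single lowest-safe version.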

References:

  1. https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
  2. https://thehackernews.com/2025/12/critical-react2shell-flaw-added-to-cisa.html?m=1