On December 3, 2025, a critical vulnerability in React 19 and Next.js 15 was publicly disclosed. CVE-2025-55182, nicknamed "React2Shell", lets an unauthenticated attacker execute code on your server with a single HTTP request.
CVSS Score: 10.0/10 (the absolute maximum).
Within 48 hours of disclosure, Chinese state-linked groups, cybercriminals, and botnets were exploiting the flaw, and more than 50 organizations worldwide had been compromised. According to the sources listed at the end, about 50% of vulnerable applications still remain unpatched.
It is a Remote Code Execution (RCE) vulnerability in React Server Components: a single crafted request to a Server Components endpoint is enough for the attacker to run code as the server process and take complete control of the host.
Vulnerable versions: React 19.0.0 through 19.2.0 (react and react-dom) and Next.js 15 below 15.0.5.
The worst part? A Next.js application scaffolded with create-next-app on one of these versions is vulnerable by default, with no extra configuration required.
An attacker can:
Actors observed exploiting it include:
Chinese state-linked groups: Earth Lamia, Jackpot Panda
North Korean actors: Contagious Interview
Cybercriminals: botnets, cryptojackers, ransomware operators
More than 15 distinct intrusion clusters have been identified. The exploit is public and being used at scale.
```bash
# React
npm install react@19.0.1 react-dom@19.0.1

# Next.js
npm install next@15.0.5
```

Then rebuild and redeploy your application. Note that 19.0.1 is the fix for the React 19.0 line and 15.0.5 the fix for the Next.js 15.0 line; if you are on a later 19.x or 15.x line, install that line's patched release as named in the React and Next.js advisories rather than downgrading.
```bash
npm list react react-dom next
```

If the output shows react or react-dom at 19.0.0 through 19.2.0 (any release before the patched version of its line) or Next.js 15 below 15.0.5, you are exposed. Add --all to see nested copies pulled in by libraries, not just your direct dependencies.
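The version check above is easy to get wrong by hand: the affected range is not a plain interval (patched releases sit inside it), and a library can pull in its own copy of React that a top-level listing hides. The following script is an added example, not code from the original article or from the React/Next.js projects. It encodes the ranges the article gives for CVE-2025-55182 and walks the nested tree that `npm ls --json --all` prints. The patched versions 19.1.2 and 19.2.1 for the React 19.1 and 19.2 lines, the `'check-advisory'` status for Next.js minor lines the article does not enumerate, and the sample tree are assumptions and constructed data, as marked in the comments.

```javascript
// Added example, not code from the original article or from the React / Next.js
// projects. It classifies installed React / Next.js versions against the ranges
// the article gives for CVE-2025-55182 and walks the nested dependency tree that
// `npm ls --json --all` prints, so a second copy of React pulled in by a
// library is not missed by a top-level `npm list`.
//
// From the article: react / react-dom 19.0.0 through 19.2.0 are affected, 19.0.1
// is the patched release; Next.js 15 below 15.0.5 is affected.
// Assumption (from the React advisory, not stated on the page): the 19.1 and
// 19.2 lines are fixed in 19.1.2 and 19.2.1. Next.js minor lines the article
// does not enumerate (15.1 and later) and newer majors are reported as
// 'check-advisory' instead of being silently passed.

// First patched patch-level of each React 19 minor line: 19.0.1, 19.1.2, 19.2.1.
const REACT19_FIXED_PATCH = { 0: 1, 1: 2, 2: 1 };
// First patched release of the Next.js 15.0 line.
const NEXT_15_0_FIXED_PATCH = 5;

// Parse "MAJOR.MINOR.PATCH[-prerelease]". The pre-release tag is kept only for
// reporting; comparison uses the core triple, so a canary build of an affected
// release counts as affected (the conservative choice).
function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(s || '').trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Returns 'vulnerable', 'patched', 'check-advisory' or 'unaffected'.
function classify(name, versionString) {
  const v = parseVersion(versionString);
  if (!v) return 'unaffected'; // deduped or unversioned node: nothing to compare
  if (name === 'react' || name === 'react-dom') {
    if (v.major !== 19) return 'unaffected'; // React 18 is outside the affected range
    const fixed = REACT19_FIXED_PATCH[v.minor];
    if (fixed === undefined) return 'patched'; // assumption: lines after 19.2 postdate the fix
    return v.patch < fixed ? 'vulnerable' : 'patched';
  }
  if (name === 'next') {
    if (v.major < 15) return 'unaffected'; // Next.js 14 and older are outside the article's range
    if (v.major === 15 && v.minor === 0) {
      return v.patch < NEXT_15_0_FIXED_PATCH ? 'vulnerable' : 'patched';
    }
    return 'check-advisory'; // 15.1+ and newer majors: each has its own fixed release
  }
  return 'unaffected';
}

// Walk the nested `dependencies` objects of `npm ls --json --all` output and
// record every react / react-dom / next node with the path it was reached by.
function scanTree(node, path = [], findings = []) {
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${child.version}`];
    const status = classify(name, child.version);
    if (status !== 'unaffected') {
      findings.push({ name, version: child.version, status, path: here.join(' > ') });
    }
    scanTree(child, here, findings);
  }
  return findings;
}

// Roll findings up into counts and an exit code usable from CI:
// 1 if anything is vulnerable, 2 if something needs a manual advisory check, else 0.
function summarize(findings) {
  const counts = { vulnerable: 0, patched: 0, 'check-advisory': 0 };
  for (const f of findings) counts[f.status] += 1;
  const exitCode = counts.vulnerable > 0 ? 1 : counts['check-advisory'] > 0 ? 2 : 0;
  return { ...counts, exitCode };
}

// Constructed sample in the shape of `npm ls --json --all`: the app itself is on
// patched React, but a UI library still nests an affected copy, and Next.js is old.
const SAMPLE_TREE = {
  name: 'my-app',
  version: '0.1.0',
  dependencies: {
    next: { version: '15.0.3' },
    react: { version: '19.0.1' },
    'react-dom': { version: '19.0.1' },
    'ui-kit': { version: '2.3.1', dependencies: { react: { version: '19.0.0' } } },
    lodash: { version: '4.17.21' },
  },
};

const SAMPLE_FINDINGS = scanTree(SAMPLE_TREE);
for (const f of SAMPLE_FINDINGS) console.log(`${f.status.padEnd(14)} ${f.path}`);
console.log(summarize(SAMPLE_FINDINGS));
```

To run it against a real project, save `npm ls --json --all > tree.json`, replace `SAMPLE_TREE` with the parsed file, and set the process exit code from `summarize(...).exitCode` so a CI job fails on any vulnerable copy. The nested `ui-kit > react@19.0.0` finding is the case a plain `npm list react` of the top level would not surface, and `'check-advisory'` is deliberately not treated as safe: the script only knows the version numbers the article states.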
What to look for in your logs:
CVE-2025-55182 is an absolute emergency. With a CVSS score of 10.0, mass exploitation underway, and about 50% of affected applications still vulnerable, this is one of the most serious security crises the modern web ecosystem has seen.
If you're using React 19 or Next.js 15, patch NOW. Not tomorrow, not next week. Now.
Attackers won't wait for you.
Main sources: Wiz Security, Unit 42 (Palo Alto Networks), AWS Security, React Blog