React.js Hit by Maximum-Severity ‘React2Shell’ Vulnerability

Team-CWDBy Team-CWDDecember 5, 2025No Comments3 Mins Read


A critical remote code execution vulnerability in React.js has been identified.

React.js is a JavaScript library for building fast, interactive user interfaces (UIs) using reusable components.

Security researcher Lachlan Davidson disclosed the vulnerability to the Meta team on November 29, 2025.

Officially tracked as CVE-2025-55182, the flaw has been dubbed React2Shell, a not-so-subtle nod to the Log4Shell vulnerability discovered in 2021. It affects the server-side use of React.js and has been assigned the maximum CVSS severity score of 10.0.

Separately, the Next.js team published a security advisory and reported their own CVE, CVE-2025-66478, on December 3. However, the US National Vulnerability Database (NVD) rejected this CVE as a duplicate of CVE-2025-55182.

React and Next.js are used in many modern web applications, and their widespread use is cause for concern.

Successful exploitation of React2Shell could provide an attacker with the ability to run arbitrary code and assume control of the victim server. This could lead to broad compromise of sensitive data. 

“The ubiquity of React and Next.js, along with their ease of exploitation, makes these bugs significant. Exploitation is incredibly simple and can be achieved without authentication”, commented Ari Eitan, director of cloud security research at Tenable.

“A single malicious HTTP request can trigger remote code execution on the server side, which makes the issue extremely harmful,” Eitan added.

Unlike many supply chain threats that affect only rare configurations, this flaw sits in the core deserialization logic of the framework itself and is exploitable in many deployments.

According to researchers at software supply chain security firm JFrog, exploitation success rate is reported to be nearly 100% in default configurations.

React servers that use React Server Function endpoints are known to be vulnerable.

Next.js applications are also vulnerable in their default configuration.

Exploitation of React2Shell Likely

At the time of writing, it is unknown whether active exploitation has occurred; however, there have been some reports of observed exploitation activity as of December 5, 2025.

This situation is likely to evolve now that the vulnerabilities have been publicly disclosed.

Also on December 5, at around 10am GMT, OX Security warned that the flaw is now actively exploitable.

In a LinkedIn post, the cybersecurity firm said, “Hacker maple3142 published a working PoC, and our team successfully verified it. This isn’t theoretical anymore. It results in unauthenticated remote code execution on vulnerable React and Next.js servers.”

JFrog said it has identified fake proof-of-concepts (PoC) on GitHub.

These types of projects are known to contain malicious code. Security teams must verify sources before testing, JFrog warned.

Immediate Remediation Recommendations

To resolve CVE-2025-55182 and CVE-2025-66478, security teams are urged to upgrade any vulnerable packages to the fixed versions listed below.

The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:

React said a fix was introduced in versions 19.0.1, 19.1.2, and 19.2.1. If any of the above packages are in use, they should be upgraded to the corresponding fixed version immediately.

For Next.js apps, in cases where the App Router functionality is not heavily used, the web application may be migrated back to using the Pages Router by following the Next.js App Router migration guide.
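As an added example (not code from the article, React or Next.js), the following Node script walks a lockfile's `packages` map, so that transitive copies nested under other dependencies are caught too, and flags any affected package pinned to one of the versions named above, suggesting the fixed release in the same minor line. The article does not reproduce the affected package names, so `AFFECTED_PACKAGES` is an assumption to be filled from the React advisory, and the lockfile below is constructed.

```javascript
// Added example: scan a package-lock.json (lockfile v2/v3 "packages" map) for
// affected React 19 packages on the versions the article lists as vulnerable.
// The affected package names are not reproduced in the article, so this set is
// an assumption; populate it from the React advisory for CVE-2025-55182.
const AFFECTED_PACKAGES = new Set(["react-server-dom-webpack"]); // assumption

// Vulnerable versions named in the article ("19.0" is read as 19.0.0).
const VULNERABLE = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
// Fixed release per minor line, as listed in the article.
const FIXED_BY_MINOR = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };

// Lockfile keys look like "node_modules/a" or "node_modules/a/node_modules/b";
// the package name (scoped names included) follows the last "node_modules/".
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Returns one finding per installed copy of an affected package on a
// vulnerable version, including copies nested under other dependencies.
function findVulnerable(lockfile, affected = AFFECTED_PACKAGES) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const name = packageNameFromPath(path);
    if (!name || !affected.has(name) || !entry.version) continue;
    if (VULNERABLE.has(entry.version)) {
      const minor = entry.version.split(".").slice(0, 2).join(".");
      findings.push({ path, name, version: entry.version, upgradeTo: FIXED_BY_MINOR[minor] });
    }
  }
  return findings;
}

// Constructed sample lockfile: the direct dependency is already on a fixed
// version, but a transitive copy under "some-ui-kit" is still vulnerable.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/some-ui-kit": { version: "2.0.0" },
    "node_modules/some-ui-kit/node_modules/react-server-dom-webpack": { version: "19.1.1" },
  },
};

for (const f of findVulnerable(SAMPLE_LOCK)) {
  console.log(`${f.path}: ${f.name}@${f.version} is vulnerable; upgrade to ${f.upgradeTo}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`.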
