Critical Security Alert: CVE-2025-66478 (React2Shell) Affects Next.js Applications

Update December 6, 2025: A critical remote code execution vulnerability has been discovered in Next.js applications using the App Router. With a CVSS score of 10.0 (the highest possible severity), this vulnerability requires immediate attention from all Next.js developers running versions 15.x or 16.x.

Executive Summary

CVE-2025-66478, dubbed "React2Shell," is a critical vulnerability in the React Server Components (RSC) protocol that allows remote code execution when processing attacker-controlled requests. The issue originates from an upstream React vulnerability (CVE-2025-55182) and affects all Next.js applications using the App Router in versions 15.x and 16.x.

Key Facts:

• CVSS Score: 10.0 (Critical)
• Attack Vector: Network-based exploitation via crafted requests
• Affected Versions: Next.js 15.x and 16.x (all releases)
• Impact: Remote Code Execution (RCE)
• Workaround: None - immediate upgrade required
• Discovery Credit: Lachlan Davidson

Understanding the Vulnerability

What is React2Shell?

React2Shell exploits a weakness in how Next.js processes React Server Components (RSC) requests. When an attacker sends specially crafted requests to a vulnerable Next.js application, they can influence server-side execution behavior and trigger unintended code execution paths.

The vulnerability exists at the intersection of Next.js's App Router and React's Server Components protocol, making it particularly dangerous for modern Next.js applications that have adopted these newer features.

Attack Vector

The attack is network-based and requires no authentication or user interaction:

1. Attacker crafts malicious request targeting the RSC protocol endpoint
2. Vulnerable Next.js application processes request without proper validation
3. Server-side code execution occurs with the privileges of the Node.js process
4. Attacker gains control over the application server

This makes React2Shell an especially critical vulnerability - it can be exploited remotely over the internet with minimal effort from attackers.

Affected Versions

🚨 Vulnerable Versions

The following Next.js versions are vulnerable and should be upgraded immediately:

• Next.js 15.0.x through 15.0.4
• Next.js 15.1.x through 15.1.8
• Next.js 15.2.x through 15.2.5
• Next.js 15.3.x through 15.3.5
• Next.js 15.4.x through 15.4.7
• Next.js 15.5.x through 15.5.6
• Next.js 16.0.x through 16.0.6
• Next.js 14.3.0-canary.77 and later canary releases

✅ Not Affected

The following versions and configurations are not vulnerable:

• Next.js 13.x (all versions)
• Next.js 14.x stable releases (14.0.0 through 14.2.x)
• Applications using only the Pages Router (not App Router)
• Applications running exclusively on Edge Runtime

Patched Versions

Vercel has released patches across all affected version lines. Upgrade to the following versions:

Version Line	Patched Version	Upgrade Command
15.0.x	15.0.5	npm install [email protected]
15.1.x	15.1.9	npm install [email protected]
15.2.x	15.2.6	npm install [email protected]
15.3.x	15.3.6	npm install [email protected]
15.4.x	15.4.8	npm install [email protected]
15.5.x	15.5.7	npm install [email protected]
16.0.x	16.0.7	npm install [email protected]
15.x canary	15.6.0-canary.58	npm install [email protected]
16.x canary	16.1.0-canary.12	npm install [email protected]

Special Note for Canary Users

If you're running Next.js 14.3.0-canary.77 or later canary releases, you should either:

1. Upgrade to the latest patched canary version (15.6.0-canary.58 or 16.1.0-canary.12)
2. Recommended: Downgrade to a stable Next.js 14.x release: npm install next@14

Immediate Mitigation Steps

Option 1: Automated Fix Tool (Recommended)

Vercel has released an automated scanning and patching tool. This is the fastest way to check and fix your applications:

npx fix-react2shell-next

This interactive tool will:

• Scan your package.json to detect vulnerable Next.js versions
• Identify the correct patched version for your version line
• Offer to automatically upgrade your dependencies
• Verify the upgrade was successful

Option 2: Manual Upgrade

If you prefer manual control, follow these steps:

1. Check your current Next.js version:

npm list next

2. Upgrade to the patched version for your line:

# For Next.js 15.5.x users
npm install [email protected]

# For Next.js 16.0.x users
npm install [email protected]

# For older 15.x versions, use the table above

3. Update React dependencies (if needed):

npm install react@latest react-dom@latest

4. Test your application:

npm run dev

5. Deploy immediately to production:

# Your deployment command
npm run build
# Deploy to your hosting platform

Option 3: Temporary Mitigation (Not Recommended)

Important: There is no workaround for this vulnerability. The only effective mitigation is upgrading to a patched version.

Do not attempt to:

• Disable the App Router (requires complete application rewrite)
• Add WAF rules (cannot reliably block exploit patterns)
• Restrict network access (defeats the purpose of a web application)

Verification Steps

After upgrading, verify your application is protected:

1. Check Next.js version in package.json:

{
  "dependencies": {
    "next": "15.5.7" // Should be a patched version
  }
}

2. Verify installed version:

npm list next
# Should show the patched version

3. Run the fix tool again to confirm:

npx fix-react2shell-next
# Should report "No vulnerable Next.js version detected"

Why This Matters for Your Business

This vulnerability represents a critical risk to any organization running Next.js applications:

Business Impact

• Data Breach Risk: Attackers can access sensitive data, customer information, and internal systems
• System Compromise: Complete server takeover allows installation of backdoors, ransomware, or crypto miners
• Regulatory Compliance: Failure to patch critical vulnerabilities may violate GDPR, HIPAA, PCI-DSS, and other regulations
• Reputation Damage: Security breaches erode customer trust and can result in lost business
• Legal Liability: Negligent security practices can result in lawsuits and fines

Attack Likelihood

• CVSS 10.0 vulnerabilities are actively targeted within hours of disclosure
• No authentication required makes exploitation trivial
• Automated exploit tools will emerge rapidly
• Public-facing applications are immediately at risk

Technical Deep Dive

Root Cause Analysis

The vulnerability stems from insufficient input validation in the React Server Components protocol implementation. When Next.js processes RSC requests:

1. Request deserialization: The server deserializes incoming RSC protocol data
2. Component resolution: React resolves which server components to render
3. Code execution: Server components execute with full Node.js privileges

The flaw allows attackers to inject malicious payloads during the deserialization phase, causing arbitrary server-side code execution during component resolution.

Why App Router Only?

The Pages Router uses a different rendering model that doesn't rely on the vulnerable RSC protocol. Only applications using the newer App Router (introduced in Next.js 13) are affected because they utilize React Server Components.

Edge Runtime Exception

Applications running on Edge Runtime (Vercel Edge Functions, Cloudflare Workers, etc.) use a different JavaScript runtime with limited Node.js API access, which naturally mitigates this particular vulnerability. However, you should still upgrade as defense-in-depth.

Best Practices Moving Forward

Immediate Actions

1. Audit all Next.js applications in your organization
2. Upgrade vulnerable applications within 24-48 hours
3. Monitor security advisories from Vercel and the React team
4. Review access logs for suspicious RSC requests (though exploitation may not leave obvious traces)

Long-Term Security Posture

1. Implement automated dependency scanning (Dependabot, Snyk, npm audit)
2. Establish security patch SLAs (e.g., critical patches within 48 hours)
3. Subscribe to security mailing lists:
   • Vercel Security Updates
   • React Security Advisories
4. Consider penetration testing for critical applications
5. Implement defense-in-depth:
   • Web Application Firewall (WAF)
   • Network segmentation
   • Principle of least privilege for Node.js processes

How Cyber AR Can Help

At Cyber AR, we specialize in identifying and mitigating vulnerabilities like React2Shell before they can be exploited:

Our Services

• Vulnerability Assessment: Comprehensive scanning of your web applications for known vulnerabilities
• Penetration Testing: Ethical hacking to discover vulnerabilities before attackers do
• Security Audits: Code review and architecture assessment for Next.js and React applications
• Incident Response: Rapid response if you suspect exploitation has occurred
• Security Training: Developer education on secure coding practices

Emergency Support

If you believe your application may have been compromised or need immediate assistance:

• 24/7 Security Hotline: Available for critical incidents
• Rapid Assessment: Quick evaluation of potential exploitation
• Forensic Analysis: Determine if and when exploitation occurred
• Remediation Support: Guided patching and verification

Additional Resources

• Official Next.js Advisory: CVE-2025-66478 on GitHub
• React Upstream Advisory: CVE-2025-55182
• Fix Tool Repository: vercel-labs/fix-react2shell-next
• Next.js Security Page: nextjs.org/cve-2025-66478

Conclusion

CVE-2025-66478 (React2Shell) represents one of the most critical vulnerabilities discovered in the Next.js ecosystem. With a CVSS score of 10.0 and the potential for remote code execution, immediate action is required from all organizations running Next.js 15.x or 16.x applications.

Action Items:

1. ✅ Run npx fix-react2shell-next on all Next.js projects
2. ✅ Upgrade to patched versions within 24-48 hours
3. ✅ Test thoroughly in staging before production deployment
4. ✅ Monitor for suspicious activity
5. ✅ Document the patching process for compliance records

Don't wait - the security of your application and your users' data depends on swift action.

---

Need expert security guidance? Contact Cyber AR for professional penetration testing, vulnerability assessments, and security consulting services. Our team of certified security professionals is ready to help protect your Next.js applications.

Related Services:

• Web Application Penetration Testing
• Managed Bug Bounty Program
• Security Code Review