React2Shell Security Bulletin: Critical CVE-2025-55182 Vulnerability
CVE-2025-55182: A Critical Vulnerability That Needs Your Attention Right Now
If you're working with React or Next.js, you need to read this. On December 4th, 2025, things got serious when publicly available exploits started circulating for what's being called "React2Shell." This is a critical vulnerability in React Server Components that affects React 19's react-server-dom packages (CVE-2025-55182) and the frameworks built on top of them, particularly Next.js (tracked separately as CVE-2025-66478).
What makes this particularly concerning is that the situation is still evolving. New information keeps coming out, and Vercel has been pretty transparent about it. They're recommending developers keep an eye on their X account for real-time updates, plus they're pushing notifications through the Vercel Dashboard. It's worth checking both regularly.
What You Need to Do
Here's the bottom line: if you're running Next.js versions 15.0.0 through 16.0.6, you're affected. No exceptions. Even if you think you have other protections in place, this vulnerability is serious enough that you need to upgrade immediately. I've put together a detailed guide below on how to upgrade and protect your Next.js app, but don't wait—start the process now.
Timeline of Updates
Since this broke, Vercel has been pretty active in rolling out fixes and updates. Here's what's happened so far:
| Date | Update |
|---|---|
| December 08, 8:31 PM PST | Good news: Vercel Agent can now automatically detect vulnerable projects and even open pull requests to upgrade them. This is a huge time-saver if you're managing multiple projects. Check out the automated upgrade section to see how it works. |
| December 08, 6:09 PM PST | Vercel is pushing hard on deployment protection. They're recommending everyone turn on Standard Protection for all non-production deployments and audit any shareable links you've got floating around. It's a bit of extra work, but worth it. The deployment protection section has step-by-step instructions. |
| December 06, 9:05 PM PST | This one's important: if your app was live and unpatched as of December 4th at 1:00 PM PT, you should assume it might have been compromised. Vercel is strongly recommending rotating all your secrets, especially the critical ones. They've got documentation on how to do this properly. |
| December 05, 10:29 PM PST | Vercel released a handy npm package to make the upgrade process easier. Just run npx fix-react2shell-next in your project root, or check out the GitHub repo if you want to see what it's doing under the hood. |
| December 05, 3:44 PM PST | Vercel teamed up with HackerOne to offer bug bounties for finding bypasses in their platform protections. They're paying $25,000 for high-severity finds and $50,000 for critical ones—but only for this specific CVE. If you're into security research, check out the HackerOne page. |
What's Covered Here
I've organized this post to help you figure out what you need to do:
- How to know if you're affected and when to upgrade
- What React2Shell actually is and why it matters
- Step-by-step guide to upgrading and protecting your Next.js apps
- Using Vercel's security dashboard to track issues
- Setting up deployment protection properly
- Different methods for upgrading (automated, CLI, manual)
- Rotating your environment variables and secrets
- What to do if you're using other frameworks
Do You Need to Upgrade? Here's How to Tell
Let's cut straight to it. You need to upgrade if any of these apply:
- You're on Next.js 15.0.0 through 16.0.6: Unfortunately, every single version in this range is affected. There's no way around it—if you're running anything from 15.0.0 up to (but not including) 16.0.7, you're vulnerable.
- You're on Next.js 14 canary builds: This one's a bit tricky. If you're using any Next.js 14 canary version after 14.3.0-canary.76, you're also at risk. You'll need to either downgrade to 14.3.0-canary.76 or upgrade to a stable patched version.
- You're using React Server Components anywhere: This isn't just a Next.js problem. If you're using RSC through any framework, you're potentially affected. The vulnerability is in React Server Components itself, so whatever framework you're using, you need to check if it's been patched.
My Recommendation
Don't overthink this. If you're on Next.js, upgrade to a patched version—it's the only real fix. There are workarounds and protections, but they're not substitutes for patching. Whether you're using Next.js or another framework, if you're using React Server Components, update now. Don't wait for a convenient time—this is urgent.
What Is React2Shell, Anyway?
React2Shell is the name that's been given to this vulnerability, and honestly, it's pretty serious. It's a flaw in React Server Components that affects React 19 and anything built on top of it. The scary part? Under the right (or wrong, depending on your perspective) conditions, an attacker could send specially crafted requests that result in remote code execution on your server.
That's not theoretical—we're talking about someone potentially running arbitrary code on your servers. That's why everyone's treating this with such urgency.
How to Check If You're Vulnerable
The most reliable way to figure out if you're affected is to check what versions you're actually running in production. Don't just look at your package.json—check what's actually deployed. You need to verify the versions of these packages:
- next
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
If you're deploying to Vercel, they've made this easier. You'll see a banner in your Vercel dashboard if your production deployment is using a vulnerable version. It's hard to miss, which is good—but don't rely solely on that. You should verify yourself.
The easiest way to check everything at once is to run npx fix-react2shell-next in your project. It'll scan your dependencies and tell you exactly what needs updating. I'll cover this more in the upgrade section below.
About Vercel's WAF Protection
Vercel has been proactive here, which is good to see. They've set up WAF (Web Application Firewall) rules that filter out known exploit patterns. Here's what they've done:
- Before the CVE was even publicly announced, Vercel was already working with the React team to design WAF rules. They rolled out protection globally to all Vercel users, which is pretty impressive timing.
- They're not just setting it and forgetting it. As of December 5th, they've already deployed additional rules to catch newly discovered attack patterns. They're actively monitoring and updating.
- Important caveat: WAF rules are helpful, but they're not magic. They can't catch every possible variant of an attack, especially if attackers get creative. Think of WAF protection as a safety net, not a replacement for patching.
How to Upgrade and Protect Your Next.js App
Alright, let's get into the practical stuff. I'll walk you through several approaches, from the easiest to the most hands-on. Pick what works for your situation.
Start with Vercel's Security Actions Dashboard
If you're using Vercel, this is probably your best starting point. They've built a unified dashboard that shows you all the security issues that need attention, along with clear steps on how to fix them. It's actually pretty well done—no hunting through different pages trying to figure out what's wrong. Check your security actions dashboard and it'll tell you exactly which projects need attention.
Don't Forget About Deployment Protection
Here's something a lot of people miss: even if you've patched your production app, you might still have older, vulnerable versions sitting in preview deployments or staging environments. Those can be attack vectors too.
Vercel is recommending everyone turn on Standard Protection for all deployments except production. It puts Vercel Authentication in front of those preview URLs, so only members of your team can load them, which keeps random people from hitting potentially vulnerable builds.
You can see which projects don't have this enabled in your security dashboard, or you can check each project's deployment protection settings directly.
One more thing: if you've shared preview deployment links with clients or stakeholders, make sure those aren't publicly accessible without protection. Vercel has documentation on how to set up bypasses properly for legitimate use cases.
Also worth auditing: any shareable links you've created. If you've disabled protection to make sharing easier, you should set up deployment protection exceptions instead, and make absolutely sure those exceptions are all running patched versions.
Three Ways to Upgrade: Pick Your Poison
Option 1: Let Vercel Agent Do It (Easiest)
If you want the least amount of work, Vercel Agent is your friend. It can automatically scan your projects, detect which ones are vulnerable, and even open pull requests with the necessary upgrades. You still get to review the changes before merging, but it does most of the heavy lifting.
To use it, head to the Vercel dashboard and look for the option to fix vulnerable projects. It'll walk you through the process.
Option 2: Use the Command Line Tool (Quick and Easy)
This is probably the fastest manual method. Vercel released a CLI tool that figures out what version you need and updates your package.json automatically. Just run this in your project root:
```sh
npx fix-react2shell-next
```
It'll check your current version, figure out which patched version you need, and update your dependencies. Then you just need to install and test. Once everything looks good, deploy ASAP. I've got deployment instructions in the deployment guide section below.
Option 3: Manual Upgrade (Full Control)
If you prefer to do everything yourself, or if the automated tools aren't working for your setup, here's how to do it manually:
Step 1: Figure Out What You're Running
First, you need to know what version you're actually on. You can check this a couple of ways:
- Open your deployed app in a browser, open the console, and type next.version (this reports what is actually running, which is what matters)
- Or look at your package.json file, bearing in mind that a range there (such as ^15.3.0) doesn't tell you which version is actually installed; your lockfile does
Your package.json probably looks something like this:
```json
{
  "dependencies": {
    "next": "15.3.4"
  }
}
```
Step 2: Find the Right Patched Version
Once you know your current version, use this table to figure out which patched version you need to upgrade to:
| Vulnerable version | Patched release |
|---|---|
| Next.js 15.0.x | 15.0.5 |
| Next.js 15.1.x | 15.1.9 |
| Next.js 15.2.x | 15.2.6 |
| Next.js 15.3.x | 15.3.6 |
| Next.js 15.4.x | 15.4.8 |
| Next.js 15.5.x | 15.5.7 |
| Next.js 16.0.x | 16.0.7 |
| Next.js 14 canaries after 14.3.0-canary.76 | Downgrade to 14.3.0-canary.76 (not vulnerable) |
| Next.js 15 canaries before 15.6.0-canary.58 | 15.6.0-canary.58 |
| Next.js 16 canaries before 16.1.0-canary.12 | 16.1.0-canary.12 and after |
All of these patched versions include the hardened React Server Components implementation that fixes the vulnerability.
Once you know which version you need, update your package.json. For example, if you were on 15.3.4, you'd change it to:
```json
{
  "dependencies": {
    "next": "15.3.6"
  }
}
```
Step 3: Install and Update Your Lockfile
Now run your package manager to install the new version. This is important: make sure you commit both your package.json AND your lockfile (package-lock.json, yarn.lock, pnpm-lock.yaml, or bun.lock/bun.lockb) together. The lockfile is what pins the version that actually gets installed in CI and on the build server, so committing package.json without it means your deployment can still resolve the old version, and committing one without the other will cause issues for your team.
Run whichever command matches your package manager:
```sh
# npm
npm install
# yarn
yarn install
# pnpm
pnpm install
# bun
bun install
```
Step 4: Test and Deploy
Before you deploy, test your app locally. Make sure everything still works, especially any React Server Components you're using. Once you're confident it's working, deploy immediately. Don't wait for the next sprint or a convenient time—this is urgent.
Deploying Your Fix
How you deploy depends on your setup, but here are the common scenarios:
If you're using Vercel: The good news is that Vercel has already blocked new deployments of vulnerable versions, and they've got WAF rules running. But that doesn't mean you can skip the upgrade—those protections aren't perfect, and you still need the actual patch.
If you deploy via Git: Just push your changes. Vercel will automatically build a preview with the patched version. Test that preview, and if everything looks good, merge to your main branch to promote it to production. If you need to deploy faster, you can also create a Manual Deployment directly from the Vercel Dashboard.
If you're using the Vercel CLI: Run this command:
```sh
vercel --prod
```
That'll deploy your patched version directly to production.
One More Critical Step: Rotate Your Secrets
This is easy to forget, but it's really important. If your application was online and unpatched when this vulnerability was public, you should assume it might have been compromised. Even if you don't see any signs of an attack, it's better to be safe.
Once you've patched and deployed, rotate all your environment variables and secrets. Start with the most critical ones: database passwords, API keys, authentication tokens, anything that could give someone access to your systems or data. Rotate each one at the service that issued it (the database, the API provider, your identity provider), not just in the Vercel environment variable settings, otherwise the old credential a compromised server could have read is still valid.
Vercel has documentation on how to rotate secrets properly. It's a bit of a pain, but it's worth the peace of mind.
What If You're Not Using Next.js?
This vulnerability isn't exclusive to Next.js—it affects React Server Components in general. So if you're using another framework that implements RSC, you're potentially affected too.
The React team has published a security advisory on react.dev that covers the broader picture. I'd recommend reading that, plus checking the official Next.js security advisory for additional context.
Bottom line: if you're running a vulnerable version of React or any framework using React Server Components, update immediately. Don't wait for your framework maintainers to release a guide—check what versions are patched and upgrade now.
Stay safe out there, and if you have questions, feel free to reach out. This is a serious issue, but it's fixable if you act quickly.