How to Fix CVE-2025–55182 in React and Next.js: The Patching Guide

Image by AI

The JavaScript ecosystem is currently facing one of its most significant security challenges to date. Disclosed in early December 2025, CVE-2025–55182, frequently referred to by security researchers as “React2Shell ”, is a critical remote code execution (RCE) vulnerability affecting React and Next.js.

With a CVSS score of 10.0 , this vulnerability allows unauthenticated attackers to execute arbitrary code on your server with a single, specially crafted HTTP request. If your organization uses React Server Components (RSC) or frameworks that bundle them, such as Next.js 15 or 16, your applications are likely at immediate risk.

In this guide, we will break down the technical root cause of CVE-2025–55182, explain how the React Flight Protocol was exploited, and provide a comprehensive, step-by-step remediation plan to secure your Next.js and React workloads before exploitation occurs.

Stop losing sleep over security: Learn the SecureSlate strategy top CTOs use to guarantee system integrity.

CVE-2025–55182 (The React2Shell) Overview

CVE-2025–55182 is a pre-authentication remote code execution vulnerability that resides in the core deserialization logic of React Server Components (RSC).

Specifically, the flaw exists within the packages responsible for handling the “Flight” protocol, the mechanism React uses to stream serialized component data between the client and the server.

10 Best CSPM Solutions for Multi-Cloud Environments (Ranked & Reviewed)
Technical Reviews of the Top 10 CSPM Solutions devsecopsai.today

The Impact

• Unauthenticated RCE: An attacker does not need a login, a session cookie, or even a CSRF token.
• Default Vulnerability: A standard application created with create-next-app using the App Router is vulnerable out of the box.
• Full Server Takeover: Because the code executes in the Node.js context, attackers can access environment variables (including database secrets and API keys), manipulate the file system, and pivot into internal cloud networks.

The Scope

The vulnerability is not limited to just Next.js. It impacts any framework or tool that implements the RSC protocol using the vulnerable versions of:

• react-server-dom-webpack\
• react-server-dom-parcel
• react-server-dom-turbopack

Technical Deep Dive: The Flight Protocol Specification

To understand the fix, we must understand the protocol being patched. The React Flight Protocol is a binary-to-text format used to transport the tree structure of Server Components. Unlike standard JSON, Flight supports streaming and the transmission of “promises” and “references.”

The EU’s GDPR Privacy Policy: What Non-European Businesses MUST Know to Avoid Fines
The Business Imperative of the EU devsecopsai.today

How Flight Encodes Data

When a server renders a component, it sends a stream of lines, each prefixed by an identifier:

• **J**: A JSON-serialized UI component tree.
• **M**: Metadata about a client-side component (the "client reference").
• **S**: A symbol identifier.
• **$@**: A reference to a previously defined object in the stream.
• **$K**: A specific key identifier.

The Deserialization Flaw

The vulnerability occurs in the reviveModel function. In older versions of React, when the parser encountered a reference or a specific key-value pair in the stream, it would recursively build a JavaScript object.

The security failure was a classic Prototype Pollution scenario. Because the parser did not explicitly use Object.create(null) or check Object.prototype.hasOwnProperty, an attacker could inject a key called __proto__ or constructor into the stream. When the server-side logic processed this, it would modify the base object prototype of the Node.js process.

The Anatomy of the Exploit: From Serialization to Shell

The “React2Shell” exploit is elegant and terrifying because it leverages React’s own internal “gadgets” — pre-existing utility functions — to execute code.

Phase 1: Prototype Pollution

The attacker sends a POST request to a Next.js endpoint (often a Server Action or a page route). The body of the request contains a serialized Flight stream. This stream includes a dictionary that targets the __proto__ of the Object class.

Top 7 Risk Scoring Hacks Cybersecurity Experts Use to Stay Ahead
Master the Art of Smarter Risk Scoring Today! devsecopsai.today

Phase 2: Chaining Gadgets

Once the prototype is polluted, the attacker targets internal React functions that handle Promises. In React 19, the runtime frequently checks for a property called then to see if a piece of data is "thenable" (a Promise). By polluting the prototype with a custom then function, the attacker ensures that their code is executed the moment React attempts to "await" or resolve a component chunk.

Phase 3: The Payload

The payload typically utilizes the Node.js child_process module. Since the environment is already running in Node, the attacker has access to process.binding or require if they can bypass standard sandbox restrictions. In a containerized environment, this usually results in a reverse shell being sent back to the attacker's listener:

JavaScript

Comprehensive Patching Guide

Checking for CVE-2025–55182 requires looking at your package-lock.json or pnpm-lock.yaml file rather than just your high-level package.json.

Step 1: Identify Vulnerable Versions

If your project uses any of the following, you are at risk:

• React: 19.0.0, 19.1.0–19.1.1, 19.2.0.
• Next.js 15.x: All versions prior to 15.5.7.
• Next.js 16.x: All versions prior to 16.0.7.

Step 2: The Automated Fix

The Next.js team released a specialized tool to assist with this transition. Run the following command in your terminal:

Bash

Step 3: Manual Dependency Overrides

If the automated tool fails or if you are in a highly constrained environment, you must use dependency overrides (in package.json) to force the correct version of the underlying React DOM server packages.

For NPM Users:

For PNPM Users:

Defense in Depth: Infrastructure Hardening

While patching code is the primary fix, infrastructure-level defense is your second line of safety.

Web Application Firewall (WAF) Rules

If you are using Cloudflare, AWS WAF, or Akamai, you should implement a custom rule to block requests that attempt to exploit the Flight protocol.

21 AWS Cloud Security Strategies To Transform Your Business by 2025
Hardening AWS from the Inside Out devsecopsai.today

Cloudflare WAF Custom Rule (Expression):

This rule targets the “Reference Loop” mechanism used to trigger the prototype pollution.

Plaintext

(http.request.method eq “POST” and http.request.body.raw contains “$@” and http.request.body.raw contains “constructor”)

Content Security Policy (CSP)

While CSP is primarily a client-side defense, a strict script-src and connect-src can prevent an attacker from exfiltrating data even if they manage to trigger a partial execution. However, for RCE, the primary defense must be server-side.

Node.js Permissions Model

If you are running on Node.js 20+, leverage the Permission Model (--experimental-permission). By restricting the ability of the Node process to spawn child processes, you can mitigate the impact of an RCE:

Bash

node — experimental-permission — allow-fs-read=./ — allow-net=api.mydatabase.com server.js

7-Step Incident Response Plan to Stop Cyber Attacks Before They Spread
Stop Hackers in Their Tracks, Use These 7 Steps Now devsecopsai.today

Incident Response Playbook

Because CVE-2025–55182 was exploited “in the wild” as a zero-day for approximately 72 hours, any application exposed during the first week of December 2025 must undergo a post-mortem.

Step 1: Log Analysis

Search your application logs for POST requests to /_next/data/... or any route using Server Actions that resulted in a 500 Internal Server Error. While a 500 doesn't always mean a breach, many initial PoCs caused the Node process to crash after execution.

Step 2: Secret Rotation (Mandatory)

Assume that if RCE occurred, your environment variables were compromised. You must rotate:

• Database URI: Change the password for your production DB.
• API Keys: Rotate Stripe, AWS IAM, and OpenAI keys.
• NextAuth Secret: Change your NEXTAUTH_SECRET to invalidate all current sessions.

Step 3: Persistence Check

Attackers often leave a “backdoor” in the form of a modified package.json script or a hidden file in node_modules. Wipe your deployment environment entirely and rebuild from a known-clean git commit.

How to Master Vulnerability Management to Stop Silent Threats
Vulnerability Management Secrets to Boost Security secureslate.medium.com

Understanding the Secondary Vulnerabilities (CVE-2025–55183/4)

The “fix” for React2Shell was iterative. The initial patch in React 19.2.1 addressed the RCE but introduced two secondary issues:

CVE-2025–55183: Source Code Leakage

The secondary patch inadvertently allowed a specifically formatted RSC request to bypass the “Server-Only” module protection. This allowed attackers to request the raw source code of files marked with 'use server'.

CVE-2025–55184: “Infinite Hydration” DoS

A Denial of Service (DoS) vulnerability where an attacker could send a recursive reference object that caused the React server-side renderer to enter an infinite loop, consuming 100% CPU and crashing the instance.

The Solution: You must skip the “middle” versions and go directly to React 19.2.3 and Next.js 15.5.7/16.0.7 , which contain the consolidated fixes for all three CVEs.

Summary Table of Safe Versions

Conclusion

The discovery of CVE-2025–55182 marks a turning point in how we view frontend framework security. As React and Next.js move deeper into the server-side with Server Components, the distinction between “Frontend” and “Backend” security continues to blur.

To stay safe in 2026 and beyond:

• Audit your lockfiles weekly. High-level version ranges like ^19.0.0 often mask critical underlying package vulnerabilities.
• Adopt a “Zero-Trust” approach to RSC. Treat all data coming into a Server Action or an RSC endpoint as untrusted user input, even if it looks like a serialized internal format.
• Use automated security scanning. Tools like Snyk, Socket, and GitHub Advanced Security are now updated to flag the React2Shell vulnerability.

Immediate Action: Update your dependencies today. Do not wait for a scheduled maintenance window. A CVSS 10.0 vulnerability with public PoCs is an emergency.

SOC 2 Controls List XLS: Your Essential Compliance Tool
Simplify Your Audit! secureslate.medium.com

Ready to Streamline Compliance?

Building a secure foundation for your startup is crucial, but navigating the complexities of achieving compliance can be a hassle, especially for a small team.

SecureSlate offers a simpler solution:

• Affordable: Expensive compliance software shouldn’t be the barrier. Our affordable plans start at just $99/month.
• Focus on Your Business, Not Paperwork: Automate tedious tasks and free up your team to focus on innovation and growth.
• Gain Confidence and Credibility: Our platform guides you through the process, ensuring you meet all essential requirements and giving you peace of mind.

Get Started in Just 3 Minutes

It only takes 3 minutes to sign up and see how our platform can streamline your compliance journey.