Next.js Security Advisory: React2Shell RCE Vulnerability

The short version: React2Shell is a critical (CVSS 10.0) unauthenticated remote code execution vulnerability in the RSC Flight deserialization protocol, affecting Next.js 15.x, 16.x, and App Router canary builds from 14.3.0-canary.77 onwards. Patch immediately. If you're on an affected version and running internet-facing App Router routes, treat this as a live incident until you confirm patch status.
On December 3, 2025, a critical vulnerability was disclosed in the React Server Components (RSC) "Flight" protocol. The issue — tracked as CVE-2025-55182 at the React layer and CVE-2025-66478 at the Next.js layer — allows an unauthenticated attacker to achieve remote code execution on the server hosting a vulnerable Next.js App Router application.
CVE-2025-66478 has since been marked as a duplicate of CVE-2025-55182 in the official CVE database (the root cause is in React, not Next.js specifically), but both IDs appear in vendor advisories and security tooling. Patching to a fixed Next.js version resolves both.
At FNA Technology, we run production workloads on Next.js 16 with App Router. We treated this as a priority-0 incident on disclosure, assessed impact within hours, and deployed patches the same day. This advisory documents what we found and exactly what to do.
What is React2Shell and how does it work?
React Server Components use a protocol called Flight to serialize and stream component trees from the server to the browser. The client-side React runtime deserializes the Flight payload to reconstruct the component tree.
The vulnerability is in the deserialization side of this protocol. Under specific conditions, a crafted Flight protocol payload can influence server-side execution paths during deserialization — allowing an attacker to execute arbitrary code on the server without any authentication.
The attack vector is the RSC endpoint itself. Any Next.js App Router application that meets both of the following conditions is potentially vulnerable to unauthenticated RCE:
- Exposes internet-facing routes using App Router
- Runs on an affected Next.js version
CVSS 10.0 is the maximum possible severity score.
Affected versions
Vulnerable:
| Version line | Affected range |
|---|---|
| Next.js 15.x | All releases before the patched versions listed below |
| Next.js 16.x | All releases before 16.0.7 |
| Next.js 14.x canary | 14.3.0-canary.77 and later canary releases using App Router |
Not affected:
- Next.js 13.x
- Next.js 14.x stable releases
- Apps using Pages Router exclusively (no App Router components)
- Edge Runtime deployments (the vulnerability is in the Node.js RSC deserialization path)
If you created your app with create-next-app on Next.js 15 or 16 and haven't changed to Pages Router, assume you're affected until you confirm your version.
Patched versions
Upgrade to any of these releases:
- Next.js 15: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7
- Next.js 16: 16.0.7
- Canary: 15.6.0-canary.58, 16.1.0-canary.12
For Next.js 14.x canary users: downgrade to the latest stable 14.x or upgrade to a patched 15/16 release.
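As an added triage helper, written for this advisory rather than taken from it or from Next.js, the script below encodes the affected and patched ranges above and classifies a version string. It goes one step beyond the tables in a single assumed respect: a stable 15.x/16.x minor line newer than every listed fix for that major is treated as patched.

```python
"""Constructed triage helper, not part of the advisory or of Next.js itself.

Classifies an installed Next.js version string against the affected and patched
ranges listed above. Assumption: a stable 15.x/16.x minor line newer than every
listed fix for that major shipped after the fix and is treated as patched.
"""
import re

# Lowest patched release per stable minor line, taken from the advisory.
PATCHED_STABLE = {
    (15, 0): 5, (15, 1): 9, (15, 2): 6, (15, 3): 6, (15, 4): 8, (15, 5): 7,
    (16, 0): 7,
}
# Patched canary lines: base version -> first patched canary number.
PATCHED_CANARY = {(15, 6, 0): 58, (16, 1, 0): 12}
FIRST_AFFECTED_CANARY = (14, 3, 0, 77)  # 14.3.0-canary.77 and later are affected

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-canary\.(\d+))?$")


def react2shell_status(version: str) -> str:
    """Return 'not-affected', 'patched', 'vulnerable' or 'review-manually'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return "review-manually"  # rc/beta tags etc. are outside the advisory's tables
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    if m.group(4) is not None:
        canary = int(m.group(4))
        if (major, minor, patch, canary) < FIRST_AFFECTED_CANARY:
            return "not-affected"
        fixed = PATCHED_CANARY.get((major, minor, patch))
        if fixed is None:
            return "vulnerable"  # affected canary line with no listed fix
        return "patched" if canary >= fixed else "vulnerable"
    if major <= 14:
        return "not-affected"  # 13.x and stable 14.x are not affected
    if major > 16:
        return "review-manually"  # newer major than the advisory covers
    fixed_patch = PATCHED_STABLE.get((major, minor))
    if fixed_patch is None:
        return "patched"  # assumption noted above: unlisted minor is newer than the fix
    return "patched" if patch >= fixed_patch else "vulnerable"


if __name__ == "__main__":
    import sys
    print(react2shell_status(sys.argv[1] if len(sys.argv) > 1 else "15.5.6"))
```

Feed it the output of the `node -e` version check from Step 1 below to get a yes/no answer per service.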
How to patch
Step 1: Confirm your current version
```bash
# Check installed Next.js version
grep '"next"' package.json
# Or check what's actually installed
node -e "console.log(require('next/package.json').version)"
```
Step 2: Update to a patched version
```bash
# Stay on your current major line — pick the patched release for your version
npm install [email protected] # if you're on 15.x
npm install [email protected] # if you're on 16.x
# Or update to latest stable
npm install next@latest
```
Step 3: Update React packages
The Flight protocol fix is in React itself. Ensure your React packages are on patched versions:
```bash
npm install [email protected] [email protected]
# or
npm install [email protected] [email protected]
# or
npm install [email protected] [email protected]
```
Step 4: Run the official remediation tool
```bash
npx fix-react2shell-next
```
This tool audits your full dependency tree and patches any transitive dependencies that pull in vulnerable React or Next.js versions.
Step 5: Rebuild and deploy
```bash
npm run build
# Deploy through your normal CI/CD pipeline
```
Run smoke tests on critical flows — auth, payments, dashboard — before promoting to production.
How we mitigated React2Shell at FNA Technology
Our remediation ran in three phases across a single working day.
Phase 1 — Inventory and impact assessment (2 hours)
We enumerated all Next.js services and identified which ones:
- Use App Router (not Pages Router)
- Run on Next.js 15/16 or affected 14.x canary versions
- Expose internet-facing routes
We cross-referenced deployed versions against the patched version list. We also verified our Vercel deployment configuration — Vercel had begun blocking new deployments using known-vulnerable Next.js versions, which confirmed the severity.
Phase 2 — Patch and upgrade (3 hours)
For each affected service:
```bash
# Update Next.js
npm install [email protected]
# Update React
npm install [email protected] [email protected]
# Run remediation tool
npx fix-react2shell-next
# Full CI/CD run including smoke tests
```
We did not skip the smoke tests. A Next.js major/minor version bump can surface unexpected breaking changes in server components, route handlers, or caching behavior. We tested auth flows, payment processing paths, and critical dashboard routes before promoting to production.
Phase 3 — Hardening and monitoring (ongoing)
Patching the vulnerability is necessary but not sufficient. We layered additional defenses:
WAF rules: We added rules at the reverse proxy layer to inspect RSC/Flight endpoint requests for known exploit payload patterns and reject anomalous requests before they reach the Next.js process.
Log-based detection: We set up alerting on:
- Unusual 500 response rates from RSC routes
- Large or malformed request payloads on RSC endpoints
- Unexpected process execution events from the Next.js server process
Network segmentation: We reviewed and tightened network policies for app servers processing RSC traffic — limiting outbound connectivity to what's required for legitimate application function.
SCA in CI/CD: We added npm audit and OWASP Dependency-Check to our CI pipeline. Vulnerabilities in direct and transitive dependencies now block deployment rather than generating a report nobody reads.
What to do if you haven't patched yet
Check your version first:
```bash
grep '"next"' package.json
```
If you're on an affected version:
- Determine whether you use App Router: check for an app/ directory containing page.tsx files, or a layout.tsx at its root
- If yes: treat this as a critical incident. Patch before your next deployment
- If Pages Router only: you are not affected, but upgrade anyway so the fix is in your dependency tree
If you can't patch immediately:
- Consider temporarily restricting access to RSC endpoints at the network or WAF layer
- Review logs from December 3, 2025 onwards for suspicious activity
- Notify your security team
If you're not sure whether you were exploited:
Review server logs for the period starting December 3, 2025. Look for:
- Unexpected 500 errors from routes using Server Components
- Unusually large request payloads to App Router routes
- Unexplained process execution or outbound network connections from your application server
If your logging doesn't capture this detail, your hosting provider's infrastructure logs may. Contact them directly.
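The two log-based signals listed under Phase 3 above (unusual 500 rates on RSC routes, oversized RSC request payloads) and repeated in the exploitation-check list just above, run over a batch of access-log lines. This is an added detection example, not code from the advisory or from any product; the JSON log format and the rsc field are assumptions, and the sample lines are constructed.

```python
"""Constructed detection example (not from the advisory or any product): runs two
of the signals recommended above over JSON access-log lines. Assumed log format:
one object per line with ts, method, path, status, req_bytes and an `rsc` flag
that the reverse proxy sets on RSC requests (how it derives that is site-specific).
"""
import json
from collections import defaultdict

MAX_RSC_BODY_BYTES = 64 * 1024  # assumed threshold; tune to your app's real payloads
MIN_REQUESTS = 5                # never alert on a single error
ERROR_RATE_THRESHOLD = 0.5      # >= 50% of a path's RSC requests returned 500


def analyse(lines):
    """Return a list of (signal, detail) alerts for the given log lines."""
    alerts = []
    per_path = defaultdict(lambda: [0, 0])  # path -> [requests, 500 responses]
    for raw in lines:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            alerts.append(("malformed-log-line", raw[:80]))
            continue
        if not rec.get("rsc"):
            continue  # only RSC traffic is in scope
        counts = per_path[rec["path"]]
        counts[0] += 1
        counts[1] += rec["status"] == 500  # True counts as 1
        if rec.get("req_bytes", 0) > MAX_RSC_BODY_BYTES:
            detail = f'{rec["ts"]} {rec["method"]} {rec["path"]} {rec["req_bytes"]}B'
            alerts.append(("oversized-rsc-payload", detail))
    for path, (total, errors) in per_path.items():
        if total >= MIN_REQUESTS and errors / total >= ERROR_RATE_THRESHOLD:
            alerts.append(("rsc-500-rate", f"{path} {errors}/{total}"))
    return alerts


def _rec(ts, method, path, status, req_bytes, rsc=True):
    return json.dumps({"ts": ts, "method": method, "path": path, "status": status, "req_bytes": req_bytes, "rsc": rsc})


# Constructed sample: a normal page load, a non-RSC health check, then a burst
# of 500s on /dashboard including one oversized body, and one unparsable line.
SAMPLE_LOG = [
    _rec("2025-12-03T10:00:01Z", "GET", "/", 200, 0),
    _rec("2025-12-03T10:00:02Z", "GET", "/api/health", 200, 0, rsc=False),
    _rec("2025-12-03T10:01:00Z", "POST", "/dashboard", 500, 150000),
    _rec("2025-12-03T10:01:01Z", "POST", "/dashboard", 500, 900),
    _rec("2025-12-03T10:01:02Z", "POST", "/dashboard", 500, 910),
    _rec("2025-12-03T10:01:03Z", "GET", "/dashboard", 200, 0),
    _rec("2025-12-03T10:01:04Z", "POST", "/dashboard", 500, 880),
    "not json at all",
]
```

The per-path rate is computed over whatever batch you pass in, so feed it one alerting window at a time (for example the last five minutes of proxy logs) rather than a whole day.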
Verifying the patch
After deploying the patched version:
```bash
# Confirm Next.js version
node -e "console.log(require('next/package.json').version)"
# Confirm React version
node -e "console.log(require('react/package.json').version)"
# Run npm audit — should show no critical vulnerabilities related to RSC
npm audit --audit-level=critical
```
For teams running Next.js 15 who want to understand the App Router architecture that makes this vulnerability class possible, the Next.js modern web development guide covers React Server Components, the Flight protocol, and the rendering model in detail.
Written by
FNA Team
CEO & Founder at FNA Technology