Security Advisory: Next.js React2Shell Vulnerability (CVE-2025-66478 / CVE-2025-55182)

A new critical vulnerability has been disclosed in the React Server Components (RSC) "Flight" protocol, impacting the Next.js ecosystem and any apps built on React 19 with server components. The issue is commonly referred to as React2Shell and is tracked as CVE-2025-55182 (React) and CVE-2025-66478 (Next.js).
Although CVE-2025-66478 has since been marked as a duplicate of CVE-2025-55182 in the official CVE database, the Next.js ecosystem and most vendor advisories still reference it explicitly, so you'll see both IDs in tooling and security feeds.
At FNA Technology, we build and run production workloads on Next.js 16, React 19, and App Router, so we treated this as a priority-0 incident, fully assessed impact, and deployed patches across our environments.
What is React2Shell (CVE-2025-55182 / CVE-2025-66478)?
React Server Components use a protocol called Flight to serialize and deserialize data between the browser and the server. The React2Shell vulnerability comes from an unsafe deserialization behavior in this protocol.
Under specific conditions, an attacker can send a specially crafted request that gets deserialized in a way that lets them influence server-side execution paths. In vulnerable configurations this can lead to unauthenticated remote code execution (RCE) on the server – with a maximum severity score of CVSS 10.0 (Critical).
Because Next.js App Router is built on top of React Server Components, the same issue flows downstream into Next.js and is tracked as CVE-2025-66478 in the official Next.js security advisory.
Which Next.js apps are affected?
According to the official Next.js advisory, the following configurations are affected when using App Router:
- Next.js 15.x
- Next.js 16.x
- Next.js 14.3.0-canary.77 and later canary releases (when using App Router)
The following are not affected:
- Next.js 13.x
- Stable Next.js 14.x
- Apps using Pages Router only
- Edge Runtime deployments
If you're running a "standard" App Router project created using create-next-app on Next.js 15 or 16, assume you're affected until you prove otherwise.
Fixed Next.js versions
The vulnerability is fully resolved in the following patched Next.js releases:
- 15.0.5
- 15.1.9
- 15.2.6
- 15.3.6
- 15.4.8
- 15.5.7
- 16.0.7
Patched canary releases:
- 15.6.0-canary.58
- 16.1.0-canary.12
If you're on Next.js 14.3.0-canary.77+, the official guidance is to downgrade to the latest stable 14.x or upgrade into a patched 15/16 line.
How we mitigated React2Shell at FNA Technology
We followed a three-step approach to secure our own Next.js workloads:
1. Inventory & impact analysis
- Enumerated all Next.js services and confirmed which ones use App Router, run on Next.js 15/16 or 14.3.0-canary.77+, and expose internet-facing routes
- Cross-checked deployed versions against the patched versions above
- Verified our infrastructure providers' stance on the CVE (e.g., some platforms now block new deployments that use vulnerable Next.js versions by default)
2. Patch and upgrade
On affected services we:
- Updated Next.js to the latest patched version in the same minor line
- Updated React / RSC packages to patched versions (19.0.1, 19.1.2, 19.2.1), ensuring the hardened Flight protocol implementation is present
- Ran the official Next.js helper: npx fix-react2shell-next
- Performed a full CI/CD pipeline run and smoke tests on critical flows (auth, payments, dashboards)
# examples – pick the line you use
npm install next@15.0.5
npm install next@16.0.7
npm install next@15.6.0-canary.58 # if you must stay on canary
npx fix-react2shell-next
3. Hardening & monitoring
Even with patches applied, we layered additional defenses:
- WAF / reverse proxy rules to inspect RSC/Flight endpoints and block known exploit patterns
- Log-based detection for suspicious RSC requests and unusual 500 responses originating from RSC routes
- Stricter network segmentation for app servers that process RSC traffic
- Regular security tests (SCA, SAST, DAST) focusing on React/Next.js RSC use
What you should do if you run Next.js in production
If you're operating a production Next.js app, we recommend:
Immediately determine if you're affected
- Check the next version in your package.json and lockfile
- If you're on 15.x, 16.x, or 14.3.0-canary.77+ and using App Router, treat this as critical
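The affected and fixed version lists above can be turned into a mechanical check. The following is an added example, not FNA's or the Next.js project's own tooling; it assumes the version you pass in is the one actually installed (from the lockfile or npm ls next), not the range in package.json.

```javascript
// Added example, not FNA's or the Next.js project's own tooling: classify an
// installed Next.js version against the affected / fixed lists in this advisory.
// Assumption: the version is the one actually installed (lockfile or `npm ls next`),
// not the semver range written in package.json.

// Fixed release per minor line, as listed in the advisory.
const FIXED = {
  "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
  "15.4": "15.4.8", "15.5": "15.5.7", "15.6": "15.6.0-canary.58",
  "16.0": "16.0.7", "16.1": "16.1.0-canary.12",
};

// Parse "16.0.7" or "15.6.0-canary.58" into comparable parts.
function parse(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-canary\.(\d+))?$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3],
           canary: m[4] === undefined ? null : +m[4] };
}

// Ordering: a canary sorts before the stable release with the same x.y.z.
function cmp(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] - b[k];
  }
  if (a.canary === null && b.canary === null) return 0;
  if (a.canary === null) return 1;
  if (b.canary === null) return -1;
  return a.canary - b.canary;
}

// Returns "not-affected", "affected", "patched" or "unknown-line".
// Pages Router only and Next.js 13.x are out of scope per the advisory.
function classify(version, usesAppRouter) {
  const v = parse(version);
  if (!usesAppRouter || v.major <= 13) return "not-affected";
  if (v.major === 14) {
    // Only 14.3.0-canary.77 and later canaries are affected; stable 14.x is not.
    const affectedFrom = parse("14.3.0-canary.77");
    return v.canary !== null && cmp(v, affectedFrom) >= 0 ? "affected" : "not-affected";
  }
  const fixed = FIXED[`${v.major}.${v.minor}`];
  if (!fixed) return "unknown-line";   // not on the advisory's list: check upstream
  return cmp(v, parse(fixed)) >= 0 ? "patched" : "affected";
}
```

A result of "unknown-line" means the minor line is not on this advisory's list and must be checked against the upstream advisory rather than assumed safe.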
Upgrade to a patched version
- Move to one of the fixed releases listed above
- Run npx fix-react2shell-next to ensure your dependency tree is fully patched
Upgrade React / RSC
Ensure your React 19 stack is on patched versions that include the hardened Flight protocol.
Review logs and monitoring
Look for suspicious RSC-related traffic and unexplained 500s around RSC endpoints since December 3, 2025.
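One way to do that first pass over access logs, as an added example that is not FNA's or Next.js's tooling: it assumes JSON-per-line logs with ts, ip, method, path, status and a headers map, and identifies RSC traffic by the RSC: 1 header, the _rsc query parameter or (for Server Actions) the Next-Action header, which are assumptions about the deployment rather than facts stated in this advisory.

```javascript
// Added example (not FNA's tooling): triage JSON access logs for 5xx responses
// on RSC endpoints from the disclosure date named in this advisory onwards.
// Assumptions (not stated on the page): one JSON object per line with
// ts, ip, method, path, status, headers; an RSC request carries an "rsc: 1"
// header, an "_rsc" query parameter, or a "next-action" header (Server Actions).

const DISCLOSURE = Date.parse("2025-12-03T00:00:00Z");

function isRscRequest(entry) {
  const h = Object.fromEntries(
    Object.entries(entry.headers || {}).map(([k, v]) => [k.toLowerCase(), String(v)]));
  return h["rsc"] === "1" || "next-action" in h || /[?&]_rsc=/.test(entry.path || "");
}

// Returns { ip: { count, paths } } for RSC requests that produced a 5xx since disclosure.
function suspiciousRscErrors(lines) {
  const byIp = {};
  for (const line of lines) {
    let e;
    try { e = JSON.parse(line); } catch { continue; }   // skip malformed lines
    if (Date.parse(e.ts) < DISCLOSURE) continue;          // only post-disclosure traffic
    if (e.status < 500 || e.status > 599 || !isRscRequest(e)) continue;
    const rec = byIp[e.ip] || (byIp[e.ip] = { count: 0, paths: new Set() });
    rec.count += 1;
    rec.paths.add(`${e.method} ${e.path.split("?")[0]}`);
  }
  return Object.fromEntries(Object.entries(byIp)
    .map(([ip, r]) => [ip, { count: r.count, paths: [...r.paths].sort() }]));
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '{"ts":"2025-12-01T10:00:00Z","ip":"203.0.113.5","method":"POST","path":"/","status":500,"headers":{"next-action":"abc"}}',
  '{"ts":"2025-12-04T10:00:00Z","ip":"203.0.113.5","method":"POST","path":"/","status":500,"headers":{"Next-Action":"abc"}}',
  '{"ts":"2025-12-04T10:00:01Z","ip":"203.0.113.5","method":"GET","path":"/dashboard?_rsc=1a2b","status":500,"headers":{"RSC":"1"}}',
  '{"ts":"2025-12-04T10:00:02Z","ip":"198.51.100.7","method":"GET","path":"/dashboard?_rsc=1a2b","status":200,"headers":{"RSC":"1"}}',
  '{"ts":"2025-12-04T10:00:03Z","ip":"198.51.100.7","method":"GET","path":"/api/health","status":500,"headers":{}}',
  'not json',
];

console.log(JSON.stringify(suspiciousRscErrors(SAMPLE_LOG), null, 2));
```

A non-RSC 500 (the /api/health line) and pre-disclosure traffic are deliberately left out so the output is a short list of clients worth a closer look, not the full error log.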
Coordinate with your hosting provider
Some providers are auto-blocking vulnerable deployments and may offer additional detection and shielding capabilities.
Our commitment
FNA Technology will continue to:
- Monitor upstream advisories from React, Next.js, and major cloud providers
- Roll out security fixes rapidly across our managed environments
- Share practical mitigation guidance for modern React/Next.js stacks
If you run a Next.js or React 19 application and need help assessing or fixing your exposure to React2Shell (CVE-2025-55182 / CVE-2025-66478), we're happy to assist with audits, upgrades, and secure architecture reviews.
Written by FNA Technology