CVE-2025-55182 is a critical pre-authentication remote code execution vulnerability in React Server Components.
It specifically affects versions 19.0.0, 19.1.0, 19.1.1 and 19.2.0 of the RSC packages, and frameworks that use those affected packages, including Next.js 15.x and 16.x with the App Router:
- Next.js 15.x
- Next.js 16.x
- Next.js 14.3.0-canary.77 and later canary releases
The vulnerability carries the maximum CVSS severity score of 10.0.
The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints. The flaw has been dubbed React2Shell. Next.js is affected by the same vulnerability (CVE-2025-66478, which has since been rejected in the National Vulnerability Database). It has been widely exploited, as reported by the Cybersecurity and Infrastructure Security Agency (CISA).
The vulnerability has been fixed in:
- React: 19.0.1, 19.1.2, 19.2.1
- Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+
See more details on: