Security Alert: CVE-2025-55182 (“React2Shell”)

Gabriel Rodríguez
December 26, 2025

How VAIRIX is responding to a critical React Server Components vulnerability

On December 3, 2025, a critical security vulnerability (CVE-2025-55182) was disclosed in React Server Components with a CVSS score of 10.0 out of 10.0, the highest possible. The issue, known as “React2Shell,” impacts React 19 and frameworks such as Next.js, and can allow attackers to run malicious code on servers without authentication.

With reports of exploitation starting just hours after disclosure, treating this as urgent is the safest move.

Scope and affected versions

If your application relies on React Server Components, review your setup right away. The affected stack includes:

  • React versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0
  • Next.js versions 15.x and 16.x using the App Router
  • Other frameworks that use React Server Components, including React Router, Waku, Vite RSC, and Parcel
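
One way to check a project against this list, as an added example that is not VAIRIX's own tooling: the script below flags entries in a parsed `package-lock.json` that match the versions above. The `react-server-dom-*` package names are an assumption not stated on this page, and a `next` 15.x/16.x match is marked for review only, because a lockfile cannot show whether the App Router is in use.

```javascript
// Versions taken from this page's "Scope and affected versions" list.
const AFFECTED_REACT_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
const AFFECTED_NEXT_MAJORS = new Set([15, 16]);

// Assumption (not stated on the page): the react-server-dom-* packages carry the
// Server Components implementation and share React's version numbers.
const REACT_PACKAGES = new Set([
  "react", "react-server-dom-webpack",
  "react-server-dom-parcel", "react-server-dom-turbopack",
]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; the root entry "" -> null
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Accepts a parsed package-lock.json (lockfileVersion 2 or 3, "packages" map).
function findExposedPackages(lock) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    const version = entry && entry.version;
    if (!name || typeof version !== "string") continue;
    if (REACT_PACKAGES.has(name) && AFFECTED_REACT_VERSIONS.has(version)) {
      findings.push({ path: lockPath, name, version, status: "affected" });
    } else if (name === "next" && AFFECTED_NEXT_MAJORS.has(Number.parseInt(version, 10))) {
      // The page lists 15.x/16.x and no fixed releases: a prompt to review, not a verdict.
      findings.push({ path: lockPath, name, version, status: "review" });
    }
  }
  return findings;
}

// Constructed sample lockfile (not from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.1.1" },
    "node_modules/next": { version: "15.4.2" },
    "node_modules/legacy-widget/node_modules/react": { version: "18.3.1" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
  },
};
console.log(findExposedPackages(SAMPLE_LOCK));
```

Nested copies are checked as well as top-level ones, since a transitive dependency can pin its own React version.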

How VAIRIX is handling it

We’re already working through this vulnerability across our client projects. React, React Native, and Next.js are at the center of what we build, and after 15 years working with this stack, security reviews and fast patching are part of our normal process.

Right now, our priority is simple: find any systems that could be exposed and apply the fixes needed to keep them protected.

Actions underway

Here’s how we’re handling the response across our projects:

  • Full review: Auditing all projects to identify vulnerable versions.
  • Patching: Rolling out security updates across affected applications.
  • Proactive communication: Contacting clients whose projects need immediate attention.
  • Continuous monitoring: Tracking updates and guidance from the React and Next.js security teams.

This is the same approach we use for any security issue: tracking advisories closely, keeping dependencies up to date, following secure development practices throughout delivery, and testing carefully around every change.

Get a quick exposure check

If you’re running React 19 or Next.js 15/16 and you’re not fully sure where your application stands, we can help you get clarity quickly. Our team can do a fast assessment, confirm whether you’re exposed, and apply the right fixes with minimal disruption. 

With 15 years of experience working on React and Next.js projects for U.S. teams, we’re used to moving fast on security fixes while keeping the rollout controlled. 

This vulnerability is being actively exploited, so if you’re potentially exposed, it’s worth addressing it right away.

👉Need clarity today? Contact us here.

Official references

For more details, consult the official sources:
