Is Your Next.js Project Safe? Inside the Critical React2Shell CVE‑2025‑55182 Vulnerability
The article warns that after an incomplete fix for the React2Shell flaw, two new critical vulnerabilities have emerged in React Server Components—a denial‑of‑service and a source‑code exposure issue—detailing their triggers and urging immediate remediation for all affected projects.
Background
Earlier research disclosed React2Shell (CVE‑2025‑55182) affecting Next.js. The initial patch was incomplete, leaving the React Server Components (RSC) surface exposed.
New vulnerabilities in React Server Components (RSC)
Denial‑of‑service (DoS) via source‑code leakage
When a server‑side component is rendered, or any component returns a stringified parameter (for example, a value produced by JSON.stringify) that is later interpolated into the response, a crafted request can make the server treat the component’s source as data. The server then writes the component’s source code into the response, leaking implementation details and consuming resources, which can escalate into a denial‑of‑service condition.
Source‑code exposure through deserialization loop
RSC deserializes a payload that describes the component tree. A maliciously crafted payload can trigger an infinite recursion inside the deserializer. The server becomes stuck processing the request, exhausting CPU and memory, resulting in a service outage and potentially exposing internal code paths.
Mitigation
Upgrade React and Next.js to versions that contain the security fixes (e.g., React 18.3.0‑rc.2 or later, Next.js 14.2.1+).
Audit all dependencies that import react-server or @next/react-server and rebuild them against the patched libraries.
Disable or strictly validate any API that echoes stringified parameters without proper sanitisation.
Enforce a strict content‑type check and impose size limits on incoming RSC payloads to prevent deserialization abuse.
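Where the mitigation list above calls for a content‑type check and size limits on RSC payloads, here is an added example (not code from the article, React or Next.js) of a pre‑filter that rejects a request before the framework deserializer ever sees it, adding a nesting‑depth bound that also covers the deserializer‑recursion case described earlier. The allowed content types, the limits and the bracket‑counting depth heuristic are assumptions chosen for this example; wire checkRscPayload into whatever request handler your server uses.

```javascript
const DEFAULT_LIMITS = {
  allowedContentTypes: ['text/plain', 'application/json'], // assumed allow-list, not from React
  maxBytes: 64 * 1024, // assumed cap on one RSC payload
  maxDepth: 32,        // assumed cap on nesting; real component trees stay far below this
};

// Extract the media type from a Content-Type header, dropping "; charset=..." parameters.
function mediaType(contentType) {
  if (typeof contentType !== 'string') return '';
  return contentType.split(';')[0].trim().toLowerCase();
}

// Deepest bracket/brace nesting, measured in one iterative pass so the check itself
// cannot be pushed into recursion; quoted strings are skipped so '[' in a value is ignored.
function maxNesting(body) {
  let depth = 0, deepest = 0, inString = false, escaped = false;
  for (const ch of body) {
    if (inString) {
      if (escaped) escaped = false;
      else if (ch === '\\') escaped = true;
      else if (ch === '"') inString = false;
      continue;
    }
    if (ch === '"') inString = true;
    else if (ch === '[' || ch === '{') deepest = Math.max(deepest, ++depth);
    else if (ch === ']' || ch === '}') depth = Math.max(0, depth - 1);
  }
  return deepest;
}

// Gate a request (headers object with lower-case keys, raw body string) before deserialization.
function checkRscPayload(headers, body, limits = DEFAULT_LIMITS) {
  const type = mediaType(headers['content-type']);
  if (!limits.allowedContentTypes.includes(type)) {
    return { ok: false, reason: `unexpected content type "${type}"` };
  }
  const bytes = Buffer.byteLength(body, 'utf8');
  if (bytes > limits.maxBytes) {
    return { ok: false, reason: `${bytes} bytes exceeds limit of ${limits.maxBytes}` };
  }
  const depth = maxNesting(body);
  if (depth > limits.maxDepth) {
    return { ok: false, reason: `nesting depth ${depth} exceeds limit of ${limits.maxDepth}` };
  }
  return { ok: true };
}

// Constructed sample inputs: a small JSON-shaped tree and a deeply nested one.
const SAMPLE_OK = { headers: { 'content-type': 'text/plain;charset=UTF-8' }, body: '["$","div",null,{"children":"hi"}]' };
const SAMPLE_DEEP = { headers: { 'content-type': 'text/plain' }, body: '['.repeat(1000) + ']'.repeat(1000) };
```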
References
React security announcement: https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
Code Mala Tang