
How we survived React2Shell (CVE-2025-55182)

Back-end Development

On December 3, 2025, React2Shell (CVE-2025-55182) was identified as a critical remote code execution (RCE) vulnerability in React Server Components. It is one of the most significant web framework vulnerabilities of 2025 because of its low attack complexity and the wide range of production applications it affects. The vulnerability makes it possible for an unauthorized attacker to craft malicious requests that abuse server-side rendering and component hydration boundaries, causing the server to execute arbitrary code. It was given a maximum-severity rating because it affects popular stacks like Next.js, even where developers had not written any custom code. Within hours of disclosure, it was being exploited on a large scale. Observed exploitation has included installing backdoors, downloaders, and cryptocurrency miners (https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182).

Do you maintain a Next.js 15/16 application? Fortunately, there is now a vulnerability scanner that can inform you if you are vulnerable: react2shell-scanner.

Here at Rapid Development Group, we have numerous sites that use both Next.js and React Server Components. When I woke up the morning of December 4, my web development news feeds were full of details about the vulnerability, panicked developers, and compromised sites. It was very alarming, to say the least. As I sipped my coffee and absorbed the details, my heart started racing. This was not a drill! The only real resolution to the vulnerability is to upgrade Next.js, so I started rolling that out across our sites. I then logged into several production servers to check whether we had any intrusions. My heart started to slow when I didn't find any. What a relief!

Did we just get lucky? No, we have several very intentional approaches to our applications that guard against these sorts of vulnerabilities. The first is using a WAF like Cloudflare, which blocked it at the firewall level (https://blog.cloudflare.com/waf-rules-react-vulnerability/). The second is our choice of web host, Upsun (formerly Platform.sh). Upsun has a read-only filesystem. Writable directories can be mounted if necessary, but the root filesystem is deliberately not writable anywhere. This has many benefits, one of which is security (https://devcenter.upsun.com/posts/we-made-our-infrastructure-read-only-and-never-looked-back/). This is one of the many reasons why we chose Upsun to host the apps we develop.
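As an added example (not code from this post, from Upsun, or from Cloudflare), here is a small audit of a Linux mount table that checks the posture described above: root mounted read-only, with writable mounts limited to an explicit allow-list. The sample mount lines, the allow-list, and the extra check that writable mounts carry `noexec` are assumptions constructed for illustration.

```python
"""Audit a /proc/mounts table for a read-only-root posture.

Assumptions (constructed for this example, not from the post): root should be
mounted "ro", every writable mount should be allow-listed, and writable mounts
should carry "noexec" so that files dropped by an RCE cannot be executed.
"""
from dataclasses import dataclass

# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass
SAMPLE_MOUNTS = """\
overlay / overlay ro,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /app/uploads ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdc1 /app/node_modules ext4 rw,relatime 0 0
"""

# Assumed allow-list of directories the application legitimately writes to.
ALLOWED_WRITABLE = frozenset({"/tmp", "/app/uploads"})
# Kernel pseudo-filesystems: always rw, not relevant to this audit.
PSEUDO_FSTYPES = frozenset({"proc", "sysfs", "cgroup", "cgroup2", "devpts", "mqueue", "devtmpfs"})

@dataclass(frozen=True)
class Mount:
    mountpoint: str
    fstype: str
    options: frozenset

def parse_mounts(text: str) -> list[Mount]:
    """Parse /proc/mounts text; the kernel escapes spaces in paths as \\040."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        mountpoint = fields[1].replace("\\040", " ")
        mounts.append(Mount(mountpoint, fields[2], frozenset(fields[3].split(","))))
    return mounts

def audit(mounts: list[Mount], allowed_writable=ALLOWED_WRITABLE) -> dict:
    """Report whether root is read-only and which writable mounts need attention."""
    root_readonly = any(m.mountpoint == "/" and "ro" in m.options for m in mounts)
    writable = [m for m in mounts if "rw" in m.options and m.fstype not in PSEUDO_FSTYPES]
    return {
        "root_readonly": root_readonly,
        # writable mounts that are not on the allow-list
        "unexpected_writable": sorted(m.mountpoint for m in writable if m.mountpoint not in allowed_writable),
        # writable mounts where a dropped file could still be executed
        "writable_exec": sorted(m.mountpoint for m in writable if "noexec" not in m.options),
    }

if __name__ == "__main__":
    with open("/proc/mounts") as f:  # audit the live host when run directly
        print(audit(parse_mounts(f.read())))
```

On the constructed sample the audit confirms root is read-only and flags `/app/node_modules` both as an unlisted writable mount and as writable without `noexec`.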

Have questions about Next.js, secure web software, or how we work? Contact us and let us know!
