×

Security vulnerability has been discovered in React Server

Security vulnerability has been discovered in React Server

Recently, a critical remote code execution (RCE) vulnerability without authentication was discovered in React Server Components — CVE-2025-55182 (React2Shell).

This vulnerability threatens many websites and applications that use the React library and its components, including frameworks built on React (Next.js, Vue.js, etc.).

The vulnerability affects versions 19.0, 19.1.0, 19.1.1, and 19.2.0 (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack).

How to fix the current React vulnerability

The fix has been introduced in versions 19.0.1, 19.1.2, and 19.2.1. If you are using any of the affected packages, please update immediately to one of the patched versions.

If your website runs on React or uses its components, it is important to take the following steps urgently:

  • Update React and your framework to the latest version. All known vulnerabilities, including CVE-2025-55182, have been fixed in the new React releases. Make sure you are using up-to-date package versions.
  • After updating, it is recommended to perform a full audit of your code and dependencies.
  • Apply patches for third-party libraries. If your application uses additional packages or components based on React, ensure they are also updated to the latest secure versions.
  • Strengthen security monitoring on your projects and servers to detect possible exploitation attempts.


A separate risk applies to projects deployed on virtual or dedicated servers. This vulnerability is currently actively exploited by botnets to scan and execute code on vulnerable servers.
If the server has been compromised by a botnet, applying a patch may not be enough — the server may contain other backdoors implanted during the attack. In this case, we recommend backing up all projects and important data, auditing application code, reinstalling the server OS (or ordering a new server for a soft migration), and redeploying the projects with updated packages.

If you do not have the ability or experience to handle this on your own, contact the experienced specialists at the Web Building agency.

01Office in Kiev
Kiev, 02068
st. Akhmatova 9/18
02Brovary office
Brovary, 07405
st. Chornovola 2-A
03Work
Mon-Fri 9: 00-18: 00
Sat. 11-00 -16: 00