React2Shell RCE Vulnerability: Critical Exploit in React Server Components and Next.js — Patch Immediately
Source: Dev.to
Overview
A severe security vulnerability in React Server Components (RSC), dubbed React2Shell, enables remote code execution (RCE) on servers running React and Next.js applications. The flaw resides in the RSC “Flight” protocol and is caused by unsafe deserialization. Attackers can send crafted payloads that execute arbitrary code on the server.
Impact
- React Server Components (any implementation)
- Next.js App Router (relies on RSC under the hood)
- Any bundler or framework that depends on react-server-dom-* packages (e.g., Webpack, Turbopack, Parcel)
Using RSC—even without writing server actions—is sufficient for exploitation. Independent security researchers observed exploitation attempts shortly after disclosure.
Affected Packages
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Mitigation Steps
- Upgrade all RSC packages to a fixed version:
    # Choose one of the following versions (or newer)
    # 19.0.1, 19.1.2, 19.2.1
- Redeploy your application after updating.
- Next.js remediation: run the automated tool provided by the Next.js team:
    npx fix-react2shell-next
  Then upgrade to the patched Next.js release listed in their advisory and redeploy.
- Rotate all secrets and environment variables.
- Review logs for suspicious requests or processes.
- Run security scans on any deployment that was online before patching.
References
- React advisory:
- Next.js advisory: