CVE-2025-55182 and CVE-2025-66478 (“React2Shell”) – All you need to know
Blog post from JFrog
A critical vulnerability known as "React2Shell" has been identified in React and Next.js that allows remote, potentially unauthenticated attackers to execute arbitrary code through React Server Function endpoints. The vulnerability is nearly 100% exploitable in default configurations, though no proof-of-concept exploits have been confirmed as legitimate. React servers using Server Function endpoints or supporting Server Components are at risk, as are Next.js applications using the App Router in default settings. The affected packages include react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack, with fixed versions available for upgrade. Mitigation strategies include upgrading to patched versions or, for Next.js, migrating back to the Pages Router. JFrog provides tools for tracking and addressing these vulnerabilities through its Xray platform and its open-source detectors.
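As an added example (not JFrog's detector or any React tooling), the following Node script inventories every installed copy of the three affected packages from a package-lock.json (lockfileVersion 2 or 3, the `packages` map) and flags copies older than a fixed version. The lockfile contents and the fixed versions in it are constructed placeholders; the real fixed versions must be taken from the advisory.

```javascript
// Added example (not JFrog's or React's tooling): list every installed copy of
// the three react-server-dom-* packages from a package-lock.json (lockfileVersion
// 2 or 3) and flag copies older than a supplied fixed version.
const AFFECTED = new Set(['react-server-dom-webpack', 'react-server-dom-parcel',
                         'react-server-dom-turbopack']);
// Compare "x.y.z[-pre]" strings: -1, 0 or 1. A pre-release sorts below its
// release; pre-release tags are compared as plain strings; build metadata is ignored.
function compareSemver(a, b) {
  const [aMain, ...aPre] = a.split('+')[0].split('-');
  const [bMain, ...bPre] = b.split('+')[0].split('-');
  const an = aMain.split('.').map(Number), bn = bMain.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = an[i] || 0, y = bn[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  const ap = aPre.join('-'), bp = bPre.join('-');
  if (ap === bp) return 0;
  if (!ap || !bp) return ap ? -1 : 1; // a release beats its pre-release
  return ap < bp ? -1 : 1;
}

// Package name = everything after the last "node_modules/" in the lock path, so
// nested copies (node_modules/x/node_modules/y) and scoped names are handled.
// fixedVersions maps package name -> first fixed version (from the advisory);
// `vulnerable` is null when no fixed version is known for that package.
function findAffected(lock, fixedVersions) {
  const hits = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    const i = lockPath.lastIndexOf('node_modules/');
    const name = i === -1 ? null : lockPath.slice(i + 'node_modules/'.length);
    if (!name || !AFFECTED.has(name) || !meta.version) continue;
    const fixed = fixedVersions[name];
    const vulnerable = fixed ? compareSemver(meta.version, fixed) < 0 : null;
    hits.push({ path: lockPath, name, version: meta.version, vulnerable });
  }
  return hits;
}
// Constructed sample lockfile and PLACEHOLDER fixed versions for the demo only;
// replace the placeholders with the fixed versions published in the advisory.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/next': { version: '15.0.0' },
  'node_modules/react-server-dom-webpack': { version: '19.0.0' },
  'node_modules/vendored/node_modules/react-server-dom-turbopack': { version: '19.2.0' },
} };
const PLACEHOLDER_FIXED = { 'react-server-dom-webpack': '19.0.1',
                            'react-server-dom-turbopack': '19.2.0' };
for (const h of findAffected(SAMPLE_LOCK, PLACEHOLDER_FIXED)) {
  console.log(`${h.vulnerable ? 'VULNERABLE' : 'ok'} ${h.name}@${h.version} (${h.path})`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; lockfileVersion 1 files have no `packages` map and produce no hits.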