Hunting down the React2Shell vulnerability across enterprise codebases (part 1)
Blog post from Sourcegraph
In response to a critical security vulnerability identified as CVE-2025-55182, which allows unauthenticated remote code execution in React Server Components, this post offers guidance on using Sourcegraph code search queries and Deep Search to locate and manage affected projects. The vulnerability, reported by Lachlan Davidson on November 29, 2025, affects versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of specific React Server Components packages, so checks must cover not only direct use of those packages but also their presence inside dependent frameworks such as Next.js and React Router. The post recommends using Sourcegraph's CLI or web app to find affected code in both public and private codebases, and stresses that a package version can appear upgradable in a manifest while the lockfile still pins it to an affected release. Deep Search is suggested for running more complex queries and conducting thorough investigations, and a future installment is promised to cover fixing and tracking the vulnerable code.
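The manifest-versus-lockfile caveat above is the kind of check a code-search hit should be followed by. The following is an added example, not code from the Sourcegraph post: it reads a constructed package.json and an npm v2/v3 package-lock.json, reports every copy of an affected package (direct or nested under another package) resolved to one of the listed versions, and flags the case where a caret or tilde range looks upgradable but the lockfile still pins the old release. The package name react-server-dom-webpack is an assumption standing in for whichever packages the advisory names.

```python
import json

# Constructed sample files (not from the original post): one direct dependency and
# one transitive copy nested under a framework package.
PACKAGE_JSON = """{
  "dependencies": {"react-server-dom-webpack": "^19.0.0", "next": "15.0.0"}
}"""
PACKAGE_LOCK = """{
  "packages": {
    "node_modules/react-server-dom-webpack": {"version": "19.1.1"},
    "node_modules/next": {"version": "15.0.0"},
    "node_modules/next/node_modules/react-server-dom-webpack": {"version": "19.2.0"},
    "node_modules/react": {"version": "19.1.1"}
  }
}"""

# Versions as listed in the summary; the package name is an assumption.
AFFECTED_PACKAGES = {"react-server-dom-webpack"}
AFFECTED_VERSIONS = {"19.0.0", "19.1.0", "19.1.1", "19.2.0"}


def normalize(version):
    """Pad a short version such as "19.0" to three components."""
    parts = version.split(".")
    return ".".join(parts + ["0"] * (3 - len(parts)))


def find_vulnerable(manifest_text, lock_text):
    """Return each lockfile entry resolving an affected package to an affected
    version, whether declared directly or pulled in by another package."""
    declared = {}
    for section in ("dependencies", "devDependencies"):
        declared.update(json.loads(manifest_text).get(section, {}))
    findings = []
    for path, entry in json.loads(lock_text).get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]
        if name not in AFFECTED_PACKAGES:
            continue
        resolved = normalize(entry.get("version", ""))
        if resolved not in AFFECTED_VERSIONS:
            continue
        # Only a top-level entry corresponds to a range in package.json.
        spec = declared.get(name) if path == f"node_modules/{name}" else None
        findings.append({
            "path": path,
            "resolved": resolved,
            "declared": spec,
            # A ^ or ~ range looks upgradable, but the lockfile keeps the old
            # resolution until the lock itself is regenerated.
            "pinned_by_lockfile": spec is not None and spec[0] in "^~",
        })
    return findings
```

Running it against real repositories means feeding each hit's package.json and lockfile into `find_vulnerable` and treating `pinned_by_lockfile` entries as needing a lockfile refresh, not just a manifest bump.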