When the React team announced a critical vulnerability in React Server Components on December 3 2025, the JavaScript community collectively held its breath. The flaw – tracked as CVE‑2025‑55182 and informally dubbed React2Shell – allowed unauthenticated attackers to execute arbitrary code on servers running React’s new Server Function protocol. Worse, the default configuration of frameworks like Next.js meant a standard create‑next‑app deployment could be exploited with no code changes. When researchers subsequently discovered additional Denial‑of‑Service (DoS) and source‑code‑leak bugs a week later, it became clear that many production sites were still in danger. This article summarises what happened during the React hack December 2025, which stacks were affected, how to patch, and what steps developers should take to protect their applications.
What happened: a deserialization bug and remote code execution
The root cause of the React hack December 2025 lies in the Flight protocol that powers React Server Components. React translates client‑side requests into HTTP calls to server functions, then deserializes the payloads and executes them on the server. Lachlan Davidson discovered that malformed payloads could bypass validation and influence server‑side execution, effectively giving an attacker remote code execution with no authentication. Because the vulnerable code lived in the react‑server‑dom‑* packages, any framework or bundler that supported React Server Components – including Next.js, React Router, Waku, Parcel’s RSC plugin, Vite’s RSC plugin and the Redwood SDK – inherited the bug.
The vulnerability was rated CVSS 10.0 because exploitation was trivial. A single HTTP request crafted against any Server Function endpoint was enough to achieve a full remote shell. Wiz’s threat research team observed near‑100% success rates in proof‑of‑concept tests and noted that 39% of cloud environments analysed contained vulnerable React or Next.js instances. This combination of ease‑of‑use, unauthenticated access and broad reach triggered the frenzy that the media described as the React hack December 2025.
Timeline: from initial disclosure to follow‑up CVEs
29 Nov 2025 – Vulnerability reported
Security researcher Lachlan Davidson privately reported the bug to the React team on 29 November 2025. The team assessed the issue and prepared patched versions.
3 Dec 2025 – React2Shell disclosed
On 3 December 2025, the React team publicly disclosed CVE‑2025‑55182 and released patched packages react‑server‑dom‑webpack@19.0.1, @19.1.2 and @19.2.1. They urged developers to upgrade immediately and emphasised that applications were vulnerable even if they did not implement server functions – it was enough to have React Server Components enabled. Hosting providers rolled out temporary Web Application Firewall (WAF) rules but the team warned developers not to rely on these mitigations.
5 Dec 2025 – Active exploitation in the wild
Within hours of the disclosure, threat‑intelligence teams observed mass scanning and exploitation attempts. Cloudflare’s security researchers saw traffic from multiple threat groups probing Internet‑facing React Server Component deployments. Attackers used automated vulnerability scanners and asset‑discovery tools to build target lists. Wiz and other vendors confirmed exploitation attempts leading to credential harvesting and cryptomining on compromised hosts.
11 Dec 2025 – New DoS and source‑leak CVEs
After the initial patches, researchers discovered two more vulnerabilities in the same code paths. On 11 December 2025 the React team disclosed CVE‑2025‑55184 (a high‑severity DoS) and CVE‑2025‑55183 (a medium‑severity source‑code exposure). These flaws did not enable remote code execution but could allow attackers to hang the server or retrieve Server Function source code. The team released patched versions 19.0.3, 19.1.4 and 19.2.3 and again urged all users to update.
11–15 Dec 2025 – Vendors release guidance and further fixes
Following the second disclosure, framework maintainers (Next.js, React Router, Waku, Redwood and others) issued new releases. Dynatrace’s security team summarised the situation: any organization running React Server Components or Next.js needed to patch immediately because proof‑of‑concept code was publicly available and active scanning had begun.
Are you affected?
If your application uses React Server Components, you should assume you’re impacted by the React hack December 2025. The vulnerable packages were react‑server‑dom‑webpack, react‑server‑dom‑parcel and react‑server‑dom‑turbopack in versions 19.0, 19.1.0, 19.1.1 or 19.2.0. Frameworks and bundlers such as Next.js, React Router, Waku, Parcel and Vite embed these packages and were therefore affected. Even if your app does not define any custom Server Functions, the mere presence of these packages in your dependency tree exposes you to attack.
Projects that don’t use server components (for example, client‑only React apps) are not vulnerable. Similarly, self‑hosted React Native apps that pin the react version and omit these packages are unaffected. Nevertheless, many modern projects adopt server components for improved performance; if you or your hosting provider enabled any RSC feature (like React Server Functions), you must assume exposure.
Immediate actions to mitigate the React hack December 2025
The critical takeaway from this incident is that there is no safe “wait and see” approach. Vulnerability scanners and exploit kits are freely available; unpatched servers will be compromised quickly. Operations teams should take the following steps:
Audit your dependencies and build pipeline. Use tools like npm ls or your package-manager lockfile to identify whether react-server-dom-* packages exist in your project. Check the versions of Next.js, React Router or other frameworks. If the vulnerable packages appear, you must upgrade immediately.
Upgrade to patched versions. Install patched React packages (react-server-dom-webpack@19.0.3, 19.1.4 or 19.2.3) or later. For Next.js, upgrade to the latest stable release in your line. The React team provided explicit commands, for example: npm install next@14.2.35 for projects on Next.js 13.4–14.x; npm install next@15.1.11 for 15.1.x; npm install next@16.0.10 for 16.x. Dynatrace recommends this upgrade as the primary remediation step.
Update related frameworks. If you use React Router’s experimental RSC APIs, upgrade react, react-dom, react-server-dom-parcel, react-server-dom-webpack and any RSC plugin to their latest versions. For Redwood, ensure you are on rwsdk@1.0.0-alpha.0 or later and update your react-server-dom-* packages. Waku and Parcel users should similarly update the react-server-dom-webpack dependency.
Apply temporary mitigations if you cannot update immediately. Cloudflare and other providers rolled out WAF rules that block known exploit payloads. These rules can buy you a short window of protection while you patch. However, both React and Cloudflare stress that these mitigations are incomplete and should not be relied upon as a long-term fix.
Disable or limit Server Functions and RSC features. If you can temporarily revert to client-side rendering, disable server components until the upgrade is complete. Reduce the attack surface by limiting exposed endpoints and requiring authentication for any remaining server functions.
Monitor for exploitation. Review logs of your server functions for unexpected requests. Dynatrace suggests leveraging runtime vulnerability analytics to detect suspicious payloads. You can also monitor network traffic for signs of scanning (for example, repeated HTTP requests to /_rsc/ endpoints).
Check for post-exploitation activity. Wiz observed attackers using compromised servers to harvest credentials and deploy cryptocurrency miners. After patching, inspect environment variables and logs for suspicious commands or file downloads and rotate any exposed credentials.
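The audit step above is easy to get wrong by hand because bundlers nest their own copy of react-server-dom-* under node_modules/next or similar. The following is an added example (not tooling from the React team or any framework) that walks the "packages" map of a package-lock.json and classifies every react-server-dom-* entry against the version lines this article cites; the sample lock is constructed, and the patch floors (19.0.3 / 19.1.4 / 19.2.3) and first-patch versions (19.0.1 / 19.1.2 / 19.2.1) are taken from the article, so confirm them against the current React advisory before relying on the output.

```javascript
// Minimum safe patch per 19.x minor line, as the article states them.
const SAFE_FLOOR = { '19.0': 3, '19.1': 4, '19.2': 3 };
// Initial, incomplete patch releases: RCE fixed, DoS/source-leak bugs remain.
const FIRST_PATCH = { '19.0': 1, '19.1': 2, '19.2': 1 };

const RSC_PKG = /^react-server-dom-(webpack|parcel|turbopack)$/;

function parseVersion(v) {
  // Accepts "19.2.0" as well as prerelease forms such as "19.2.0-canary-...".
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3] } : null;
}

// Returns 'rce-vulnerable', 'partially-patched', 'patched' or 'unknown-line'.
// 'unknown-line' means the version is outside the 19.0/19.1/19.2 lines the
// article covers and must be checked manually against the advisory.
function classify(version) {
  const v = parseVersion(version);
  if (!v) return 'unknown-line';
  const line = `${v.major}.${v.minor}`;
  if (!(line in SAFE_FLOOR)) return 'unknown-line';
  if (v.patch >= SAFE_FLOOR[line]) return 'patched';
  if (v.patch >= FIRST_PATCH[line]) return 'partially-patched';
  return 'rce-vulnerable';
}

// lock: a parsed package-lock.json (lockfileVersion 2 or 3). Keys of "packages"
// are install paths, e.g. "node_modules/next/node_modules/react-server-dom-webpack",
// so nested copies pulled in by a framework are found as well as top-level ones.
function auditLock(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!RSC_PKG.test(name)) continue;
    findings.push({ path, name, version: entry.version, status: classify(entry.version) });
  }
  return findings;
}

// Constructed sample lock: a top-level copy still on 19.2.0 and a copy nested
// under next that only received the first, incomplete patch.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/next': { version: '15.1.10' },
    'node_modules/react-dom': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/next/node_modules/react-server-dom-turbopack': { version: '19.1.2' },
  },
};

for (const f of auditLock(sampleLock)) console.log(`${f.status.padEnd(18)} ${f.name}@${f.version}  ${f.path}`);
```

Feed it your real lockfile with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')); any finding other than 'patched' means the upgrade steps above still apply.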
Patching instructions
Here are concrete upgrade commands for popular stacks affected by the React hack December 2025:
Update React packages
If your project uses react-server-dom-webpack, react-server-dom-parcel or react-server-dom-turbopack, update to version 19.0.3, 19.1.4 or 19.2.3 (or later).
For projects still on the initial patch versions (19.0.1, 19.1.2 or 19.2.1), update again to the new patched versions; the first patch was incomplete.
Update Next.js
Follow the React team’s guidance: upgrade to the latest stable release in your major version line. For example:
# Projects on Next.js 13.3–14.x
npm install next@14.2.35
# Projects on Next.js 15.0.x
npm install next@15.0.7
# Projects on Next.js 15.1.x
npm install next@15.1.11
# Projects on Next.js 16.0.x
npm install next@16.0.10
If you are on a canary release, downgrade to the latest stable version as recommended in the React advisory.
Update React Router, Redwood, Waku and other frameworks
For React Router, update react and react-dom to their latest versions and upgrade the react-server-dom packages and any RSC plugin.
For Redwood, upgrade rwsdk to the latest alpha or beta and ensure react-server-dom-webpack is up to date.
For Waku, Parcel’s RSC plugin, Vite’s RSC plugin and other frameworks, update react-server-dom-webpack to the latest release.
Temporary mitigations and defence‑in‑depth
While patching is the definitive fix for the React hack December 2025, you may deploy additional safeguards:
Web Application Firewall (WAF) rules. Cloudflare and other security vendors have released specific rules to block known exploit payloads targeting CVE-2025-55182. If you operate your own reverse proxy (e.g. Nginx or Envoy), consider adding rules that deny requests containing malicious RSC payloads (characterised by unexpected chunk markers or extremely long flight fields).
Traffic segmentation. Restrict access to your server function endpoints by IP allowlists or by requiring authentication tokens. Many attacks observed in December 2025 relied on unauthenticated access, so even simple gating can thwart opportunistic scans.
Runtime monitoring. Enable runtime protection or intrusion‑detection tools (for example, Dynatrace’s Runtime Vulnerability Analytics) to detect suspicious HTTP requests and code execution. Combine this with continuous scanning of your dependencies to catch new vulnerabilities.
Incident response readiness. Prepare a runbook for incidents: know how to revoke compromised credentials, rotate secrets and restore from backups. Because some threat actors installed cryptominers and harvested cloud keys, quick containment is essential if you were breached.
Lessons from the React hack December 2025
This incident underscores several broader lessons for development teams:
Keep dependencies up‑to‑date and monitor advisories. Many applications were compromised because they ran older packages and had no process to monitor security advisories. Subscribe to security mailing lists and use tools like Dependabot, Snyk or npm‑audit.
Understand your attack surface. Server components blur the line between client and server. If you enable experimental features, ensure you understand their security implications and have a plan to respond to disclosures.
Do not rely solely on hosting providers. Hosting platforms may deploy mitigations, but these are stopgaps. You are responsible for upgrading your codebase.
Adopt defence‑in‑depth. WAF rules, runtime monitoring and network segmentation are complementary tools. Use them to reduce blast radius while you patch.
Be prepared for follow‑up vulnerabilities. As the React team noted, critical CVEs often prompt additional disclosures. Update promptly and verify that fixes address the underlying issues.
Conclusion
The React hack December 2025 was a wake‑up call for the JavaScript ecosystem. A single deserialization bug in a new protocol cascaded into a severe remote‑execution flaw, prompting active exploitation and follow‑up vulnerabilities. The incident shows how quickly attackers weaponise public disclosures – Cloudflare observed scanning within hours and Wiz saw widespread exploitation. The only safe path forward is to audit, patch and monitor. By upgrading your react‑server‑dom packages, updating your framework and applying defence‑in‑depth measures, you can protect your application and your users.
Datronix Tech can help you navigate these urgent security challenges. If you need expert guidance on upgrading your React stack or hardening your server functions, contact our team today.