Critical Security Vulnerability in React Server Components

Montech Team

In early December 2025, the React team disclosed a critical security vulnerability in React Server Components (RSC), tracked as CVE-2025-55182 and commonly referred to as "React2Shell". The flaw sits in the server-side decoding of RSC payloads in the react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack packages, and it allows unauthenticated remote code execution (RCE) on any server that decodes client-supplied RSC payloads with an affected version. That puts production applications at serious risk.

If your application uses React Server Components, Next.js App Router, or any framework built on top of RSC, immediate action is required.

What Is the React 2 Shell Vulnerability?

React2Shell is an unsafe-deserialization bug. React Server Components use a serialized payload format (React's "Flight" protocol) not only to stream rendered component trees to the browser, but also to carry data from the browser back to the server, for example the arguments of a Server Function call. In affected versions the server-side decoder does not sufficiently validate that client-supplied payload, so an attacker can craft a request whose deserialization makes the server run attacker-controlled code.

When exploited, this vulnerability can allow attackers to:

  • Execute arbitrary code on the server
  • Access environment variables (API keys, secrets)
  • Read or modify backend data
  • Escalate privileges within your infrastructure

⚠️ Severity: Critical
⚠️ Authentication Required: No
⚠️ Impact: Full server compromise in worst-case scenarios

How the Attack Works (High-Level)

React Server Components rely on a specialized payload format to move component data between server and client. In affected versions the server-side decoder performs insufficient validation of the payloads it receives, so an attack looks like this:

  • The attacker sends an unauthenticated HTTP request to an RSC endpoint (for example a Server Function call) carrying a specially crafted payload
  • The payload passes the decoder's checks in affected versions
  • While deserializing it, the server is driven into executing attacker-controlled code
  • The attacker now has remote code execution with the privileges of the server process

This is especially dangerous because the attack does not require authentication and can be executed remotely.

Affected Versions

The vulnerable code lives in the RSC server packages (react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack), which are versioned in lockstep with React. Next.js bundles its own copies of these packages, so a Next.js app is affected through its Next.js version (see the framework table below). The affected and fixed versions of the RSC packages are:

Vulnerable Versions

  • React 19.0.0
  • React 19.1.0 – 19.1.1
  • React 19.2.0

Patched Versions

Upgrade immediately to one of the following:

  • React 19.0.1
  • React 19.1.2
  • React 19.2.1

🛠 How to Fix the Issue

1. Upgrade React Immediately

Run the following command based on your package manager. If you are on Next.js, note that Next.js ships its own bundled copies of the RSC server packages, so upgrading react and react-dom alone does not fix a Next.js app; step 2 is the one that matters there:

npm install react@latest react-dom@latest

or

pnpm up react react-dom

or

yarn upgrade react react-dom

2. Update Your Framework

All users should upgrade to the latest patched version in their release line. If you are using Next.js, install the patched release that matches the line you are on:

  • 13.3.x, 13.4.x, 13.5.x and 14.x: npm install next@14.2.35
  • 15.0.x: npm install next@15.0.7
  • 15.1.x: npm install next@15.1.11
  • 15.2.x: npm install next@15.2.8
  • 15.3.x: npm install next@15.3.8
  • 15.4.x: npm install next@15.4.10
  • 15.5.x: npm install next@15.5.9
  • 16.0.x: npm install next@16.0.10
  • 15.x canary releases: npm install next@15.6.0-canary.60
  • 16.x canary releases: npm install next@16.1.0-canary.19

After upgrading, confirm the installed version (for example with npm ls next) and redeploy; a patched lockfile does nothing until the new build is actually running in production.
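The version checks above are easy to get wrong by hand across a fleet of repositories, so here is an added example (not code from the React or Next.js projects) that audits an npm lockfile against the releases named in this post. It walks the `packages` map of a lockfile v2/v3 file, flags the three react-server-dom-* packages at the listed vulnerable versions and any next release older than the patched release of its line, and reports what to upgrade to. The version lists are taken from this post; the sample lockfile, the hoisted layout it shows and the package name some-lib are constructed for illustration, and the script only understands npm's lockfile format.

```javascript
// Added example (not code from the React or Next.js projects): audit an npm
// lockfile for the releases named in the advisory. Version lists come from the
// post; the sample lockfile at the bottom is constructed.

const RSC_PACKAGES = ["react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"];
// Vulnerable react-server-dom-* release -> first patched release in that line.
const RSC_FIX = { "19.0.0": "19.0.1", "19.1.0": "19.1.2", "19.1.1": "19.1.2", "19.2.0": "19.2.1" };

// Next.js release lines: [lower bound inclusive, upper bound exclusive, first patched release].
const NEXT_PATCHES = [
  ["13.3.0", "15.0.0", "14.2.35"],
  ["15.0.0", "15.1.0", "15.0.7"],
  ["15.1.0", "15.2.0", "15.1.11"],
  ["15.2.0", "15.3.0", "15.2.8"],
  ["15.3.0", "15.4.0", "15.3.8"],
  ["15.4.0", "15.5.0", "15.4.10"],
  ["15.5.0", "15.6.0", "15.5.9"],
  ["16.0.0", "16.1.0", "16.0.10"],
];

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Semver prerelease precedence: dot-separated identifiers, numeric ones compare as numbers.
function comparePre(a, b) {
  const as = a.split("."), bs = b.split(".");
  for (let i = 0; i < Math.max(as.length, bs.length); i++) {
    if (as[i] === undefined) return -1;
    if (bs[i] === undefined) return 1;
    const an = Number(as[i]), bn = Number(bs[i]);
    const c = Number.isNaN(an) || Number.isNaN(bn) ? as[i].localeCompare(bs[i]) : an - bn;
    if (c !== 0) return c;
  }
  return 0;
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  if (pa.pre && !pb.pre) return -1; // a prerelease sorts before its release
  if (!pa.pre && pb.pre) return 1;
  return pa.pre && pb.pre ? comparePre(pa.pre, pb.pre) : 0;
}

function auditRsc(name, version) {
  if (!RSC_PACKAGES.includes(name)) return null;
  const fix = RSC_FIX[version];
  return { name, version, vulnerable: Boolean(fix), upgradeTo: fix || null };
}

function auditNext(version) {
  const { nums, pre } = parseVersion(version);
  if (pre && pre.startsWith("canary.")) {
    // Canary lines get their own patched canary in the advisory.
    const target = nums[0] >= 16 ? "16.1.0-canary.19" : "15.6.0-canary.60";
    const vulnerable = compareVersions(version, target) < 0;
    return { name: "next", version, vulnerable, upgradeTo: vulnerable ? target : null };
  }
  for (const [lo, hi, patched] of NEXT_PATCHES) {
    if (compareVersions(version, lo) >= 0 && compareVersions(version, hi) < 0) {
      const vulnerable = compareVersions(version, patched) < 0;
      return { name: "next", version, vulnerable, upgradeTo: vulnerable ? patched : null };
    }
  }
  // Outside the advisory's ranges (a line the post does not list): undetermined, not "safe".
  return { name: "next", version, vulnerable: null, upgradeTo: null };
}

// npm lockfile v2/v3: `packages` maps install paths ("node_modules/next",
// "node_modules/a/node_modules/b") to entries carrying a `version`.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || !entry.version) continue; // root project entry or workspace link
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const result = name === "next" ? auditNext(entry.version) : auditRsc(name, entry.version);
    if (result && result.vulnerable) findings.push({ path, ...result });
  }
  return findings;
}

// Constructed sample lockfile: a Next.js 15.5 app with a hoisted react-server-dom-webpack.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/next": { version: "15.5.4" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-dom": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-lib/node_modules/react-server-dom-turbopack": { version: "19.2.1" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}: ${f.version} is vulnerable, upgrade to ${f.upgradeTo}`);
}
```

Point `auditLockfile` at `JSON.parse(fs.readFileSync("package-lock.json"))` to run it against a real project. The nested react-server-dom-turbopack entry in the sample is already at 19.2.1 and is correctly left alone, while next 15.5.4 and the hoisted react-server-dom-webpack 19.2.0 are both reported. A `vulnerable: null` result for next means the version fell outside the lines this post lists, which should be read as "check the advisory", not as a clean bill of health.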

If your app was running a vulnerable version, assume the server may already have been compromised and act accordingly:

  • Rotate API keys and any other secrets the process could read (environment variables, .env files)
  • Regenerate database credentials
  • Review access logs for suspicious activity, in particular unexpected POST requests to RSC or Server Function endpoints
  • Check the host itself for signs of post-exploitation, such as unexpected processes, files or outbound connections

Additional Security Hardening Tips

Even after upgrading, we strongly recommend the following best practices. None of them replaces the upgrade; a WAF rule in particular only buys time until the patched build is deployed:

  • Enable a Web Application Firewall (WAF) and keep its rule set current
  • Validate all server-side inputs, including the arguments received by Server Functions
  • Restrict exposure of Server Function endpoints where possible (an internal-only application should not be reachable from the internet)
  • Monitor logs for abnormal RSC traffic, such as bursts of POST requests to Server Function endpoints or unexpected 5xx responses from them
  • Run regular dependency audits (npm audit or the equivalent for your package manager) so future advisories surface quickly
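To make the "monitor logs for abnormal RSC traffic" item concrete, here is an added example (not code from the React or Next.js projects) of a triage pass over structured access-log records. Next.js delivers Server Action calls as POST requests carrying a `Next-Action` request header, so the pass isolates those requests and applies two heuristics: a Server Action call that ended in a 5xx, and a single source spraying Server Action POSTs across many distinct routes inside a short window. The thresholds, the record shape (lowercase header names, ISO timestamps) and the log records themselves are constructed for illustration; tune the thresholds to your own traffic before relying on them.

```javascript
// Added example (not code from the React or Next.js projects): triage of
// access-log records for Server Action traffic. Next.js sends Server Action
// calls as POSTs with a `Next-Action` request header. Thresholds, record shape
// and the sample records are constructed; header names are assumed lowercase.

const BURST_WINDOW_MS = 60_000; // assumption: one-minute sliding window
const BURST_PATHS = 5;          // assumption: >= 5 distinct paths per source per window

function isServerActionPost(rec) {
  return rec.method === "POST" && typeof rec.headers["next-action"] === "string";
}

function triage(records) {
  const findings = [];
  const bySource = new Map();

  for (const rec of records) {
    if (!isServerActionPost(rec)) continue;
    // Rule 1: a Server Action call that ended in a server error. Malformed or
    // hostile payloads hitting the RSC decoder tend to surface as 5xx responses.
    if (rec.status >= 500) {
      findings.push({ rule: "action-5xx", ip: rec.ip, path: rec.path, ts: rec.ts });
    }
    if (!bySource.has(rec.ip)) bySource.set(rec.ip, []);
    bySource.get(rec.ip).push(rec);
  }

  // Rule 2: one source firing Server Action POSTs at many different routes in a
  // short window, which legitimate form submissions rarely do.
  for (const [ip, list] of bySource) {
    list.sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
    let start = 0;
    for (let end = 0; end < list.length; end++) {
      while (Date.parse(list[end].ts) - Date.parse(list[start].ts) > BURST_WINDOW_MS) start++;
      const paths = new Set(list.slice(start, end + 1).map((r) => r.path));
      if (paths.size >= BURST_PATHS) {
        findings.push({ rule: "action-spray", ip, distinctPaths: paths.size, from: list[start].ts, to: list[end].ts });
        break; // one finding per source is enough to prompt a look
      }
    }
  }
  return findings;
}

// Constructed records using RFC 5737 documentation addresses. "deadbeef" and
// "7f3a" stand in for action ids; they are placeholders, not real ids.
const SAMPLE_RECORDS = [
  { ts: "2025-12-04T10:00:00Z", ip: "198.51.100.4", method: "GET",  path: "/pricing",  status: 200, headers: { rsc: "1" } },
  { ts: "2025-12-04T10:00:05Z", ip: "198.51.100.4", method: "POST", path: "/checkout", status: 200, headers: { "next-action": "7f3a" } },
  { ts: "2025-12-04T10:01:00Z", ip: "203.0.113.7",  method: "POST", path: "/",         status: 500, headers: { "next-action": "deadbeef" } },
  { ts: "2025-12-04T10:01:02Z", ip: "203.0.113.7",  method: "POST", path: "/about",    status: 500, headers: { "next-action": "deadbeef" } },
  { ts: "2025-12-04T10:01:04Z", ip: "203.0.113.7",  method: "POST", path: "/blog",     status: 200, headers: { "next-action": "deadbeef" } },
  { ts: "2025-12-04T10:01:06Z", ip: "203.0.113.7",  method: "POST", path: "/pricing",  status: 200, headers: { "next-action": "deadbeef" } },
  { ts: "2025-12-04T10:01:08Z", ip: "203.0.113.7",  method: "POST", path: "/contact",  status: 200, headers: { "next-action": "deadbeef" } },
  { ts: "2025-12-04T10:05:00Z", ip: "198.51.100.4", method: "POST", path: "/checkout", status: 200, headers: { "next-action": "7f3a" } },
];

for (const f of triage(SAMPLE_RECORDS)) console.log(JSON.stringify(f));
```

On the sample data the legitimate user's two checkout submissions produce nothing, while the 203.0.113.7 source yields two action-5xx findings and one action-spray finding covering five routes in eight seconds. Both rules are cheap enough to run continuously over a log stream, and a hit on either is a reason to pull the request bodies for that source and confirm the running Next.js version on the host.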

Upgrade immediately.
This vulnerability is actively exploitable and poses a significant risk to production systems.

Final Thoughts

React Server Components unlock powerful performance benefits—but they also introduce new attack surfaces. The React 2 Shell vulnerability is a strong reminder that server-side rendering is still server-side code and must be treated with the same security rigor as any backend system.