Netlify’s response to the critical React & Next.js security vulnerability

December 3, 2025

Update (2025-12-06 19:15 UTC): An official npm package has been released to update affected Next.js apps. Run npx fix-react2shell-next to update now. For more information, see the GitHub repository for react2shell.

Update (2025-12-06 15:42 UTC): As this threat landscape is still evolving in real time, we advise all customers to immediately upgrade all React and Next.js projects to a patched version.

Update (2025-12-06 09:24 UTC): We have deployed further mitigations for newly discovered exploit vectors.

A critical vulnerability (CVE-2025-55182) was recently disclosed in React’s Server Functions protocol, a feature of React Server Components (RSC). React 19.0, 19.1, and 19.2 are affected.

Working closely with the React and Next.js teams, we received early notice and immediately took action to protect our customers.

The vulnerability can be exploited using all RSC implementations, including:

In affected configurations, an attacker could craft a request that allows them to execute arbitrary code within the context of the victim’s app.

On December 3, at 14:00 UTC, the Netlify team rolled out a patch that prevents this vulnerability from being exploited on our customers’ sites. Since then, sites hosted on Netlify have not been vulnerable to this exploit. We have found no evidence of exploitation on any Netlify site.

Please upgrade all React and Next.js projects to a patched version immediately; the platform-level patch is a mitigation, not a substitute for upgrading your dependencies. In the case of Next.js, also allow automatic updates of the OpenNext Netlify Next.js adapter.

We are working continually with the React and Next.js teams and are committed to keeping your sites secure on Netlify.


This post was last updated on 2025-12-06 at 19:15 UTC