React2Shell Security Issue: what React Bricks users need to know

Intro
A recently disclosed security issue affecting React Server Components (RSC)—informally known as React2Shell—has raised understandable concern across the React and Next.js ecosystem. Although this is not a React Bricks vulnerability, many of our customers deploy React Bricks inside Next.js apps that use RSC, so we want to make sure you stay safe and informed.
In this post we'll explain what React2Shell is, why it matters, and what you should do to protect your projects.
What Is React2Shell (CVE-2025-55182)?
React2Shell (CVE-2025-55182) refers to a critical vulnerability in the React Server Components (RSC) architecture, specifically in how RSC handles serialization and deserialization between server and client through the Flight protocol. A properly crafted payload sent through this flow can enable remote code execution (RCE) in applications running unpatched versions of React or frameworks built on RSC, including Next.js.
The vulnerability was responsibly disclosed and patched versions are now available.
Is React Bricks affected?
No — React Bricks itself is not affected.
React Bricks runs in your Next.js (or Astro, Remix, Gatsby) project, and the vulnerability lies in React's underlying Server Components internals, not in any React Bricks code.
However, because many React Bricks users run Next.js with RSC enabled (App Router), we strongly recommend upgrading to the latest patched versions of React and Next.js to ensure your project is protected.
Who Is Affected?
Essentially, anyone using a React framework that supports React Server Components (RSC) and has not yet updated to a patched release may be affected.
For React Bricks customers, this primarily means projects using Next.js with the App Router, and—though far less common—those experimenting with Remix RSC previews.
If you are using Next.js, the Vercel React2Shell Bulletin provides full details.
According to Vercel, the affected Next.js versions are:
- Next.js 15.0.x before 15.0.5
- Next.js 15.1.x before 15.1.9
- Next.js 15.2.x before 15.2.6
- Next.js 15.3.x before 15.3.6
- Next.js 15.4.x before 15.4.8
- Next.js 15.5.x before 15.5.7
- Next.js 16.0.x before 16.0.7
- Next.js 14 canaries after 14.3.0-canary.76
- Next.js 15 canaries before 15.6.0-canary.58
- Next.js 16 canaries before 16.1.0-canary.12
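The ranges above can be checked mechanically against the version actually installed. The following is an added example, not code from React Bricks, Vercel or Next.js; the function name `classifyNextVersion` and its result labels are assumptions, and it expects a resolved version rather than a semver range.

```javascript
// Added example, not code from React Bricks, Vercel or Next.js.
// Input must be a resolved version (e.g. from node_modules/next/package.json
// or your lockfile), not a range such as "^15.1.0".

// First patched patch number per stable line, from the list on this page.
const FIRST_PATCHED = {
  "15.0": 5, "15.1": 9, "15.2": 6, "15.3": 6, "15.4": 8, "15.5": 7, "16.0": 7,
};

// Canary bounds from this page as [major, minor, patch, canary].
const CANARY_BOUNDS = {
  14: { after: [14, 3, 0, 76] },
  15: { before: [15, 6, 0, 58] },
  16: { before: [16, 1, 0, 12] },
};

// Lexicographic comparison of two equal-length number arrays.
function compareTuples(a, b) {
  for (let i = 0; i < a.length; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns "affected", "not-listed" (outside the ranges above) or "unknown"
// (unparseable, or a pre-release tag the list does not cover, e.g. "-rc.1").
function classifyNextVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-canary\.(\d+))?$/.exec(String(version).trim());
  if (!m) return "unknown";
  const [major, minor, patch] = [Number(m[1]), Number(m[2]), Number(m[3])];

  if (m[4] === undefined) {
    // Stable release: affected only if its line is listed and it predates the fix.
    const fixed = FIRST_PATCHED[`${major}.${minor}`];
    return fixed !== undefined && patch < fixed ? "affected" : "not-listed";
  }
  const bound = CANARY_BOUNDS[major];
  if (!bound) return "not-listed";
  const tuple = [major, minor, patch, Number(m[4])];
  const hit = bound.after
    ? compareTuples(tuple, bound.after) > 0   // "canaries after X" (exclusive)
    : compareTuples(tuple, bound.before) < 0; // "canaries before X" (exclusive)
  return hit ? "affected" : "not-listed";
}

// Constructed sample versions, for illustration only.
for (const v of ["15.1.8", "15.1.9", "14.2.5", "15.6.0-canary.57", "16.1.0-canary.12"]) {
  console.log(v.padEnd(18), classifyNextVersion(v));
}
```

A result of "not-listed" only means the version falls outside the ranges quoted on this page; consult the Vercel bulletin for release lines not covered here.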
Patched Versions
The React and Next.js teams have released patched versions that address the React2Shell vulnerability.
To stay secure, you should use one of the patched React RSC releases and one of the patched Next.js framework releases listed below.
React patched versions (react-server-dom-*)
- 19.0.1
- 19.1.2
- 19.2.1
Next.js patched versions
- 15.0.5
- 15.1.9
- 15.2.6
- 15.3.6
- 15.4.8
- 15.5.7
- 16.0.7
React Bricks Starters Updated
All official React Bricks starters and example projects have been updated to use the latest patched versions of Next.js and React.
If you create a new project from one of our starters today, it will already include the fixed releases and is not affected by the React2Shell vulnerability.
For existing projects, please follow the upgrade instructions in the next section to ensure your application is fully protected.
How to Fix the Issue
To ensure your project is protected from the React2Shell vulnerability, we recommend updating your dependencies to the patched versions listed above.
For Next.js users, the simplest way to do this is by using the official automated upgrade utility.
Automatic upgrade for Next.js
You can automatically update your Next.js project to a patched release by running:
This tool updates your Next.js version and related React packages to secure versions.
Manual upgrade
If you prefer to update manually—or if your setup requires it—update your dependencies to one of the patched versions listed in the previous section.
For example:
or with your package manager of choice:
After upgrading, be sure to rebuild and redeploy your application so the patched versions are active in production.
Final Thoughts
Security issues in foundational technologies like React Server Components can be concerning, but the React and Next.js teams acted quickly to deliver patches.
React Bricks itself is not affected by the React2Shell vulnerability, but if your project uses Next.js with RSC enabled, updating to a patched release is essential to ensure full protection.
If you need support during the upgrade process, feel free to reach out in our Discord community or through your direct support channels, depending on your React Bricks plan—we are here to help.