---
title: "Netlify’s response to the critical React security vulnerability"
description: "Netlify has patched a critical remote code execution vulnerability in React Server Functions. All Netlify customers are protected, but must upgrade immediately."
source: "https://www.netlify.com/changelog/2025-12-03-react-security-vulnerability-response/"
last_updated: "2026-07-09T09:11:57.000Z"
---
**Update (2025-12-08 22:45 UTC):** Sites that have not yet upgraded to a patched version of Next.js (or other affected framework) must upgrade immediately. Following upgrade, we also recommend rotating all credentials that are [scoped for access within Netlify Functions](https://docs.netlify.com/build/functions/environment-variables/#declare-variables), if you have been running a vulnerable version on or after December 4th, 2025 at 1:00 PM PT.

Over the last many days, several variants of the original React2Shell exploit have emerged. Netlify is working alongside others in a coordinated industry effort to monitor for exploit variants and has been adjusting our blocking mechanisms accordingly.

In addition to these attack blocking mechanisms, we are now blocking all further deploys for sites using versions of software affected by [CVE-2025-55182](https://www.cve.org/CVERecord?id=CVE-2025-55182) and [CVE-2025-66478](https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp).

**Update (2025-12-06 19:15 UTC):** An official npm package has been released to update affected Next.js apps. Use `npx fix-react2shell-next` to update now. For more information, check the [github repository for `react2shell`](https://github.com/vercel-labs/fix-react2shell-next).

**Update (2025-12-06 15:42 UTC):** As this threat landscape is still evolving in real time, **we advise all customers to immediately upgrade all React and Next.js projects to a patched version**.

**Update (2025-12-06 09:24 UTC):** We have deployed further mitigations for newly discovered exploit vectors.

A critical vulnerability ([CVE-2025-55182](https://www.cve.org/CVERecord?id=CVE-2025-55182)) was recently disclosed in React’s [Server Functions](https://react.dev/reference/rsc/server-functions) protocol, a feature of React Server Components (RSC). React 19.0, 19.1, and 19.2 are affected.

Working closely with the React and Next.js teams, we received early notice and immediately took action to protect our customers.

The vulnerability can be exploited using all RSC implementations, including:

-   Next.js versions 15 and 16, up to and including 15.0.4, 15.1.8, 15.2.5, 15.3.5, 15.4.7, 15.5.6, 16.0.6 ([CVE-2025-66478](https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp))
-   [React Router RSC Preview](https://reactrouter.com/how-to/react-server-components)
-   [Vite RSC plugin](https://www.npmjs.com/package/@vitejs/plugin-rsc)

In affected configurations, an attacker could craft a request that allows them to **execute arbitrary code within the context of the victim’s app**.

On December 3, at 14:00 UTC, the Netlify team rolled out a patch that prevents this vulnerability from being exploited on our customers’ sites. Since that time, **all Netlify customers are not vulnerable** to the exploit. We have found **no evidence of exploitation** on any Netlify sites.

**Please upgrade all React and Next.js projects to a patched version immediately**, and, in the case of Next.js, [**allow automatic updates of the OpenNext Netlify Next.js adapter**](https://docs.netlify.com/build/frameworks/framework-setup-guides/nextjs/overview/#nextjs-support-on-netlify).

We are working continually with the React and Next.js teams and are committed to keeping your sites secure on Netlify.

* * *

_This post was last updated on 2025-12-08 at 22:45 UTC_