Good morning on this fine Sunday! I hope your weekend is going smoothly, though if you're a dev running Next.js, you might want to put that croissant down and open your laptop.
The cybersecurity world is buzzing about a new vulnerability with a catchy but terrifying name: "React2Shell" (CVE-2025-55182). As we reported previously, this flaw received a maximum CVSS score of 10.0 – there is no room for downplaying this.
In short: we’re looking at a flaw in React Server Components that impacts applications built on Next.js. The issue affects framework versions from 15.0.0 to 16.0.6. If your app is running on any of these—you are in the danger zone.
The situation is serious. As Vercel reports, Proof-of-Concept exploits are already publicly available, and active probing has been detected in traffic logs. "React2Shell" isn't just a clever name—it implies the potential for Remote Code Execution (RCE), which is basically every admin’s worst nightmare.
Credit where credit is due, the Vercel team didn’t wait around. Before the CVE was even announced to the world, they had already deployed rules to their WAF (Web Application Firewall) to block known attack patterns. Furthermore:
A fix script is also available: npx fix-react2shell-next.
These actions represent a "defense-in-depth" approach, but remember—a WAF is just a bandage. The only permanent cure is patching your packages. Interestingly, this vulnerability played a role in the recent Cloudflare outage – when the company updated WAF rules in response to React2Shell, it triggered a cascading failure that took down 28% of the internet.
Vercel is confident enough in their defenses (or determined enough to harden them) that they’ve partnered with HackerOne. They are offering serious cash for anyone who can bypass their platform protections regarding this specific CVE:
So, if you have a free afternoon and a knack for breaking things, you might want to take a shot at it.
Don't assume "it'll be fine" just because your startup is small. Bots don't discriminate.
Check the Next.js version in your package.json or type next.version in your browser console.
For Vercel customers, a special banner has been enabled on the dashboard to alert you if a production deployment is vulnerable. Treat that banner like a fire alarm.
CVE-2025-55182 is an unpleasant reminder that even code written by the world's best engineers, backed financially by Meta and Vercel, is not free from fundamental errors.
Context: 0-Day Vulnerabilities: The Invisible Weapon - A comprehensive analysis of the zero-day phenomenon, from technical anatomy to the black market and defense strategies.
Stay safe, code securely, and enjoy the rest of your weekend (hopefully)!
Aleksander
Sources: Vercel Blog - Resources for protecting against 'React2Shell'

Chief Technology Officer at SecurHub.pl
PhD candidate in neuroscience. Psychologist and IT expert specializing in cybersecurity.