React CVE-2025-55182 and Next.js CVE-2025-66478, now collectively referred to as React2Shell, reflect a prototype pollution bug – but not a traditional one. Most prototype pollution bugs require an additional bug before they do anything useful for the attacker; these require just one step.
They are rated CVSS 10.0, the highest severity. If you are vulnerable, immediate action is required.
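To make the bug class concrete, the following is an added, generic illustration of prototype pollution (CWE-1321) and the defender-side checks that stop it. It is not React, Next.js or Fastly code, and it does not reproduce the React2Shell payload or its code-execution step: the request body below is a constructed sample, and the `unsafeMerge`, `safeMerge` and `findPollutionKeys` functions are hypothetical helpers written for this example.

```javascript
// Added example: how a "__proto__" key in untrusted JSON reaches
// Object.prototype through an unchecked deep merge, and two mitigations.
// Generic illustration of CWE-1321; not React's, Next.js's or Fastly's code.

// Keys that let a property write escape the target object and reach the
// prototype chain. A hardened merge must never copy these from input.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern: recursive merge of untrusted input with no key check.
// When key === '__proto__', target[key] resolves (via the inherited accessor)
// to Object.prototype, so the recursion writes onto every object's prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object') {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: drops prototype-reaching keys and only recurses into the
// target's OWN properties, so inherited objects are never written to.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // silently discard dangerous keys
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection helper (the kind of check a WAF rule or input validator performs):
// walk a parsed body and report every path that uses a forbidden key.
// getOwnPropertyDescriptor is used so the walk reads the OWN "__proto__"
// value from the parsed JSON rather than triggering the inherited accessor.
function findPollutionKeys(node, path = [], found = []) {
  if (node && typeof node === 'object') {
    for (const key of Object.keys(node)) {
      const here = [...path, key];
      if (FORBIDDEN_KEYS.has(key)) found.push(here.join('.'));
      findPollutionKeys(Object.getOwnPropertyDescriptor(node, key).value, here, found);
    }
  }
  return found;
}

// Constructed sample request body (not a real React2Shell payload): an
// ordinary-looking settings update carrying a "__proto__" key.
const CONSTRUCTED_PAYLOAD =
  '{"theme":{"color":"dark"},"__proto__":{"polluted":"yes"}}';

// Run one merge strategy against the sample body and report whether an
// unrelated, freshly created object ended up seeing the injected property.
// Any pollution is removed afterwards so later code is unaffected.
function mergeAndCheck(mergeFn) {
  const config = { theme: { color: 'light' } };
  mergeFn(config, JSON.parse(CONSTRUCTED_PAYLOAD));
  const leaked = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  return { leaked, themeColor: config.theme.color };
}

// Stand-alone demonstration for the reader.
console.log('unsafeMerge:', mergeAndCheck(unsafeMerge)); // leaked: true
console.log('safeMerge:  ', mergeAndCheck(safeMerge));   // leaked: false
console.log('flagged paths:', findPollutionKeys(JSON.parse(CONSTRUCTED_PAYLOAD)));
```

The page's point that React2Shell needs no second bug is what makes the `findPollutionKeys`-style check and a virtual patch valuable: if the dangerous key never reaches the merge, there is no single step to take. Note that `safeMerge` also refuses to recurse into inherited properties, which closes the path even when an allowed key name happens to collide with something on the prototype.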
Vulnerable Configurations:
If you are using any of these unpatched, then you may be vulnerable.

Fastly’s Security Team provides real-time updates regarding the critical remote code execution flaw and related vulnerabilities found in the React framework.
React2Shell’s reach extends to enterprises globally. Here’s what we’re seeing and what steps enterprises should take, including identifying and patching vulnerable apps immediately.
Need remediation support? Don't feel overwhelmed—we are here to help. For any questions or inquiries concerning the React2Shell vulnerability, please email us.
On the evening of December 1, 2025, Vercel informed Fastly of the upcoming disclosure of the vulnerabilities now jointly referred to as React2Shell. After learning about the vulnerabilities, Fastly immediately launched an investigation into our internal systems and began developing detection content to provide swift, proactive support to our customers.
In the following hours, virtual patches were made available for these CVEs to provide breathing room for companies assessing exposure, and it was found that Fastly’s core platform infrastructure is not vulnerable to React2Shell based on our current investigation.

To prevent remote code execution due to the React2Shell vulnerability, Fastly NGWAF customers are recommended to immediately apply the Virtual Patch for CVE-2025-66478 (which also addresses CVE-2025-55182). On December 12, following information from Vercel and Meta regarding CVE-2025-55184 (Denial of Service) and CVE-2025-55183 (information leak), Fastly rapidly developed and deployed a Virtual Patch for both. These patches were enabled in blocking mode by default for all Fastly NGWAF customers; our existing detection for CVE-2025-55184 also automatically covers the subsequent CVE-2025-67779.
Fastly Compute runs on WebAssembly (Wasm), which strictly isolates every request. This architecture prevents RCE exploits from escaping the execution environment to access the host or other users' data.
Protect your apps from the critical React RCE bugs (CVE-2025-55182/66478). Fastly's NGWAF Virtual Patch provides proactive defense.
Read the blog

Fastly is seeing sustained React2Shell attacks across all industries and regions. Learn what’s happening and the critical steps enterprises should take to patch vulnerable apps.
Read the blog

In the wake of the critical severity React2Shell CVEs, two new CVEs exploiting similar Next.js and React components were announced on December 11. Learn more about these new CVEs.
Read the blog