React2Shell RCE Vulnerability: Critical Exploit in React Server Components and Next.js — Patch Immediately

Rohan Raj Gautam — Wed, 10 Dec 2025 03:28:13 +0000

A severe security vulnerability in React Server Components (RSC) has exposed a large number of React and Next.js applications to remote code execution. Both the React team and the Next.js team have released emergency patches.

If your project uses RSC in any capacity, you should treat this as urgent.

What Happened

React disclosed a flaw in the RSC “Flight” protocol caused by unsafe deserialization.

Attackers can send crafted payloads that execute arbitrary code on the server.

Next.js is directly affected because its App Router relies on RSC under the hood.

Independent security researchers have already observed exploitation attempts shortly after disclosure.

Who Is Affected

You are impacted if you use:

React Server Components (any implementation)
Next.js App Router
Any bundler or framework depending on react-server-dom-* packages (Webpack, Turbopack, Parcel, etc.)

Using RSC—even without writing server actions—is enough to be vulnerable.

How to Fix It

React Projects

Upgrade all RSC packages to patched versions:

react-server-dom-webpack
react-server-dom-parcel
react-server-dom-turbopack

Use one of the fixed versions:

19.0.1
19.1.2
19.2.1
or newer

Redeploy your application after updating.

Next.js Projects

The Next.js team provides an automated remediation tool:

npx fix-react2shell-next

Then upgrade to the patched Next.js release listed in their advisory and redeploy.

Additional Recommended Steps

Rotate all secrets and environment variables.
Review logs for suspicious requests or processes.
Run security scans on your deployment if it was online before patching.

Why This Matters

This is a high-impact RCE vulnerability affecting the default behavior of modern React and Next.js applications. Because RSC loads by default in many setups, the effective attack surface is huge.

If you depend on RSC anywhere in your stack, patching is not optional.

References

React advisory: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
Next.js advisory: https://nextjs.org/blog/CVE-2025-66478

Debugging React Native with Reactotron: A Step-by-Step Guide

Rohan Raj Gautam — Mon, 24 Jun 2024 16:36:22 +0000

Debugging a React Native application can sometimes feel like walking through a maze. But what if there was a tool that could streamline the process and give you real-time insights into your app’s behavior? Enter Reactotron—a powerful desktop application that edits React Native apps. In this blog, I’ll walk you through the steps to integrate Reactotron with React Native and make the most of its powerful debugging features.

What is Reactotron?

Reactotron is a desktop app by Infinite Red that provides a suite of tools for inspecting, logging, and interacting with your React Native application. It supports real-time logging, state inspection, API request monitoring, and more. Reactotron is like having a supercharged console.log at your fingertips but with way more capabilities.

Why Use Reactotron?

Real-time event tracking: Monitor actions, state changes, and API calls as they happen.
Performance monitoring: Track how long actions and renders take.
State management: Inspect and modify your app's state.
Easy integration: Simple setup process with minimal configuration.

Step-by-Step Integration

Let's dive into the step-by-step process of integrating Reactotron into your React Native project.

Step 1: Install Reactotron React Native
First, you'll need to add Reactotron to your project. Open your terminal and navigate to your React Native project's root directory. Then, run the following command to install Reactotron and its React Native integration:



yarn add reactotron-react-native -D

Or if you prefer npm:



npm i --save-dev reactotron-react-native

Step 2: Configure Reactotron
Next, you'll need to configure Reactotron in your project. Create a new file named ReactotronConfig.js in your project’s root directory. Add the following code to set up Reactotron:



import Reactotron from "reactotron-react-native";

Reactotron.configure() // controls connection & communication settings
  .useReactNative() // add all built-in react native plugins
  .connect(); // let's connect!

Or connect to AsyncStorage if you are using that:



import Reactotron from 'reactotron-react-native';
import AsyncStorage from '@react-native-async-storage/async-storage';

Reactotron.setAsyncStorageHandler(AsyncStorage)
  .configure({
    name: 'Tirios',
  })
  .useReactNative({
    asyncStorage: false, // there are more options to the async storage
    networking: {
      // optionally, you can turn it off with false.
      ignoreUrls: /symbolicate/,
    },
    editor: false, // there are more options to editor
    errors: { veto: stackFrame => false }, // or turn it off with false
    overlay: false, // just turning off overlay
  })
  .connect();

Step 3: Integrate Reactotron Configuration
You must ensure Reactotron configuration is imported and initialized when your app starts. Open your index.js or App.js (if you're using Expo) file and import your ReactotronConfig.js at the very top:



if (__DEV__) {
  require('./ReactotronConfig');
}

This will initialize Reactotron when your app starts.

Step 4: Start Reactotron
Download and install the Reactotron desktop application from the Reactotron releases page. Open the app, and you'll see a dashboard ready to connect to your React Native app.

Step 5: Use Reactotron in Your Project
Now that Reactotron is configured, you can start using it in your project.

Refresh your app (or start it up react-native start) and have a look at Reactotron now. Do you see the CONNECTION line? Click that to expand.

Troubleshooting

Android: If you are using an Android device or an emulator run the following command to make sure it can connect to Reactotron:



adb reverse tcp:9090 tcp:9090

Conclusion

Integrating Reactotron into your React Native project is a straightforward process, and the benefits it brings to your development workflow are immense. So, give it a try, and take your React Native debugging to the next level!

Happy debugging!

Forem: Rohan Raj Gautam