React2Shell and the race against time. Vercel patches critical Next.js vulnerability
Good morning on this fine Sunday! I hope your weekend is going smoothly, though if you're a dev running Next.js, you might want to put that croissant down and open your laptop.
The cybersecurity world is buzzing about a new vulnerability with a catchy but terrifying name: "React2Shell" (CVE-2025-55182).
What’s the deal?
In short: we’re looking at a flaw in React Server Components that impacts applications built on Next.js. The issue affects framework versions from 15.0.0 to 16.0.6. If your app is running on any of these—you are in the danger zone.
The situation is serious. As Vercel reports, Proof-of-Concept exploits are already publicly available, and active probing has been detected in traffic logs. "React2Shell" isn't just a clever name—it implies the potential for Remote Code Execution (RCE), which is basically every admin’s worst nightmare.
Vercel’s Response – Shield and Sword
Credit where credit is due, the Vercel team didn’t wait around. Before the CVE was even announced to the world, they had already deployed rules to their WAF (Web Application Firewall) to block known attack patterns. Furthermore:
- They are blocking new deployments for projects using vulnerable versions of Next.js.
- They released a quick-fix tool: npx fix-react2shell-next.
- They shared mitigation strategies with other CDN and WAF providers to protect the broader ecosystem.
These actions represent a "defense-in-depth" approach, but remember—a WAF is just a bandage. The only permanent cure is patching your packages.
Bug Hunting (and Bounties)
Vercel is confident enough in their defenses (or determined enough to harden them) that they’ve partnered with HackerOne. They are offering serious cash for anyone who can bypass their platform protections regarding this specific CVE:
- $25,000 for High severity bugs.
- $50,000 for Critical bugs.
So, if you have a free afternoon and a knack for breaking things, you might want to take a shot at it.
What you need to do NOW
Don't assume "it'll be fine" just because your startup is small. Bots don't discriminate.
- Check your Next.js version: Look at your package.json or type next.version in your browser console.
- Update: If you are in the 15.0.0 – 16.0.6 range, update to a patched version immediately.
- Monitor: Vercel suggests reviewing logs for unusual POST requests, though they warn that function timeouts alone aren't a reliable indicator of compromise (they could just be scanners).
For Vercel customers, a special banner has been enabled on the dashboard to alert you if a production deployment is vulnerable. Treat that banner like a fire alarm.
Stay safe, code securely, and enjoy the rest of your weekend (hopefully)!
Aleksander
Sources: Vercel Blog - Resources for protecting against 'React2Shell'
About the Author

Chief Technology Officer at SecurHub.pl
PhD candidate in cognitive neuroscience. Psychologist and IT expert specializing in cybersecurity.