
Hunting Down The React2Shell Vulnerability Across Enterprise Codebases (Part 1)

Sourcegraph Blog, December 4, 2025

What is CVE-2025-55182?

A critical security vulnerability (CVE-2025-55182, CVSS 10.0) in React Server Components was reported by Lachlan Davidson on November 29th, 2025.

This severe flaw allows unauthenticated remote code execution. It stems from how React decodes payloads sent to React Server Function endpoints.

Affected Versions and Scope:

  • Any application supporting React Server Components is potentially vulnerable, even if it does not explicitly use React Server Function endpoints.
  • The vulnerability affects the following packages in versions 19.0, 19.1.0, 19.1.1, and 19.2.0:
      • react-server-dom-webpack
      • react-server-dom-parcel
      • react-server-dom-turbopack

Find everywhere React Server Components are used across all your code

To ensure comprehensive coverage, it is critical to check not only for direct usage of the vulnerable packages, but also for dependent frameworks and libraries that incorporate them.

Run these queries on Sourcegraph to quickly identify which projects directly or indirectly depend on vulnerable versions of React Server Components. The following links display results on Sourcegraph’s public code search across 1.1 million open source repositories.

Direct dependencies that have vulnerable versions of React Server Components:

  • Next.js
  • React Router
  • react-server-dom-(webpack|parcel|turbopack)

Note: Searching strictly for exact version numbers can miss dependencies that appear to be upgradable but are pinned to vulnerable versions in yarn.lock or package-lock.json. We target ^ and ~ prefixes to catch repositories that haven't explicitly closed the door on the vulnerability.
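A local complement to the Sourcegraph queries, added here as an example and not part of the original post: it applies the same version matching to a package.json (flagging ^ and ~ ranges that can still resolve to an affected release) and then checks the resolved versions in a package-lock.json, which is where the pin described in the note above actually lives. The sample inputs are constructed.

```python
import json, re
# Affected react-server-dom-* versions from the advisory (npm's 19.0 is 19.0.0).
AFFECTED = {(19, 0, 0), (19, 1, 0), (19, 1, 1), (19, 2, 0)}
PKGS = {"react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"}
SPEC_RE = re.compile(r"^([~^]?)(\d+)\.(\d+)(?:\.(\d+))?$")

def _triple(v: str):  # '19.1.1' -> (19, 1, 1); None for prereleases or junk
    parts = v.split(".")
    return tuple(map(int, parts)) if len(parts) == 3 and all(p.isdigit() for p in parts) else None

def spec_can_resolve_to_affected(spec: str) -> bool:
    """True if an exact, ^ or ~ spec may resolve to an affected version (npm >=1.0.0
    caret/tilde rules). Specs it cannot parse ('*', '>=19', git URLs) are flagged."""
    m = SPEC_RE.match(spec.strip())
    if not m:
        return True
    prefix, maj, mnr = m.group(1), int(m.group(2)), int(m.group(3))
    pat = int(m.group(4) or 0)
    for vmaj, vmnr, vpat in AFFECTED:
        if prefix == "^":      # same major, at or above the stated minor.patch
            hit = vmaj == maj and (vmnr, vpat) >= (mnr, pat)
        elif prefix == "~":    # same major.minor, at or above the stated patch
            hit = (vmaj, vmnr) == (maj, mnr) and vpat >= pat
        else:                  # exact pin
            hit = (vmaj, vmnr, vpat) == (maj, mnr, pat)
        if hit:
            return True
    return False

def scan_package_json(text: str) -> list:
    """Declared ranges that could still pull in an affected release."""
    data = json.loads(text)
    return [(name, spec)
            for section in ("dependencies", "devDependencies", "peerDependencies")
            for name, spec in data.get(section, {}).items()
            if name in PKGS and spec_can_resolve_to_affected(spec)]

def scan_package_lock(text: str) -> list:
    """Resolved versions in a lockfileVersion 2/3 package-lock.json: what is actually
    installed, so a loose range in package.json is not the last word."""
    hits = []
    for path, entry in json.loads(text).get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]   # drop any nesting prefix
        if name in PKGS and _triple(entry.get("version", "")) in AFFECTED:
            hits.append((name, entry["version"]))
    return hits

# Constructed sample inputs; they are not taken from any real repository.
SAMPLE_PACKAGE_JSON = '{"dependencies": {"react": "^19.2.1", "react-server-dom-webpack": "^19.0.0"}}'
SAMPLE_LOCK = '{"lockfileVersion": 3, "packages": {"": {}, "node_modules/react-server-dom-webpack": {"version": "19.1.1"}}}'
```

Run both scanners over every package.json and package-lock.json in a checkout; a repository is only clear when the lockfile scan is empty, not merely when the declared range could resolve to a fixed release.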

Search across your organization's private code

Code Search

You can utilize either our CLI or our web app. We've linked to our public code search above; feel free to modify those URLs or use the following syntax:

react-server-dom (webpack, parcel, and turbopack)

context:global file:package.json "react-server-dom-(webpack|parcel|turbopack)":\s*"[~^]?(19\.0(\.0)?|19\.1\.[01]|19\.2\.0)" patterntype:regexp

Next.js

context:global file:package.json "next":\s*"[~^]?(15\.0\.[0-4]|15\.1\.[0-8]|15\.2\.[0-5]|15\.3\.[0-5]|15\.4\.[0-7]|15\.5\.[0-6]|16\.0\.[0-6])" patterntype:regexp

React Router

context:global file:package.json ("react-router" OR "@remix-run/router") AND "react-server-dom-(webpack|parcel|turbopack)":\s*"[~^]?(19\.0(\.0)?|19\.1\.[01]|19\.2\.0)" patterntype:regexp

Using the Sourcegraph CLI to search for the CVE-2025-55182 vulnerability.

Deep Search

Deep Search is an agentic code search tool designed to understand and execute complex natural language queries. It conducts exhaustive searches to deliver comprehensive answers and facilitates more in-depth investigations through follow-up questions. For example, you can use natural language to search for vulnerabilities, such as CVE-2025-55182.

The vulnerability, identified as CVE-2025-55182, affects any application that supports React Server Components. The affected package versions are 19.0, 19.1.0, 19.1.1, and 19.2.0. Please check all github.com/sourcegraph/* repositories for use of these vulnerable versions.

Executing the prompt with Deep Search

Stay tuned for Part 2, which covers fixing and tracking your vulnerable code.

Getting started with Sourcegraph

Schedule a conversation to see how Sourcegraph can help you and your team find code, make large-scale changes, and track insights across codebases of any scale and with any number of code hosts.

Special thanks to Tino Wening, Stephanie Jarmak, and Dan Adler for their valuable feedback on this post.
