React and Next.js Vulnerability – Analysis and Impact on GoFAST
-
Vulnerability
On December 3, 2025, a critical vulnerability (CVSS score 10/10) was disclosed, affecting several components of the React ecosystem, including Next.js, React Router, and other React-based frameworks.
This flaw, named React2Shell, is referenced under the identifiers CVE-2025-55182 and CVE-2025-66478.
Affected versions:
- React: 19.0, 19.1, and 19.2
- Next.js: versions 15 to 16
The vulnerability allows an unauthenticated attacker to send specially crafted data that can be interpreted as code on the server.
This may lead to arbitrary server-side command execution.Impact on GoFAST
GoFAST does not directly use React or Next.js in its architecture.
Upon disclosure of the vulnerability, our team conducted a thorough analysis of the impact on interconnected components such as Element and Jitsi, which integrate some React-related dependencies. This analysis confirmed that none of these dependencies are affected.
This information is provided for reference purposes.
We continue to actively monitor the publishers and the open-source ecosystem to quickly detect any potential impact and ensure GoFAST's continued security.