Saturday, December 6th 2025 · 2 min read

All Starter Kits Upgraded to Next.js 16.0.7 - React2Shell Security Patch

We've upgraded all Achromatic starter kits to Next.js 16.0.7 to address the critical React2Shell vulnerability (CVE-2025-55182). Your projects are now protected against this maximum-severity security flaw.

A critical vulnerability called React2Shell (CVE-2025-55182 and CVE-2025-66478) was disclosed this week. It affects React Server Components and Next.js applications, allowing attackers to achieve remote code execution without authentication.

We've upgraded all Achromatic starter kits to Next.js 16.0.7.

What is React2Shell?

React2Shell affects:

  • React Server Components (RSC)
  • React Server Functions
  • Next.js applications using the App Router

Attackers can send specially crafted requests to vulnerable servers and gain remote code execution. Security researchers reported near 100% success rates in exploitation attempts, and active exploitation has already been observed in the wild.

Why it matters

  • No authentication required - Attackers can exploit this without logging in
  • Default configurations affected - Most standard setups are vulnerable
  • Active exploitation - Security firms observed opportunistic attacks
  • Remote code execution - Attackers can gain full control of your web server

What we've done

All Achromatic starter kits have been updated to Next.js 16.0.7, which includes the security patches for both CVE-2025-55182 and CVE-2025-66478.

What you should do

New projects

Simply clone any of our starter kits. They're already running the patched version of Next.js.

Existing projects

Update your dependencies:

Terminal
pnpm install next@latest react@latest react-dom@latest

Or use the official codemod:

Terminal
npx @next/codemod@canary upgrade latest

Verify your Next.js version is 16.0.7 or higher after the upgrade.
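
One way to script that verification, as an added example that is not part of the original post or the Achromatic kits: it reads the version actually resolved into node_modules (a range such as ^16.0.0 in package.json does not prove what is installed) and compares it with 16.0.7. The function names and status labels are hypothetical, and prerelease builds are reported as unverified rather than passed.

```javascript
// Added example (not from the original post): confirm the *installed* Next.js
// version meets the 16.0.7 minimum named above.
const fs = require("node:fs");
const path = require("node:path");

const MIN_NEXT = [16, 0, 7]; // minimum version stated in the post

// Classify a version string as "ok", "below-minimum" or "unverified".
function classifyNextVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(version).trim());
  // Ranges ("^16.0.0") and tags ("latest") say nothing about what is installed.
  if (!m) return "unverified";
  // Prereleases (canary, rc) cannot be confirmed by numeric comparison alone.
  if (m[4]) return "unverified";
  const parts = [Number(m[1]), Number(m[2]), Number(m[3])];
  for (let i = 0; i < 3; i++) {
    // Compare numerically so that 16.0.10 ranks above 16.0.7.
    if (parts[i] !== MIN_NEXT[i]) return parts[i] > MIN_NEXT[i] ? "ok" : "below-minimum";
  }
  return "ok"; // exactly 16.0.7
}

// Read the version resolved into node_modules, not the range in package.json.
function checkProject(projectDir) {
  const manifest = path.join(projectDir, "node_modules", "next", "package.json");
  let version;
  try {
    version = JSON.parse(fs.readFileSync(manifest, "utf8")).version;
  } catch {
    return { projectDir, version: null, status: "not-installed" };
  }
  return { projectDir, version, status: classifyNextVersion(version) };
}

// Check every directory given on the command line (default: current directory),
// for example each app in a monorepo.
const dirs = process.argv.slice(2);
for (const dir of dirs.length ? dirs : ["."]) {
  const r = checkProject(dir);
  console.log(`${r.status.padEnd(14)} next@${r.version ?? "?"}  ${path.resolve(dir)}`);
}
```

Run it from the project root after the upgrade; anything other than "ok" means the installed version could not be confirmed as 16.0.7 or higher.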

Update (December 12, 2025)

Two additional vulnerabilities were discovered. Read our follow-up post: React DoS and Source Code Exposure Vulnerabilities.


Starting a new project? Our starter kits are always kept up-to-date with the latest security patches. Get lifetime access.

Stay secure!