On November 29, 2025, a critical vulnerability was disclosed in React Server Components — CVE-2025-55182, commonly known as React2Shell. With a CVSS score of 10.0 (the maximum), it allows unauthenticated remote code execution via crafted multipart POST requests targeting the Flight payload deserialization in Server Actions. A companion advisory, CVE-2025-66478, covers Next.js specifically since it bundles React internally.
This post details our audit results: Boottify is not affected. Here's what we found and what we did to go even further.
WHAT IS REACT2SHELL?
React2Shell exploits a flaw in how React Server Components deserialize incoming "Flight" payloads from client-to-server communication (Server Actions). An attacker can craft a malicious multipart POST request that, when deserialized by the server, executes arbitrary system commands — without any authentication.
The affected versions are:
| Package | Vulnerable Range | Fixed In |
|---|---|---|
| React | 19.0.0, 19.1.0, 19.1.1, 19.2.0 | 19.2.1+ |
| Next.js | 16.0.0 – 16.0.6 | 16.0.7+ |
| react-server-dom-webpack | 19.0.0 – 19.2.0 | 19.2.1+ |
OUR STATUS: PATCHED + NOT USING THE ATTACK VECTOR
Boottify runs Next.js 16.1.4 with React 19.2.3 — both well above the patched versions. But we didn't stop at version checks.
We performed a full codebase scan and confirmed: zero "use server" directives exist anywhere in the codebase. Boottify uses explicit API routes with fetch() for all data mutations — no Server Actions at all. This means the primary attack vector (crafted multipart POST to Server Actions) simply has no endpoint to target.
ACTIVE SCANNING RESULTS
We ran multiple dedicated vulnerability scanners against both boottify.com and control.boottify.com:
- react2shell-evolved (GuiiMoraes enhanced scanner) — safe-check mode: NOT VULNERABLE
- react2shell-scanner (Assetnote original) — safe-check mode: NOT VULNERABLE
- NextjsServerActionAnalyzer (Adversis Burp extension logic) — manual review confirmed no Server Action hashes in production JS bundles
All scanners confirmed that the platform does not expose Server Action endpoints.
ADDITIONAL HARDENING MEASURES
While confirming we were not vulnerable, we took the opportunity to strengthen several related security controls:
Content Security Policy Hardened
Removed unsafe-eval from the CSP script-src directive and added frame-ancestors 'none', base-uri 'self', and form-action 'self' restrictions. This reduces the attack surface for any future XSS-style vulnerabilities.
File Upload Validation Strengthened
All file upload endpoints (avatar, site logos, blog media) now perform magic number validation — checking the first bytes of uploaded files against known file signatures to confirm the actual file type matches the declared MIME type. This prevents MIME-type spoofing attacks where a malicious file is disguised with a legitimate extension.
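The check described above, as an added example written for this post and not Boottify's own upload code: it compares the leading bytes of an upload against a small allowlist of known signatures (PNG, JPEG, GIF, WebP, all constructed here) and rejects the upload when the declared Content-Type is not allowed or does not match what the bytes say, including files too short to carry a signature.

```javascript
// Added example (not Boottify's code). Each allowed MIME type maps to one or
// more accepted signatures; a signature is a list of byte runs that must all
// be present at their offsets (WebP needs two: "RIFF" at 0 and "WEBP" at 8).
const SIGNATURES = {
  "image/png":  [[{ offset: 0, bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] }]],
  "image/jpeg": [[{ offset: 0, bytes: [0xff, 0xd8, 0xff] }]],
  "image/gif":  [[{ offset: 0, bytes: [0x47, 0x49, 0x46, 0x38, 0x37, 0x61] }],   // GIF87a
                 [{ offset: 0, bytes: [0x47, 0x49, 0x46, 0x38, 0x39, 0x61] }]],  // GIF89a
  "image/webp": [[{ offset: 0, bytes: [0x52, 0x49, 0x46, 0x46] },               // "RIFF"
                  { offset: 8, bytes: [0x57, 0x45, 0x42, 0x50] }]],             // "WEBP"
};

// A run matches only if the buffer is long enough to contain it in full.
function matchesRun(buf, run) {
  if (buf.length < run.offset + run.bytes.length) return false;
  return run.bytes.every((b, i) => buf[run.offset + i] === b);
}

// Returns the MIME type whose signature the bytes carry, or null if none match.
function detectMimeType(buf) {
  for (const [mime, candidates] of Object.entries(SIGNATURES)) {
    if (candidates.some((runs) => runs.every((run) => matchesRun(buf, run)))) {
      return mime;
    }
  }
  return null;
}

// Allowlist check for an upload endpoint: the declared Content-Type (parameters
// such as "; charset=..." stripped) must be an allowed type AND the bytes must
// carry exactly that type's signature. Returns { ok, detected, reason }.
function validateUpload(buf, declaredMime) {
  const declared = String(declaredMime || "").split(";")[0].trim().toLowerCase();
  if (!(declared in SIGNATURES)) {
    return { ok: false, detected: null, reason: `type not allowed: ${declared || "(none)"}` };
  }
  const detected = detectMimeType(buf);
  if (detected !== declared) {
    return { ok: false, detected, reason: `declared ${declared} but bytes look like ${detected || "unknown"}` };
  }
  return { ok: true, detected, reason: "signature matches declared type" };
}

// Constructed sample inputs (headers only, not real image files).
const PNG_HEADER  = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);
const WEBP_HEADER = Buffer.concat([Buffer.from("RIFF", "ascii"), Buffer.from([0x24, 0, 0, 0]),
                                   Buffer.from("WEBPVP8 ", "ascii")]);
const FAKE_PNG    = Buffer.from("<html>not an image</html>", "utf8"); // spoofed as image/png
const TRUNCATED   = Buffer.from([0x89, 0x50]);                          // too short to judge
```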
Rate Limiting Extended
Added dedicated rate limit tiers for authenticated mutations (60 requests/minute) and file uploads (10 uploads/minute) across all admin and client API routes.
ACTION REQUIRED
None. No action is required from Boottify users. The platform was already running patched versions, does not use the vulnerable feature (Server Actions), and has been verified by multiple scanning tools.
FOR DEVELOPERS RUNNING THEIR OWN APPS
If you run React 19 or Next.js 16 applications, please verify your versions immediately:
```bash
npm ls react next
```
Ensure you are running:
- React 19.2.1 or later
- Next.js 16.0.7 or later (if on the 16.x line)
Even if you are on patched versions, consider auditing your use of "use server" directives and ensuring your Server Actions validate input properly.