Okta’s Response to React2Shell

Okta

On December 3, 2025, the maintainers of React and Next.js disclosed a critical pre-authentication remote code execution (RCE) vulnerability in React Server Components (CVE-2025-55182) with a CVSS score of 10.0.

The vulnerability impacts versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of RSC, as well as all frameworks that support React Server Components, including Next.js (CVE-2025-66478).
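Because a hoisted top-level React can be at a safe version while a nested copy or an RSC package deeper in the dependency tree is not, an inventory check should walk the whole lockfile. The following Python script is an added example, not Okta's or the React project's tooling: it flags every package-lock.json entry (lockfileVersion 2/3 layout) at one of the versions the advisory names; the package names treated as RSC-bearing are an assumption, and the sample lockfile is constructed.

```python
"""Flag React Server Components packages at the versions listed above in a package-lock.json."""
import json
import re

# Versions the advisory names as impacted.
AFFECTED_VERSIONS = {"19.0.0", "19.1.0", "19.1.1", "19.2.0"}

# Assumption: these npm packages carry React's RSC implementation or are pinned to it.
RSC_PACKAGE_RE = re.compile(r"^(react|react-dom|react-server-dom-[a-z]+)$")


def package_name(install_path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (text after the last node_modules/)."""
    return install_path.rsplit("node_modules/", 1)[-1]


def find_affected(lockfile_text: str) -> list[tuple[str, str, str]]:
    """Return (install_path, name, version) for every affected RSC package, nested copies included."""
    lock = json.loads(lockfile_text)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # the "" key is the root project itself
            continue
        name = meta.get("name") or package_name(path)
        version = meta.get("version", "")
        if RSC_PACKAGE_RE.match(name) and version in AFFECTED_VERSIONS:
            hits.append((path, name, version))
    return hits


# Constructed sample lockfile: top-level react is unaffected, but an RSC package and a
# nested react copy pulled in by a library are at affected versions.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "version": "1.0.0"},
        "node_modules/react": {"version": "18.3.1"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/some-lib/node_modules/react": {"version": "19.1.1"},
    },
})

if __name__ == "__main__":
    for path, name, version in find_affected(SAMPLE_LOCK):
        print(f"AFFECTED {name}@{version} at {path}")
```

Run it against a real lockfile by replacing SAMPLE_LOCK with the file's contents; an empty result only means no entry matches the listed versions, so still confirm the installed framework version against the vendor's fixed releases.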

Okta’s Response

  • Okta has upgraded all production systems to fixed versions.

  • Okta has published actions required for application developers that rely on Auth0 or Okta SDKs to build React or Next.js applications.

  • While we have detected opportunistic scanning activity on non-vulnerable systems, we have not observed successful exploitation of this vulnerability against Auth0 or Okta services.

Actions for Auth0 and Okta SDK users

For actions required and developer guidance, please refer to the appropriate KnowledgeBase article:

Okta