React2Shell: A New Threat for React Servers
December 2025 — A critical new vulnerability called React2Shell is shaking up the web development and cybersecurity communities. Within hours of its disclosure, attackers were already scanning for and exploiting vulnerable servers worldwide.
What’s React2Shell?
React2Shell, tracked as CVE-2025-55182, is a flaw in React’s Server Components: unsafe deserialization in the RSC “Flight” protocol lets someone take control of a server just by sending a specially crafted request. There’s no need for a password or login — a single unauthenticated request can execute code on the server. It affects several versions of React’s server-side packages, including react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack.
Who Could Be Impacted?
- Applications using React Server Components
- Many Next.js deployments, especially default setups or older versions
- Public-facing servers that rely on vulnerable React packages
Because React is so widely used, the number of potentially affected applications is huge.
Attacks Are Happening Now
React2Shell is already being exploited. Security teams have seen automated scans, malware deployment, and even activity by state-linked groups. Malware like EtherRAT has been found on some compromised servers. The attacks are global — no region or industry is safe if servers aren’t patched.
What You Can Do
- Update React Server Components and any dependent frameworks immediately
- Watch server logs for unusual requests or unexpected processes
- Consider deploying a temporary firewall or WAF while patching
- Audit connected systems like CI/CD pipelines or third-party services for vulnerabilities
Why You Should Care
This isn’t just another bug. React2Shell shows that modern web frameworks can be direct targets for attackers. Ignoring updates could lead to full server compromise, data loss, or persistent malware infections. Staying on top of patches and monitoring your servers is essential.
References & Sources:
NetSPI — “React Server Components Critical Vulnerability (CVE-2025-55182)”: describes the flaw as unauthenticated remote code execution via unsafe deserialization.
SOCRadar Labs — explains the technical root cause (unsafe deserialization in the RSC “Flight” protocol) and confirms that the vulnerability affects the core React Server Components implementation.