A Critical Code Flaw: What You Should Know About the React2Shell Crisis
A critical security vulnerability known as React2Shell is now being weaponized by attackers, putting thousands of websites and applications built on React, Next.js and related frameworks at severe risk. The flaw, tracked as CVE-2025-55182, enables unauthenticated remote code execution, giving attackers the ability to run arbitrary commands on targeted servers without needing credentials.
React2Shell stems from an unsafe deserialization flaw inside React Server Components. When vulnerable packages receive a maliciously crafted request, the server may execute injected JavaScript code. The bug affects widely used libraries including react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack in multiple production versions.
Because the vulnerability sits deep in core components, even apps running default configurations are exposed. The issue also extends far beyond React itself, affecting downstream frameworks and bundlers such as Next.js, Vite, Parcel and Waku, significantly expanding the attack surface.
A public proof-of-concept exploit surfaced less than two days after disclosure, triggering an immediate wave of real-world attacks. Threat intelligence teams report that state-aligned groups, including known China-based operators, are targeting exposed servers to deploy malware, steal credentials, and establish persistent access. By early December, monitoring groups had identified more than 77,000 vulnerable internet-facing systems, with at least 30 confirmed breaches linked directly to React2Shell.
The flaw carries the maximum CVSS score of 10.0, and React maintainers have urged all developers and companies to update immediately. React and its ecosystem power a vast share of modern internet platforms, from small business websites to enterprise-scale services. The ability for attackers to compromise servers without authentication makes React2Shell far more dangerous than typical security bugs.

Abdul Wasay explores emerging trends across AI, cybersecurity, startups and social media platforms in a way anyone can easily follow.
