React2Shell: Critical RCE Vulnerability Rocks React Ecosystem, Millions of Servers at Risk
The JavaScript development community is in turmoil following the disclosure of CVE-2025-55182, a critical vulnerability rated 10.0 in severity that affects the ReactJS framework. The flaw sits in the Flight Protocol implementation used by React Server Components, and the resulting exploit, now dubbed “React 2 Shell,” lets an attacker obtain shell access on a vulnerable server with a single HTTP request: no authentication is required, and no obscure edge case has to be triggered. Because React Server Components are used across millions of modern React applications and frameworks such as Next.js, the threat is amplified, drawing comparisons to the devastating Log4Shell vulnerability of 2021. The React Flight Protocol, the core mechanism for serializing server-built components so they can be rendered on the client, has been identified as the point of failure.
Investigations reveal that the vulnerability stems from a classic deserialization flaw: untrusted input from malicious Flight payloads is processed on the server, producing anomalous object graphs. This lets attackers manipulate the runtime environment, indirectly call dangerous APIs, or execute arbitrary code on the server. Within hours of public disclosure, security firms reported active exploitation attempts, including attack traffic attributed to Chinese hacking groups. With an estimated 2 million vulnerable servers worldwide, developers urgently need to update the affected React Server Components packages. Prompt remediation is essential to prevent unauthorized access, data breaches, and the deployment of cryptominers or other malicious payloads on compromised systems.