A newly discovered security flaw in the React ecosystem — one of the most widely used technologies on the web — is prompting urgent warnings across the tech industry.
The bug — dubbed “React2Shell” — allows attackers to achieve unauthenticated remote code execution (RCE) on vulnerable servers with almost perfect reliability, putting millions of web applications and cloud workloads at immediate risk.
A ‘Perfect Ten’ Vulnerability
The vulnerability is tracked as CVE-2025-55182 (React) and CVE-2025-66478 (Next.js), both rated CVSS 10.0, indicating maximum severity. The flaw affects the platform’s React Server Components (RSC) — a feature designed to improve performance through server-side rendering.
Unfortunately, the flaw lies in the RSC “Flight” protocol, the serialization layer that governs how React sends and receives data between the browser and the server.
One Malicious Request Is Enough
According to cloud security company Wiz, exploiting React2Shell is alarmingly simple. Attackers need to send only a specially crafted HTTP request to the target server to trigger RCE, allowing them to run their own commands on someone else’s machine.
Researchers warn that exploiting the flaw is shockingly easy, as it requires no login, no special setup, and no interaction from the target. The attack works remotely over the internet and, according to internal tests, achieves a near-100% success rate, making it one of the most severe vulnerabilities ever found in modern web technology.
Why This Matters
React, the Meta-backed JavaScript library powering user interfaces across the internet, is embedded in an enormous share of modern applications. Wiz researchers found that:
- 6% of all websites use React
- 39% of cloud environments contain vulnerable React or Next.js installations
- 44% of all cloud environments have publicly exposed Next.js instances (regardless of the version running)
In short, a massive portion of modern web infrastructure is potentially exposed. Major cloud providers — including AWS, Cloudflare, Google Cloud, and Fastly — have rushed to deploy temporary firewall rules, but all of them stress that these are only stopgaps. The only permanent fix is to update React and affected frameworks immediately.
Who Is Vulnerable?
Vulnerable React packages include:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Affected versions: 19.0, 19.1.0, 19.1.1, and 19.2.0
Patched versions are now available: 19.0.1, 19.1.2, 19.2.1
Next.js users must also update to patched releases, including:
15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, and others in the 14.x stable line.
Other frameworks likely affected include:
- React Router (RSC preview)
- RedwoodJS
- Vite RSC plugin
- Parcel RSC plugin
- Waku
Any framework that bundles or implements React Server Components may be vulnerable.
What’s Being Done?
React developers have already pushed out patched versions with hardened validation and safer deserialization. Hosting providers — including Cloudflare, Google Cloud, AWS, and Fastly — have activated emergency Web Application Firewall rules to block known exploit attempts.
However, the warning is clear: temporary protections are not enough. Developers must patch immediately.
Patched React versions: 19.0.1, 19.1.2, and 19.2.1
Patched Next.js versions: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7
Canary: 14.3.0-canary.88
What Organizations Should Do Right Now
- Update React and Next.js to the patched versions immediately.
- Check all frameworks or bundlers — like Redwood, Waku, Vite RSC, Parcel RSC — for patched releases.
- Apply WAF rules temporarily if available.
- Scan for vulnerable deployments, especially public Next.js apps.
- Review server logs for suspicious Flight payload requests.
- Isolate or restrict public access to high-risk applications until patched.
- Assume exposure when running modern React applications in production.
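As an added example that is not part of the article or of the React and Next.js projects' own tooling, the following Node.js script covers the "scan for vulnerable deployments" step above: it audits an npm package-lock.json for the three react-server-dom-* packages and for Next.js, using only the affected and patched version numbers the article lists. It assumes the lockfileVersion 2/3 layout (a top-level "packages" map keyed by node_modules path); the sample lock file is constructed inline, and any Next.js release line the article does not name is reported as unknown rather than guessed.

```javascript
// Added example (not from the article or the React/Next.js projects): audit a
// package-lock.json for the React Server Components packages and the Next.js
// release lines the article names, and report which installed versions are
// still on an affected release.
//
// Assumptions (not from the article): the lock file is npm lockfileVersion 2 or
// 3, i.e. it has a top-level "packages" map keyed by "node_modules/<name>"; a
// Next.js release line the article does not list is reported as "unknown"
// rather than guessed, so it can be checked against the vendor advisory.

const RSC_PACKAGES = new Set([
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
]);
// Affected and patched react-server-dom-* versions as listed in the article
// ("19.0" is written here as 19.0.0).
const RSC_AFFECTED = new Set(['19.0.0', '19.1.0', '19.1.1', '19.2.0']);
const RSC_PATCHED = new Set(['19.0.1', '19.1.2', '19.2.1']);
// First patched Next.js release per major.minor line, from the article.
const NEXT_FIRST_PATCHED = {
  '15.0': 5, '15.1': 9, '15.2': 6, '15.3': 6, '15.4': 8, '15.5': 7, '16.0': 7,
};

// Parse the numeric prefix of a version string. A pre-release suffix such as
// "-canary.3" is ignored, which errs on the side of flagging a build.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(version));
  if (!m) return null;
  return {
    major: Number(m[1]),
    minor: Number(m[2]),
    patch: m[3] === undefined ? 0 : Number(m[3]),
  };
}

// Exact-match check for the react-server-dom-* packages: the article lists
// affected and patched versions individually, so anything else is "unknown".
function classifyRsc(version) {
  const v = parseVersion(version);
  if (!v) return 'unknown';
  const canonical = `${v.major}.${v.minor}.${v.patch}`;
  if (RSC_AFFECTED.has(canonical)) return 'vulnerable';
  if (RSC_PATCHED.has(canonical)) return 'patched';
  return 'unknown';
}

// Per-release-line check for Next.js: a patch level below the first patched
// release of its line is vulnerable; unlisted lines are "unknown".
function classifyNext(version) {
  const v = parseVersion(version);
  if (!v) return 'unknown';
  const firstPatched = NEXT_FIRST_PATCHED[`${v.major}.${v.minor}`];
  if (firstPatched === undefined) return 'unknown';
  return v.patch >= firstPatched ? 'patched' : 'vulnerable';
}

// Walk every entry in the lock file, including nested copies under
// node_modules/<a>/node_modules/<b>, and classify the packages of interest.
function auditLock(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!entry || !entry.version) continue;
    const name = path.replace(/^.*node_modules\//, '');
    if (RSC_PACKAGES.has(name)) {
      findings.push({ path, name, version: entry.version, status: classifyRsc(entry.version) });
    } else if (name === 'next') {
      findings.push({ path, name, version: entry.version, status: classifyNext(entry.version) });
    }
  }
  return findings;
}

// Constructed sample lock file (not a real project): one affected RSC package,
// one affected Next.js release, and a nested, already-patched Next.js copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/react': { version: '19.1.1' },
    'node_modules/react-server-dom-webpack': { version: '19.1.1' },
    'node_modules/next': { version: '15.3.2' },
    'node_modules/some-tool/node_modules/next': { version: '16.0.7' },
  },
};

for (const f of auditLock(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(10)} ${f.name}@${f.version} (${f.path})`);
}
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of the project's package-lock.json (for example JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))). The script sees only what npm resolved: pnpm and yarn lock files use a different layout, and a framework may vendor the RSC code inside its own package, so an "unknown" result is a prompt to check the vendor advisory, not a clean bill of health.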
A Wake-Up Call For The Web
As the industry scrambles to secure affected systems, experts stress that speed is critical. With exploitation requiring almost no effort and patches now widely available, organizations that act quickly can contain the risk before attackers weaponize the flaw at scale.
The discovery of the React2Shell vulnerability underscores that even the most trusted frameworks demand constant vigilance — and in moments like this, patching remains the only dependable way to stay protected.
