The cybersecurity industry is on high alert following the disclosure of a critical React vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code.
React (React.js) is an open source JavaScript library designed for creating application user interfaces. Maintained by Meta and a large community of companies and individual developers from around the world, React is widely used: it reportedly powers millions of websites, it’s used by popular online services (Airbnb, Instagram, Netflix), and its core NPM package currently has 55 million weekly downloads.
In an advisory published on Wednesday, React developers informed users about the availability of patches for CVE-2025-55182, an unauthenticated remote code execution vulnerability that has been assigned a CVSS score of 10.
The security hole affects versions 19.0, 19.1.0, 19.1.1, and 19.2.0, and it has been patched with the release of versions 19.0.1, 19.1.2, and 19.2.1.
Dubbed React2Shell by the cybersecurity community, the issue was reported to React developers on November 29 by Lachlan Davidson.
The vulnerability is related to “how React decodes payloads sent to React Server Function endpoints”, and developers have been told that even if their application does not implement any React Server Function endpoints, it could still be vulnerable if React Server Components (RSC) are supported.
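Because the fix is a version bump, the first thing a defender wants is a reliable way to find lock-file entries that fall in the affected range listed above. The script below is an added example written for this article, not code from the React project or the advisory: it reads an npm `package-lock.json` structure (a constructed sample is embedded) and flags React packages whose version is 19.0.x below 19.0.1, 19.1.x below 19.1.2, or 19.2.x below 19.2.1. The list of package names it inspects is an assumption and deliberately errs on the side of flagging (`react`, `react-dom` and the `react-server-dom-*` packages that implement React Server Components); the advisory linked from the article is the authoritative source for which packages need updating.

```javascript
// Added example (not from the article or the React project): flag lock-file
// entries whose version falls in the CVE-2025-55182 affected range.
// Versions come from the advisory as quoted in the article; "19.0" is
// treated as 19.0.0 (assumption).

// Package names to inspect: an assumption, intentionally over-inclusive.
const REACT_PACKAGES = [
  'react',
  'react-dom',
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
];

// First patched release per 19.x minor line: 19.0.1, 19.1.2, 19.2.1.
const FIRST_FIXED_PATCH = { 0: 1, 1: 2, 2: 1 };

// Parse the leading "major.minor.patch" of a version string; pre-release
// suffixes (e.g. "-canary") are ignored for the comparison.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) return null;
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

// True when the version is a 19.0/19.1/19.2 release older than its fix.
function isAffected(version) {
  const v = parseVersion(version);
  if (!v || v.major !== 19) return false;
  const fixed = FIRST_FIXED_PATCH[v.minor];
  if (fixed === undefined) return false; // minor line not named in the advisory
  return v.patch < fixed;
}

// Walk the "packages" map of an npm lockfile (lockfileVersion 2 or 3).
// Keys look like "node_modules/react" or "node_modules/x/node_modules/react";
// the bare package name is the part after the last "node_modules/".
function findVulnerable(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.replace(/^.*node_modules\//, '');
    if (!REACT_PACKAGES.includes(name)) continue;
    if (entry && entry.version && isAffected(entry.version)) {
      findings.push({ path, name, version: entry.version });
    }
  }
  return findings;
}

// Constructed sample lockfile: two affected entries, one patched, one
// nested React 18, and an unrelated package.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-dom': { version: '19.1.1' },
    'node_modules/react-server-dom-webpack': { version: '19.2.1' },
    'node_modules/legacy-widget/node_modules/react': { version: '18.3.1' },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};

const sampleFindings = findVulnerable(SAMPLE_LOCK);
for (const f of sampleFindings) {
  console.log(`AFFECTED ${f.name}@${f.version} at ${f.path}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; nested copies of React pulled in by dependencies are reported with their full `node_modules` path so they are not missed behind a patched top-level install.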
At the time of writing there do not appear to be any reports of in-the-wild exploitation. However, less than 24 hours after disclosure, at least one proof-of-concept (PoC) exploit has been developed and the vulnerability has been added to vulnerability scanners.
It’s worth pointing out that the React-powered web development framework Next.js is also affected by CVE-2025-55182. Vercel, the developer of Next.js, has attempted to assign its own CVE identifier, CVE-2025-66478, but it has been rejected as a duplicate of CVE-2025-55182.
Frameworks such as React Router RSC, Vite RSC plugin, Parcel RSC plugin, RedwoodSDK, and Waku may also be vulnerable, according to cloud security firm Wiz.
Wiz said the vulnerability impacts default configurations, and it can be easily and reliably exploited using specially crafted HTTP requests.
The security firm reported that, based on its data, 39% of cloud environments contain vulnerable React instances.
Many members of the cybersecurity industry appear to believe that in-the-wild exploitation of React2Shell is imminent.
Justin Moore, senior manager of threat intel research at Palo Alto Networks’ Unit 42, described the vulnerability as a “master key exploit, succeeding not by crashing the system, but by abusing its trust in incoming data structures”.
“The system executes the malicious payload with the same reliability as legitimate code because it operates exactly as intended, but on malicious input,” Moore said in an emailed statement.
“Given that Unit 42 has identified over 968,000 servers running common modern frameworks like React and Next.js, and that nearly 40% of cloud environments are exposed, the stability of this flaw means it’s no longer a question of if attackers will use it, but when it will be widely exploited,” he added.
On the other hand, Kevin Beaumont, a reputable security researcher, sought to “derail the hype train” on Wednesday, noting that the vulnerability is limited to the more recent version 19, and only impacts applications that use React Server, which he described as a new feature.
Companies react to React2Shell
Google Cloud has rolled out web application firewall (WAF) rules to detect and block CVE-2025-55182 exploitation attempts.
AWS has also released new WAF rules to block attacks, with customers using managed services informed that they are not impacted and no action is required.
Cloudflare has also deployed protections across its network that automatically protect all customers as long as their React application traffic is proxied through the Cloudflare WAF.
Web development company Netlify has rolled out the React patches to prevent exploitation against customers’ websites.
F5 is investigating potential impact on its products, but at the time of writing it has not identified any affected products.
The list of security companies that help organizations detect vulnerable instances and protect them against potential exploitation attempts includes Akamai, Orca Security, Tenable, Aikido, and Miggo.
UPDATE: AWS has seen Chinese hackers exploiting React2Shell.