React2Shell Vulnerability Exploitation Surges Globally

You think your React-based app is secure just because it’s running on modern frameworks like React Server Components or Next.js? Think again. The so-called React2Shell bug, officially CVE-2025-55182, has burst onto the scene with a nasty trick: it lets hackers run arbitrary code on your server without even needing valid credentials. That’s right—a single malicious HTTP request can hijack your machine. And no one is safe; even Microsoft reports hundreds of compromised machines across a variety of organizations.

How Did We Get Here?

This vulnerability isn’t some obscure corner case. It stems from unsafe deserialization in React’s "Flight" protocol, the mechanism coordinating data between client and server. This unsafe deserialization allows an attacker to sneak in malicious payloads—payloads that run unchecked and uncontrolled, executing commands on the server. React versions 19.0.0 through 19.2.0 are all vulnerable, along with any other frameworks relying on the Flight protocol, a notable example being Next.js. Given how hot React and Next.js are in web development, the exposed attack surface is nothing short of massive.

Attackers Have Been Busy

Once this vulnerability became public, hacking groups—ranging from government-backed actors to cybercriminals chasing quick profit—rushed to exploit it. Microsoft’s own threat intelligence shows hundreds of servers already breached. What are these attackers doing once inside? It’s not just about planting malware and calling it a day:

  • Arbitrary command execution: Hackers are running arbitrary commands to manipulate and control compromised systems.
  • Malware infections: They’re dropping remote access trojans like VShell and EtherRAT and cryptominers such as XMRig to mine cryptocurrency on your dime.
  • Credential extraction: Cloud credentials for Azure, AWS, and Google Cloud are being siphoned off, widening the playground for attackers with lateral moves.
  • Establishing persistence: This includes adding malicious users, tweaking key files like authorized_keys, and even enabling root logins—ensuring they stick around unnoticed.

If you think this sounds like a typical hack, you’re not wrong—but it’s the speed and scale that make this alarming.

Massive Exposure: Can You Afford To Ignore It?

According to ShadowServer Foundation, there were over 165,000 IP addresses and 644,000 domains vulnerable as of December 2025. That’s a colossal attack surface ripe for exploitation. Developers chasing the latest React features without checking security details might have practically handed over their servers on a silver platter.

Your Checklist to Stop the Bleeding

Patching is a given, but let’s be real—you probably haven’t updated everything yet. The quick fix is upgrading React Server Components to patched versions 19.0.1, 19.1.2, or 19.2.1. But don’t stop there:

  • Web Application Firewalls (WAF): Set these up to scrutinize and reject suspicious HTTP requests aimed at React Flight endpoints.
  • Security audits: Stop pretending audits are optional and regularly review your component setups for weak spots.
  • Activity monitoring: Watch your servers for strange behavior that might hint at active exploitation before it spirals out of control.

Ignoring this is like leaving the front door wide open while hoping no one walks in.
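As an added example (not code from the original article or from the React project), here is a small Node.js script that audits a package-lock.json for React packages whose version falls in the vulnerable range named above and is not one of the patched releases. The lock file content is constructed, and the package names other than `react` are assumptions about which packages carry the Flight implementation in a typical install.

```javascript
// Added example: flag React packages whose version lies in the range the
// article calls vulnerable (19.0.0 through 19.2.0) and is not one of the
// patched releases it names (19.0.1, 19.1.2, 19.2.1).
const PATCHED = new Set(["19.0.1", "19.1.2", "19.2.1"]);
// Assumption: these are the packages to check besides "react" itself.
const REACT_PACKAGES = [
  "react", "react-dom", "react-server-dom-webpack", "react-server-dom-turbopack",
];

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when version is within [19.0.0, 19.2.0] and not a patched release.
function isVulnerableVersion(version) {
  const v = parseSemver(version);
  if (!v) return false; // unparsable: report nothing rather than guess
  if (PATCHED.has(`${v[0]}.${v[1]}.${v[2]}`)) return false;
  return cmp(v, [19, 0, 0]) >= 0 && cmp(v, [19, 2, 0]) <= 0;
}

// Walk a lockfileVersion 2/3 package-lock.json ("packages" keyed by path),
// so nested copies under node_modules/<dep>/node_modules/react are seen too.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (REACT_PACKAGES.includes(name) && entry.version && isVulnerableVersion(entry.version)) {
      findings.push({ path, name, version: entry.version });
    }
  }
  return findings;
}

// Constructed sample lock file for demonstration (not a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-dom": { version: "19.1.2" },
    "node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/next": { version: "15.0.0" },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Run it against a real lock file by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; an empty result means no checked package is in the vulnerable range.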

Once More Unto The Breach

React2Shell reminds you that even the latest shiny frameworks come with hidden dangers. The urge to move fast has often left security in the back seat, and we’re all paying the price. If you’re responsible for any React or Next.js deployments, it’s high time you face this threat head-on. Patch, secure, and monitor—or brace for the consequences. The attackers certainly aren’t waiting around.