Security teams globally are currently on high alert following the disclosure of a severe vulnerability in the React JavaScript library. Dubbed React2Shell (CVE-2025-55182), this Critical-rated flaw allows unauthenticated remote code execution (RCE) and is already under widespread active exploitation.
What is React2Shell?
React2Shell is a flaw in React Server Components (RSC) affecting versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. It stems from a weakness in how these versions decode payloads sent to React Server Function endpoints.
The impact is catastrophic: by crafting a specific malicious HTTP request to a Server Function endpoint, an attacker can execute arbitrary code on the target server without any authentication, effectively gaining full control over the compromised machine.
Active Exploitation in the Wild
Unlike many vulnerabilities that remain theoretical for weeks, React2Shell was weaponized immediately. Reports from AWS and other threat intelligence firms indicate that state-sponsored actors, particularly those with a China nexus (such as the groups tracked as 'Earth Lamia' and 'Jackpot Panda'), were observed exploiting this flaw within hours of its disclosure.
"China continues to be the most prolific source of state-sponsored cyber threat activity, routinely operationalizing public exploits within days of disclosure." — AWS Threat Intelligence
With an estimated 950,000+ servers potentially running vulnerable versions of React and of frameworks built on it such as Next.js, the attack surface is massive. Threat actors are using this window to establish persistence, deploy webshells, and exfiltrate data.
Affected Versions & Mitigation
If you are using React Server Components, verify your React version immediately. The vulnerable versions are:
- React 19.0.0
- React 19.1.0
- React 19.1.1
- React 19.2.0
Immediate Action Required: update to the latest patched version of React. If you use a framework such as Next.js that depends on React, update the framework to a release that includes the patched React version.
For large-scale deployments, edge providers like Cloudflare have rolled out WAF rules to mitigate the specific attack vectors, but relying solely on edge protection is not a substitute for patching the root vulnerability.
The "New Normal" of Exploit Speed
The speed at which React2Shell was exploited, moving from disclosure to nation-state weaponization in mere hours, highlights a shifting landscape in cybersecurity. The monthly Patch Tuesday cycle is no longer sufficient; critical infrastructure requires real-time monitoring and rapid response capabilities.