What is React2Shell (CVE-2025-55182)?
React2Shell is a critical security vulnerability in applications built with React/Next.js. It allows attackers to send a specially crafted request to a server and gain full control of the system.
The root cause lies in the server-side data handling mechanism, which fails to perform sufficiently rigorous validation, creating an opening for malicious code to be executed. Without timely protection, the server can be infected with malware, have its data stolen, or be turned into a launchpad for further attacks.
Key characteristics that make React2Shell an exceptionally dangerous vulnerability:
- No authentication required: Attackers need no account or valid credentials. Any system exposed to the internet can become a target.
- A single specially crafted HTTP request is enough: Hackers only need to send one purpose-built request to trigger the vulnerability, with no complex multi-step attack chain required.
- Affects default configurations: Even organizations deploying React/Next.js with standard, uncustomized settings may have this vulnerability present in their systems.
- Proof-of-concept exploit code is publicly available: Following the public disclosure, exploit code appeared online almost immediately, putting it within reach of anyone with basic technical skills.
- Active exploitation confirmed in late 2025: Multiple React/Next.js systems exposed to the internet were scanned and exploited. Security research teams documented active scanning and attack campaigns, confirming that the vulnerability is being weaponized in real-world environments, not just in labs.
Why is React2Shell particularly dangerous?
React2Shell has been rated at the highest severity level on the security risk scoring scale (CVSS 10/10), reflecting the potentially catastrophic impact if exploited.
Websites and applications built with Next.js or using React's server-side rendering mechanism are at risk if they have not yet applied the latest security patch.
After a successful exploit, attackers can carry out a range of harmful actions:
- Seize control of server processes: Hackers can take over processes running on the server to execute arbitrary commands, alter configurations, or disrupt system operations.
- Install backdoors for persistent access: After gaining initial access, attackers can quietly deploy additional malware or create hidden accounts to maintain access even after the vulnerability is patched.
- Exfiltrate sensitive system data: Data such as environment variables (which often store passwords, security keys, and access tokens) can be extracted and used in subsequent attacks.
- Access cloud service credentials: On cloud-hosted systems, attackers can retrieve authentication credentials such as AWS access keys, enabling them to expand their attack across other services.
- Deploy cryptocurrency mining software: Servers can be infected with mining tools such as XMRig, causing abnormal resource consumption, degraded system performance, and unexpected infrastructure costs.
- Conscript the server into a botnet: Compromised servers can be leveraged to participate in DDoS attacks against other targets, exposing the affected organization to legal liability and reputational harm.
More concerning still, automated scanning campaigns emerged almost immediately after the exploit code went public. Numerous internet-facing React/Next.js systems were probed and targeted in bulk, demonstrating that threat actors moved to exploit this vulnerability with little to no delay.
Root cause of the vulnerability
React2Shell stems from the way the system processes data submitted to the server, specifically within the React Server Components (RSC) mechanism:
- The server does not rigorously validate incoming data: When receiving requests from users, the server fails to fully verify the structure and content of the data, allowing abnormal inputs to pass through the control layer.
- Data is processed in an unsafe manner: The system converts data from its transmitted format into an executable form (a process known as deserialization) without thorough validity checks, allowing malicious code to be disguised within the payload.
- Attacker-controlled data can influence server-side processing: Once the malicious data is accepted, it can alter how the application behaves, forcing the server to execute unintended commands.
The result is that JavaScript code can be executed with elevated privileges on the server. This is equivalent to an attacker logging in and controlling the server from the inside.
In simple terms: the system trusted and processed user-submitted data without adequate validation. Attackers exploit this to inject malicious code, causing the server to execute commands on their behalf, ultimately granting them remote control of the machine.
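The three bullets above describe a general pattern rather than any one line of code: a server turns a serialized request into a call on server-side code without first checking that the request has the shape and content it expects. The following is an added illustration of that pattern in plain Node.js; it is not React's or Next.js's code and says nothing about how the actual vulnerable code path looks. The action names, the argument schemas and the sample payloads are all constructed for the example.

```javascript
// Added illustration of "deserialize, then dispatch" with and without validation.
// Not React/Next.js code; the registered actions and schemas are constructed.

// Server-side operations the application intends to expose (hypothetical names).
const registeredActions = new Map([
  ["getProfile", (userId) => ({ userId, name: "sample user" })],
  ["listOrders", (userId, limit) =>
    Array.from({ length: limit }, (_, i) => `${userId}-order-${i}`)],
]);

// Per-action argument rules: the accepted JavaScript type of each position.
const argumentSchemas = {
  getProfile: ["string"],
  listOrders: ["string", "number"],
};

// A plain-object copy of the table, as a naive implementation might keep it.
const plainTable = Object.fromEntries(registeredActions);

// UNSAFE: the wire format is parsed and immediately converted into a call.
// Whatever arrives in the payload decides which server code runs and with
// which arguments; nothing about the structure is verified first.
function unsafeDispatch(rawBody, serverTable) {
  const payload = JSON.parse(rawBody);
  const fn = serverTable[payload.action]; // unchecked lookup on a plain object
  return fn(...payload.args);             // no count, type or range checks
}

// CHECKED: every field is validated before the dispatcher touches server code.
// Returns { ok, result } or { ok, reason } instead of throwing, so the caller
// can log the rejection as a potential exploitation indicator.
function checkedDispatch(rawBody) {
  let payload;
  try {
    payload = JSON.parse(rawBody);
  } catch {
    return { ok: false, reason: "malformed JSON" };
  }
  if (payload === null || typeof payload !== "object" || Array.isArray(payload)) {
    return { ok: false, reason: "payload must be an object" };
  }
  const { action, args } = payload;
  // Allowlist: only explicitly registered names, looked up on a Map so that
  // inherited Object properties can never be selected by the client.
  if (typeof action !== "string" || !registeredActions.has(action)) {
    return { ok: false, reason: "unknown action" };
  }
  const schema = argumentSchemas[action];
  if (!Array.isArray(args) || args.length !== schema.length) {
    return { ok: false, reason: "wrong argument count" };
  }
  for (let i = 0; i < schema.length; i++) {
    if (typeof args[i] !== schema[i]) {
      return { ok: false, reason: `argument ${i} must be ${schema[i]}` };
    }
  }
  return { ok: true, result: registeredActions.get(action)(...args) };
}

// Constructed request bodies: one well-formed, one with a type confusion.
const goodBody = JSON.stringify({ action: "listOrders", args: ["u1", 2] });
const badBody = JSON.stringify({ action: "listOrders", args: ["u1", "2"] });

console.log("unsafe accepts bad body:", unsafeDispatch(badBody, plainTable));
console.log("checked rejects bad body:", checkedDispatch(badBody));
console.log("checked accepts good body:", checkedDispatch(goodBody));
```

The point of the contrast is the order of operations: in the checked version the payload is inspected as untrusted data and rejected on the first structural mismatch, and only a value that already passed every check is handed to server code. The unsafe version lets a string reach a parameter that was meant to be a number, which is a small example of attacker-controlled data shaping what the server does.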
Platforms affected by React2Shell
React 19.x server releases and Next.js 15.x and 16.x releases that have not been upgraded to the fixed versions are vulnerable. This means many systems running older versions may already be exposed to potential attack.
Any framework or bundler that integrates the RSC mechanism may be affected if it has not applied the corresponding patch, including:
- Next.js
- Vite (RSC plugin)
- Parcel (RSC plugin)
- React Router (experimental RSC support)
- RedwoodSDK
- Waku
If any of these platforms are using RSC components without having applied the security fix, they may be equally susceptible to exploitation.
What organizations should do immediately to guard against React2Shell
Given the severity of this vulnerability, organizations should act without delay. Early remediation will significantly reduce the risk of exploitation and limit potential damage if an incident occurs.
- Apply official patches from React and Next.js: Prioritize upgrading to the versions in which the vendor has addressed the vulnerability. This is the single most important step to eliminate the technical weakness from your system.
- Audit the versions deployed in production: Identify exactly which version your system is running, whether React Server Components are in use, and whether the patch has already been applied.
- Review system logs for signs of compromise: Check for suspicious HTTP requests, unusual command executions, or unauthorized access activity to detect any early indicators of potential exploitation.
- Deploy a server-side defense layer (such as a web application firewall): Use security solutions to filter and block malicious requests before they reach the server, reducing attack exposure even before a patch can be applied.
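The second step above, auditing which versions are actually deployed, is easy to get wrong by reading package.json alone, because the lockfile is what records the versions really installed, and nested copies under other packages' node_modules can differ from the top-level one. The script below is an added example, not VNETWORK's or the React project's tooling: it reads an npm package-lock.json, lists every installed copy of the packages of interest, and flags each against the major-version ranges this article names and against the fixed versions the operator enters from the vendor advisory. The FIXED_VERSIONS table is a placeholder to be filled in from the advisory; the lockfile contents used for the demonstration are constructed, and the inclusion of the react-server-dom-* packages is an assumption based on their being the npm packages that carry the RSC implementation.

```javascript
// Added example: audit React/Next.js versions recorded in package-lock.json.
// Not the vendor's tooling. Major-version ranges follow the article; fixed
// versions are PLACEHOLDERS that must be taken from the official advisory.

const FIXED_VERSIONS = {
  // PLACEHOLDER: fill in from the vendor advisory; null = not yet entered
  react: null,
  "react-dom": null,
  next: null,
  "react-server-dom-webpack": null,
  "react-server-dom-turbopack": null,
  "react-server-dom-parcel": null,
};

// Major versions the article lists as affected (react-server-dom-* assumed
// to track React's 19.x line).
const AFFECTED_MAJORS = {
  react: [19],
  "react-dom": [19],
  "react-server-dom-webpack": [19],
  "react-server-dom-turbopack": [19],
  "react-server-dom-parcel": [19],
  next: [15, 16],
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const [core, pre] = v.split("-", 2);
  const nums = core.split(".").map(Number);
  if (nums.length !== 3 || nums.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return { nums, pre: pre ?? null };
}

// Comparator: negative if a < b. A prerelease sorts before its release
// (19.0.0-rc.1 < 19.0.0), which matters for "am I at or past the fix?".
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Collect every installed version per package name. Lockfile v2/v3 keeps a
// "packages" map keyed by path; nested copies live under deeper node_modules.
function installedVersions(lockJson) {
  const lock = JSON.parse(lockJson);
  const found = {};
  const add = (name, version) => (found[name] ??= new Set()).add(version);
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      const m = path.match(/^(?:.*\/)?node_modules\/((?:@[^/]+\/)?[^/]+)$/);
      if (m && entry.version) add(m[1], entry.version);
    }
  } else if (lock.dependencies) { // lockfile v1 fallback (top level only)
    for (const [name, entry] of Object.entries(lock.dependencies)) {
      if (entry.version) add(name, entry.version);
    }
  }
  return found;
}

// One finding per installed copy of each package of interest.
function audit(lockJson, fixedVersions) {
  const installed = installedVersions(lockJson);
  const findings = [];
  for (const [name, majors] of Object.entries(AFFECTED_MAJORS)) {
    for (const version of installed[name] ?? []) {
      const major = parseVersion(version).nums[0];
      let status;
      if (!majors.includes(major)) status = "outside-listed-range";
      else if (!fixedVersions[name]) status = "verify-against-advisory";
      else if (compareVersions(version, fixedVersions[name]) >= 0) status = "patched";
      else status = "VULNERABLE";
      findings.push({ name, version, status });
    }
  }
  return findings;
}

// Read a real lockfile from disk (call this from your own script).
function auditLockFile(path, fixedVersions = FIXED_VERSIONS) {
  const fs = require("node:fs");
  return audit(fs.readFileSync(path, "utf8"), fixedVersions);
}

// Constructed lockfile for the demonstration, including a nested older copy.
const SAMPLE_LOCK = JSON.stringify({
  name: "sample-app", lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", dependencies: { next: "15.0.0", react: "19.0.0" } },
    "node_modules/next": { version: "15.0.0" },
    "node_modules/react": { version: "19.0.0" },
    "node_modules/react-dom": { version: "19.0.0" },
    "node_modules/react-server-dom-webpack": { version: "19.0.0" },
    "node_modules/legacy-tool/node_modules/next": { version: "14.2.0" },
    "node_modules/lodash": { version: "4.17.21" },
  },
});

console.table(audit(SAMPLE_LOCK, FIXED_VERSIONS));
```

Run against a production checkout with `auditLockFile("path/to/package-lock.json")` once FIXED_VERSIONS holds the advisory's values; until then every affected-major copy reports "verify-against-advisory" rather than silently passing. A finding of "outside-listed-range" for a nested copy is still worth a look, since the article's ranges describe the vulnerable lines, not a guarantee about everything else.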
That said, a concerning reality persists: the pace at which vulnerabilities are exploited typically outstrips the pace at which organizations can patch them. Exploit code can appear within hours or days of a public disclosure, while the process of auditing, testing, and updating production systems often takes considerably longer. Zero-day vulnerabilities are also on the rise and can be weaponized before any official patch is available.
For this reason, relying solely on software updates is not sufficient. Organizations must deploy additional proactive defense layers to minimize risk.
VNIS: Proactive defense against React2Shell
VNIS (Vietnam Network Intelligence Security) is a WAAP (Web and API Application Protection) platform developed by VNETWORK with AI at its core. The AI in VNIS goes beyond analysis: it actively participates in attack forecasting, anomaly behavior detection, traffic analysis, and automatic defense updates when new vulnerabilities emerge.
As soon as the React2Shell vulnerability was disclosed in late 2025, VNIS rapidly updated its defense mechanisms to mitigate risk for customers:
- Defense rules updated immediately upon vulnerability disclosure: The system automatically adds rules to identify and block attack patterns that exploit RCE.
- Exploit requests blocked before reaching the server: Malicious requests are filtered and neutralized at the protection layer, ensuring the origin server remains unaffected.
- Real-time anomaly detection: AI continuously analyzes traffic to identify exploitation indicators, even in the absence of known attack signatures.
- Protection for web, app, and API without service disruption: The system operates reliably without impacting end-user experience.
Notably, VNIS's two-layer protection model is designed to deliver both security and performance optimization:
- Layer 1: AI Smart Load Balancing and Multi-CDN: Intelligent AI-powered traffic distribution, edge-level filtering of abnormal traffic, DDoS protection at Layer 3/4, and reduction of load on the origin server. The infrastructure can handle up to 2,600 Tbps across more than 2,300 PoPs in 146 countries.
- Layer 2: AI-integrated Cloud WAAP: Integrates a WAF with over 2,400 rules covering common risks such as OWASP Top 10, detection of RCE exploits like React2Shell, blocking of malicious bots, defense against brute force attacks, and real-time behavioral monitoring.
VNIS not only strengthens security but also optimizes system performance: the service delivers 99.99% uptime, operates under a clearly defined SLA, is monitored by a SOC 24/7/365, and allows centralized management of CDN, WAF, and DNS from a single platform. The system is continuously updated to respond to newly discovered vulnerabilities.
In an era where zero-day attacks are escalating and AI is being actively weaponized by threat actors, AI-powered proactive defense is no longer optional. It is a business-critical capability.
Do not wait for an incident to happen. Deploy VNIS to protect your Web, App, and API against zero-day vulnerabilities like React2Shell, where AI is built to defend your business.
FAQ: Frequently asked questions about React2Shell
1. What is React2Shell?
React2Shell is a remote code execution (RCE) vulnerability in React Server Components. Attackers can exploit it using a single specially crafted HTTP request without any authentication, enabling them to take control of the server and deploy malicious code.
2. Does React2Shell affect Next.js?
Yes. Applications using Next.js with React Server Components are at risk if the security patch has not been applied. In particular, the App Router in default production configurations may be exploitable from the internet.
3. Why is React2Shell more dangerous than many other vulnerabilities?
Because it requires no authentication, is reliably exploitable, affects default configurations, and has publicly available exploit code. Together these let attackers automate attacks at scale within a short timeframe.
4. Is applying the patch alone sufficient for protection?
Patching is mandatory but not enough on its own. During the window between vulnerability disclosure and complete patching, systems remain exposed. Organizations need a front-line protection layer such as an AI-integrated WAF to block attacks in real time.
5. How does VNIS protect against React2Shell?
VNIS updates its defense rules immediately upon vulnerability discovery, uses AI to analyze behavioral and traffic anomalies, and blocks RCE exploit requests before they reach the origin server. The Cloud WAAP and Multi-CDN infrastructure ensures attacks are neutralized upstream, maintaining stable operations.
