Joy, React2Shell Is a 10/10 RCE Vulnerability Found On Over A Third Of Cloud Environments
Patch Even If You Haven’t Enabled React Server Components
React2Shell is a newly spotted vulnerability, and around 40% of all Cloud environments and 6% of websites are vulnerable to it. It leverages a flaw in React Server Components, and even if your app doesn’t use those components, simply being compatible with them is enough to make you vulnerable. It’s a perfect 10 because all it takes is a single HTTP request to trigger it, with “near-100% reliability” in a successful exploit of the flaw. In this case exploitation means code execution; the researchers haven’t revealed how large a code payload React2Shell will be able to trigger, as not enough systems have been patched.
It isn’t just small private Cloud environments that are vulnerable; “Meta’s Facebook and Instagram, Netflix, Airbnb, Shopify, Hello Fresh, Walmart, and Asana rely on it” in addition to hordes of developer environments. You can check your installed version against the list at Bleeping Computer to ensure you get patched, and hope that the large companies are able to patch quickly without breaking things.
The security issue stems from insecure deserialization. It received a severity score of 10/10 and has been assigned the identifiers CVE-2025-55182 for React and CVE-2025-66478 (CVE rejected in the National Vulnerability Database) for Next.js.
More Tech News From Around The Web
- Microsoft 365 license check bug blocks desktop app downloads @ Bleeping Computer
- UEFI On ARM? More Likely Than You Think @ Hackaday
- ‘End-To-End Encrypted’ Smart Toilet Camera Is Not Actually End-To-End Encrypted @ Slashdot
- The OnePlus 15 is finally up for preorder after delay imposed by government shutdown @ Ars Technica
- Subaru Owners Are Ticked About In-Car Pop-Up Ads For SiriusXM @ Slashdot
- The NPU in your phone keeps improving—why isn’t that making AI better? @ Ars Technica
- Linux 6.18 arrives as the year’s final drop and likely next LTS @ The Register


