19/12/2025
by Taryn Plumb
React2Shell is the Log4j moment for front end development
Dec 18, 2025
Attackers are exploiting a Flight protocol validation failure that allows them to execute arbitrary code without authentication.
Attackers have upped the ante in their exploits of a recently-disclosed maximum severity vulnerability in React Server Components (RSC), Next.js, and related frameworks.
Financially-motivated attackers have found a way to use the flaw, dubbed React2Shell (CVE-2025-55182), to execute arbitrary code on vulnerable servers through a single malicious HTTP request. This allows them to quickly and easily gain access to a corporate network and deploy ransomware, according to researchers at cybersecurity company S-RM and the Microsoft Defender Security Research Team.
Attackers initially exploited the vulnerability to introduce backdoor malware and crypto miners; this new method represents an escalation, and experts say it reveals a fundamental security flaw in front end development.
"For too long, we've treated front end development as low end, low risk work," said David Shipley of Beauceron Security. "This is to front end of applications what Log4j was to the back end, a massive opportunity for attackers."
How attackers easily get "highly privileged" access
React is widely used in enterprise environments, with Microsoft researchers identifying "tens of thousands of distinct devices across several thousand organizations" running React or React-based applications.
React2Shell is a pre-authentication remote code execution (RCE) vulnerability affecting React Server Components (RSC), the open-source framework Next.js, and other related frameworks. It has been rated a 10 on the Common Vulnerability Scoring System (CVSS) because it is easy to exploit, puts numerous exposed systems at risk, and is highly susceptible to automated attacks since it doesn't require authentication to execute.
The vulnerability specifically impacts the Flight protocol, a core feature in the React development library and Next.js. RSC contains packages, frameworks, and bundlers that allow React apps to run parts of their logic on the server rather than in the browser.
Flight allows server and client to communicate; when the client requests data, the server receives and parses a payload, executes server-side logic, and returns a human-readable software package.
With the React2Shell vulnerability, impacted RSCs fail to validate incoming payloads, allowing threat actors to inject malicious components that React identifies as legitimate. Attackers can send HTTP requests to trick the server into running compromised code, potentially giving them "highly privileged" access to unpatched systems, according to the S-RM researchers.