React’s Critical RCE Flaw Is Now Being Exploited in the Wild – Here’s What You Need to Know
A critical remote code execution vulnerability in React Server Components, now being called React2Shell, is under active exploitation just hours after public disclosure. Attackers are already scanning for and compromising vulnerable apps, making this one of the fastest-moving web threats in recent memory.
The flaw, tracked as CVE-2025-55182, is a server-side vulnerability in React Server Components that allows unauthenticated remote code execution with a CVSS score of 10.0 – the highest possible severity. It affects applications using React Server Components in certain configurations, and patches have been released by the React team to address the issue. Major cloud providers and security firms have observed multiple threat actors, including China-linked groups, actively scanning for and exploiting this flaw in production environments.
If you’re running a React app that uses Server Components, this is not a theoretical risk – it’s a live exploit. An attacker can potentially run arbitrary code on your server, steal data, pivot to internal systems, or turn your app into a launchpad for further attacks. If you haven’t already, you need to patch immediately, audit any exposed React Server Component endpoints, and treat any unpatched instance as compromised until proven otherwise.
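The audit step above starts with knowing which of your projects declare React Server Components packages and at what version. The following POSIX shell script is an added example, not code from the article or from the React project: it inventories `react`, `react-dom` and any `react-server-dom-*` entry in every `package.json` under a directory tree (skipping `node_modules`) and flags entries below a version you pass in. The package names it searches for and the sample project it builds are assumptions; the fixed version numbers themselves must come from the React team's advisory.

```shell
#!/bin/sh
# Added example, not code from the article or the React project: quick triage
# of which React packages a project tree declares, so they can be compared with
# the versions listed in the React team's advisory. The package names searched
# for and the constructed sample project are assumptions.
set -eu

# Print "file package version" for react, react-dom and any react-server-dom-*
# entry declared in package.json files under DIR. node_modules is pruned so the
# report shows what the project asks for, not what happens to be installed.
react_inventory() {
  find "$1" -name node_modules -prune -o -name package.json -print | while read -r f; do
    # Dependency-free JSON scraping: one "name": "range" pair per line; leading
    # range operators (^ ~ >=) are dropped so only the declared minimum shows.
    grep -oE '"(react|react-dom|react-server-dom-[a-z]+)"[[:space:]]*:[[:space:]]*"[^"]+"' "$f" \
      | sed -nE 's/"([^"]+)"[[:space:]]*:[[:space:]]*"[^0-9]*([0-9][^"]*)"/\1 \2/p' \
      | while read -r name ver; do printf '%s %s %s\n' "$f" "$name" "$ver"; done
  done
}

# Return 0 when version A sorts strictly below version B on major.minor.patch.
# Leading range operators and pre-release suffixes (19.0.0-canary-...) are
# ignored for the comparison.
semver_lt() {
  a=$(printf '%s' "$1" | sed -E 's/^[^0-9]*//; s/[^0-9.].*//')
  b=$(printf '%s' "$2" | sed -E 's/^[^0-9]*//; s/[^0-9.].*//')
  if [ "$a" = "$b" ]; then
    return 1
  fi
  lowest=$(printf '%s\n%s\n' "$a" "$b" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
  [ "$lowest" = "$a" ]
}

# Print every inventory line whose version is below MIN_VERSION (the fixed
# version taken from the advisory). Returns 0 when something was flagged,
# 1 when the tree is clean, so it can gate a CI job.
flag_outdated() {
  react_inventory "$1" | while read -r f name ver; do
    if semver_lt "$ver" "$2"; then
      printf 'BELOW %s: %s %s (%s)\n' "$2" "$name" "$ver" "$f"
    fi
  done | grep .
}

# Build a small constructed project tree (two package.json files plus an
# installed copy under node_modules that must be ignored) and print its path.
make_sample_project() {
  d=$(mktemp -d)
  mkdir -p "$d/web" "$d/api" "$d/web/node_modules/react"
  cat > "$d/web/package.json" <<'EOF'
{
  "name": "web",
  "dependencies": {
    "react": "^19.0.0",
    "react-dom": "^19.0.0",
    "react-server-dom-webpack": "19.0.0"
  }
}
EOF
  cat > "$d/api/package.json" <<'EOF'
{ "name": "api", "dependencies": { "react": "19.0.2" } }
EOF
  printf '{"name":"react","version":"19.0.0"}\n' > "$d/web/node_modules/react/package.json"
  printf '%s' "$d"
}

# Demo run on the constructed tree: sh react_inventory.sh --demo
# Real use: flag_outdated /path/to/monorepo <FIXED_VERSION_FROM_ADVISORY>
if [ "${1-}" = "--demo" ]; then
  sample=$(make_sample_project)
  react_inventory "$sample"
  flag_outdated "$sample" 19.0.1 || echo "nothing below 19.0.1"
fi
```

The script deliberately reads declared ranges rather than the lock file, which tells you where to bump a dependency but not what is actually deployed; follow it up with `npm ls` (or your package manager's equivalent) in each project to confirm the resolved versions, and remember that a declared floor of a fixed version only helps once the lock file and the deployed build have been regenerated.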
Bottom line: React2Shell is the kind of “patch now or pay later” vulnerability that can burn you in a single request. If you’re using React Server Components, stop what you’re doing, update, and verify.

