A critical vulnerability dubbed “React2Shell” has just dropped, and if you’re running anything with React Server Components, you need to patch immediately. This is being compared to Log4Shell for good reason—it’s a CVSS 10.0, unauthenticated RCE that affects default configurations.
What Is React2Shell?
React2Shell (CVE-2025-55182) is an unsafe deserialization vulnerability in React Server Components. An unauthenticated, remote attacker can exploit this by sending a specially crafted payload to a vulnerable React Server Function endpoint, resulting in remote code execution on the server. (Source: Tenable)