React2Shell is a 10/10 nightmare for web devs


According to Infosecurity Magazine, a critical remote code execution vulnerability, officially tracked as CVE-2025-55182 and dubbed React2Shell, has been found in React. Security researcher Lachlan Davidson disclosed it to Meta on November 29, 2025, and it carries the maximum CVSS score of 10.0. The flaw sits in React's server-side packages (React Server Components); Next.js, which is built on those packages, issued its own advisory for CVE-2025-66478, though NVD rejected that record as a duplicate of CVE-2025-55182. Researchers at Tenable and JFrog warn that exploitation succeeds almost every time against default configurations and requires no authentication. On December 5, 2025, a working proof-of-concept was published by a researcher going by maple3142, and cybersecurity firm OX Security confirmed that active exploitation is under way. Affected are React servers that expose React Server Function endpoints and Next.js apps in their default (App Router) setup.


Why this is so bad

Here’s the thing: this isn’t some obscure configuration issue. It hits the logic React’s own server packages use to deserialize incoming Server Function requests. That means it’s not a problem with some weird plugin you installed; it’s in the foundation. Ari Eitan from Tenable put it bluntly: exploitation is “incredibly simple.” A single malicious HTTP request can give an attacker full control of your server. And with a near-100% success rate in default setups? That’s basically a skeleton key for a huge portion of the modern web. The comparison to Log4Shell isn’t just for dramatic effect. It’s about ubiquity and ease. When frameworks this widespread have a flaw this severe, the entire internet’s attack surface just got a lot bigger.

The active exploitation problem

Now, it’s game on. The publication of a verified PoC on December 5th turned this from a theoretical threat into a live-fire exercise. Security teams are now in a race against attackers who have a working recipe. And to make matters worse, JFrog is warning about fake PoCs on GitHub laced with malicious code. So even developers trying to responsibly test their systems could walk into another trap: treat any PoC you did not verify yourself as untrusted code, and run it only in an isolated environment. It’s a mess. The timeline here is brutal: disclosure, patch development, and then *boom*, public exploit code before a lot of teams have even finished their morning coffee. This is when the real damage happens.

What you need to do

First, don’t panic, but do move fast. The fix is to upgrade the vulnerable packages. For React, that means updating whichever server package your bundler uses: react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack. The official CVE record lists the affected and patched versions. For Next.js, review their security advisory and the Tenable analysis, and upgrade the next package itself: Next.js ships its own copy of the React server code, so bumping react-server-dom-* in your own dependency tree does not patch a Next.js app. If you’re not deeply reliant on the App Router, one mitigation is to migrate back to the Pages Router using their migration guide. But honestly, patching is the only real solution. Scan your dependencies and lockfiles (including nested, transitive copies), apply the updates, and assume someone is already probing your endpoints.
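A concrete way to do that dependency scan, as an added example that is not code from the article, from React or from Next.js: the script below walks an npm package-lock.json (lockfileVersion 2 or 3), finds every installed copy of the three server packages named above, top-level or nested, and reports which are below the first fixed release on their minor line. The FIXED table is an assumption taken from the React advisory as published and should be confirmed against the official CVE record; the sample lockfile at the bottom is constructed for the demo, and the file name in the usage comment is made up.

```javascript
"use strict";
// Added example: audit an npm package-lock.json for React2Shell (CVE-2025-55182).
// Not code from the article, from React or from Next.js. Assumes a lockfile of
// lockfileVersion 2 or 3 (the "packages" map) and that the FIXED table below
// matches the React advisory; confirm both against the official CVE record.

// The three server packages named in the advisory.
const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// ASSUMPTION: first patched release on each affected minor line (19.0.x,
// 19.1.x, 19.2.x), as published by React. Lines not listed here are reported
// as "unknown-line" rather than silently treated as safe.
const FIXED = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numbers plus the pre-release tag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// True when `version` is at or above `fixed`. A pre-release (e.g. a canary cut
// before 19.2.1 shipped) sorts below the plain release with the same numbers,
// so "19.2.1-canary-..." is still treated as unpatched.
function isAtLeast(version, fixed) {
  const a = parseVersion(version);
  const b = parseVersion(fixed);
  if (!a || !b) return false;
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] > b.nums[i];
  }
  return !(a.pre && !b.pre);
}

// Classify one react-server-dom-* version string.
function classify(version) {
  const v = parseVersion(version || "");
  if (!v) return "unparseable";
  const fixed = FIXED[`${v.nums[0]}.${v.nums[1]}`];
  if (!fixed) return "unknown-line";
  return isAtLeast(version, fixed) ? "patched" : "vulnerable";
}

// Walk every installed copy (top-level and nested) and report the ones that matter.
function auditLockfile(lock) {
  if (!lock || !lock.packages || typeof lock.packages !== "object") {
    throw new Error("expected lockfileVersion 2 or 3 (a 'packages' map); regenerate with a current npm");
  }
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // "" is the project itself; other such entries are workspaces
    const name = path.slice(idx + "node_modules/".length);
    if (name === "next") {
      // Next.js bundles its own copy of the React server code, so the
      // react-server-dom-* entries in this lockfile say nothing about it:
      // its version has to be checked against the Next.js advisory directly.
      findings.push({ path, name, version: meta.version, status: "check-next-advisory" });
    } else if (RSC_PACKAGES.has(name)) {
      findings.push({ path, name, version: meta.version, status: classify(meta.version) });
    }
  }
  return findings;
}

// Constructed sample lockfile (not a real project): a vulnerable top-level copy,
// a patched nested copy, an unpatched canary build and a Next.js app.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/next": { version: "15.5.6" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-tool/node_modules/react-server-dom-webpack": { version: "19.1.2" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.1-canary-0123abcd-20251201" },
  },
};

// Usage: node react2shell-lock-audit.js [path/to/package-lock.json]
// With no path the constructed sample above is audited instead.
if (typeof require === "function" && require.main === module) {
  const fs = require("node:fs");
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
  for (const f of auditLockfile(lock)) {
    console.log(`${f.status.padEnd(20)} ${f.name}@${f.version}  (${f.path})`);
  }
}
```

Two design points worth noting: nested copies are reported on purpose, because a patched top-level entry does not help if a tool further down the tree still pulls an old one; and versions on a minor line the table does not cover are surfaced as "unknown-line" instead of being assumed safe, so a new affected line discovered later is not hidden by the script.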

The broader context

This is another brutal reminder about supply chain security. Your app is only as strong as its weakest foundational dependency. React and Next.js are so deeply embedded in our infrastructure that a flaw like this sends shockwaves far beyond typical software bugs. It puts every company using these frameworks, which is a massive number, on immediate high alert. I think we’ll see a renewed, frantic push for more rigorous security audits in these core open-source projects. The researcher, Lachlan Davidson, and the teams at JFrog (who have a detailed analysis) deserve credit for sounding the alarm. But the real work is just starting for thousands of DevOps and security engineers tonight. Buckle up.
