Millions of Next.js Sites Exposed: “React2Shell” Flaw Sparks Global Web Security Crisis
A critical bug in React Server Components leaves more than 2 million web applications at risk, as hackers race to exploit unpatched sites worldwide.
When news broke of a devastating vulnerability lurking deep within the internet’s favorite JavaScript frameworks, security teams snapped into action. The flaw - codenamed “React2Shell” - has unleashed a digital firestorm, jeopardizing millions of Next.js-powered sites and their users. As threat actors mobilize and proof-of-concept exploits multiply, the clock is ticking for organizations everywhere.
Critical Flaw, Massive Exposure
At the heart of this crisis is CVE-2025-55182, a vulnerability affecting React Server Components (RSC) - a technology widely adopted by modern web frameworks like Next.js. The flaw scores a perfect 10 on the CVSS scale, reflecting both its severity and the ease with which it can be exploited.
Security researchers at Censys have mapped the scale: more than 2.15 million services are running potentially vulnerable versions. While not every instance is confirmed exploitable, the sheer number amplifies the urgency. Popular frameworks - Next.js, Waku, React Router RSC, Vite RSC, Parcel RSC, and RedwoodSDK - are all in the blast radius.
How the Attack Works
The technical core of “React2Shell” is a classic but devastating mistake: insecure deserialization of JSON payloads by server-side React packages. Specifically, the packages react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack fail to properly validate incoming data. This allows a remote attacker - with no need for authentication - to send a specially crafted HTTP request that tricks the server into executing arbitrary JavaScript code.
The consequences? Unfettered access to the server, paving the way for web shells, backdoors, and long-term compromise. Even applications not explicitly using Server Functions may be at risk if RSC is enabled server-side. Purely client-side React apps remain safe.
Exploits in the Wild
Within a day of disclosure, AWS observed threat actors - linked to groups like Earth Lamia and Jackpot Panda - actively exploiting the flaw. Attackers are using public proof-of-concept code (some of it booby-trapped) to hijack vulnerable servers. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has sounded the alarm, adding the bug to its emergency patching list.
React and Next.js maintainers have moved quickly, releasing patched versions for all supported branches. Major cloud providers like Cloudflare and AWS have rolled out temporary web application firewall (WAF) rules, but researchers warn these are already being bypassed in some cases.
What Should Organizations Do?
Experts urge organizations to immediately audit their internet-facing assets for RSC usage, verify package versions, and upgrade to the latest patched releases. Temporary WAF protections are no substitute for real fixes. With active exploitation and millions of sites exposed, the risk is far too great to delay.
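The audit step above (find RSC packages, check their versions) can be scripted against a project's lockfile. The following is an added example written for this article, not code from the article, the React team, or any of the frameworks named; it assumes an npm `package-lock.json` with `lockfileVersion` 2 or 3, and the `PATCHED_FLOOR` table holds constructed placeholder versions that must be replaced with the fixed versions published in the React advisory for CVE-2025-55182.

```javascript
// Added example, not from the article or the React project: audit a
// package-lock.json (lockfileVersion 2 or 3) for the three React Server
// Components packages the article names and classify each resolved copy.
// ASSUMPTION: PATCHED_FLOOR holds constructed placeholder versions; replace
// them with the fixed versions from the React advisory for CVE-2025-55182.

const AFFECTED_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];

// Placeholder table: lowest fixed version for each release line ("major.minor").
// These values are constructed for the demo and are NOT the real fixed versions.
const PATCHED_FLOOR = {
  "19.0": "19.0.99",
  "19.1": "19.1.99",
  "19.2": "19.2.99",
};

// "19.1.2-canary.3" -> [19, 1, 2]; prerelease/build tags are ignored.
// Returns null for anything that is not major.minor.patch.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:[-+]|$)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric comparison, so 19.1.10 sorts after 19.1.2 (a string compare would not).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) return null;
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function classify(version, floors) {
  const parsed = parseVersion(version);
  if (!parsed) return "unknown-version";
  const floor = floors[`${parsed[0]}.${parsed[1]}`];
  if (!floor) return "unknown-release-line"; // not in the table: check by hand
  return compareVersions(version, floor) >= 0 ? "patched" : "vulnerable";
}

// Keys in "packages" look like "node_modules/<name>" or, for nested copies,
// "node_modules/<dep>/node_modules/<name>"; every copy is reported, because a
// patched top-level copy does not fix a vulnerable nested one.
function auditLockfile(lock, floors = PATCHED_FLOOR) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!AFFECTED_PACKAGES.includes(name)) continue;
    const version = entry.version || "unknown";
    findings.push({ path, name, version, status: classify(version, floors) });
  }
  return findings;
}

// Constructed sample lockfile, used when no path is given on the command line.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/next": { version: "15.0.0" },
    "node_modules/react-server-dom-webpack": { version: "19.1.0" },
    "node_modules/react-server-dom-parcel": { version: "18.3.1" },
    "node_modules/build-tool/node_modules/react-server-dom-turbopack": { version: "19.2.99" },
  },
};

function main(argv) {
  const file = argv[2];
  const lock = file ? JSON.parse(require("node:fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
  const findings = auditLockfile(lock);
  if (findings.length === 0) console.log("no RSC packages found in lockfile");
  for (const f of findings) {
    console.log(`${f.status.padEnd(20)} ${f.name}@${f.version}  (${f.path})`);
  }
  // Fail the CI job only when a real lockfile was audited and something is not patched.
  if (file && findings.some((f) => f.status !== "patched")) process.exitCode = 1;
}

if (typeof require !== "undefined" && require.main === module) main(process.argv);
```

Run it as `node audit-rsc.js path/to/package-lock.json`; with no argument it audits the embedded sample. A result of `unknown-release-line` means the version is outside the table and needs a manual look, which matters for old major lines that may not receive a fix at all. The lockfile check only covers what a deployment was built from; the article's advice to audit internet-facing assets still requires confirming which deployed builds actually have RSC enabled server-side.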