React2Shell: Understanding the New React Security Threat and How to Respond
8th Dec 2025
A new security vulnerability – React2Shell (CVE-2025-55182) – has recently come to light. It affects certain configurations of React, one of the most widely used technologies in modern web development. While headline vulnerabilities can often feel distant or overly technical, this one deserves attention because it targets the server-side of applications, where the most sensitive operations occur.
Put simply, React2Shell could, in specific circumstances, allow an attacker to run commands directly on the server powering your systems. That can lead to data theft, system compromise and further movement across your network. For organisations handling personal, operational or financial data, this is a scenario that needs rapid assessment.
React is frequently used solely in the browser to deliver interactive user experiences. In those cases, React2Shell does not apply. However, as organisations increasingly adopt server-side rendering or newer features such as React Server Components, React is playing a more central role in infrastructure.
That shift has benefits – smoother performance, better SEO, enhanced user experience – but it also introduces new risk surfaces. React2Shell is one of those, emerging from the complexity of server behaviour.
The vulnerability relates to specific React Server Component packages, including:
react-server-dom-webpack
react-server-dom-parcel
react-server-dom-turbopack
These packages are sometimes used directly, but are also frequently included inside authentication systems, design frameworks or build tools. This means you may not immediately realise you are using them.
In addition, several popular frameworks incorporate these components as part of their server-side capabilities:
If any part of your application uses React on the server – even just for login pages or specific content sections – you may be exposed without knowing it.
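One way to find out whether those packages are present, added here as an example and not code from Assure Technical or the React project: the script below reads the "packages" map of a lockfileVersion 2 or 3 package-lock.json and reports every installed copy of the three packages named above, including copies nested under another dependency. The sample lockfile, its package names and its versions are constructed for illustration; the script makes no claim about which versions are affected, so compare real findings against the React advisory.

```javascript
// Added example (not Assure Technical's or React's code): list every installed
// copy of the React Server Components packages the post names, including copies
// nested under another dependency. Reads the "packages" map of a lockfileVersion
// 2 or 3 package-lock.json, keyed by install path such as
// "node_modules/some-framework/node_modules/react-server-dom-webpack".
const AFFECTED_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];
// Package name from an install path; handles scoped names such as "@scope/pkg".
function packageName(installPath) {
  return installPath.slice(installPath.lastIndexOf("node_modules/") + "node_modules/".length);
}
// Which package pulled in a nested copy, or "(direct dependency)" at top level.
function pulledInBy(installPath) {
  const idx = installPath.lastIndexOf("/node_modules/");
  return idx < 0 ? "(direct dependency)" : packageName(installPath.slice(0, idx));
}
function findAffectedPackages(lock) {
  const hits = [];
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    if (installPath === "") continue; // the root project entry
    const name = packageName(installPath);
    if (AFFECTED_PACKAGES.includes(name)) {
      hits.push({ name, version: entry.version, via: pulledInBy(installPath), installPath });
    }
  }
  return hits;
}
// Constructed sample lockfile; versions are illustrative, not a statement of which releases are affected.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/react": { version: "19.0.0" },
    "node_modules/some-ui-framework": { version: "2.3.1" },
    "node_modules/some-ui-framework/node_modules/react-server-dom-webpack": { version: "19.0.0" },
    "node_modules/react-server-dom-parcel": { version: "19.0.0" },
  },
};
// Usage: node check-rsc.js [path/to/package-lock.json]; without an argument the sample lockfile is scanned.
if (typeof require !== "undefined" && require.main === module) {
  const lock = process.argv[2] ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
  for (const h of findAffectedPackages(lock)) console.log(`${h.name}@${h.version} via ${h.via} (${h.installPath})`);
}
```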
Today’s technology stacks are layered, modular and often inherited from previous development decisions. It is common for organisations to be uncertain whether server-side React features have been enabled:
React2Shell is not a theoretical flaw – real-world exploit code exists. The sooner you know your status, the sooner you can make informed decisions.
Assure Technical is helping organisations gain clarity quickly. We are offering a free, expert-led scan that identifies whether your environment uses the affected components.
This service is:
You will receive:
There is no obligation beyond confirming your current position.
If your systems are unaffected, you have instant peace of mind.
If any exposure is found, we will help you understand:
Our objective is to ensure you remain safe while enabling your teams to continue innovating with modern technologies.
Security threats will continue to evolve as the web ecosystem advances. React2Shell is a reminder that when capabilities shift from the browser into the server environment, the stakes rise as well. With the right expertise, these risks can be addressed swiftly and confidently.
If you would like to find out more, please get in touch. Our award-winning team are here to help you become more cyber secure.
Get in touch with our expert consultants for straight-talking, jargon-free technical security advice.