React2Shell: What You Need To Know About This New Server-Side React Risk

A new security issue called React2Shell is getting a lot of attention because it puts many server-side React and Next.js setups at risk. If your organisation runs modern web applications, especially those built with React or Next.js, this is something you need to understand and act on quickly.
This blog explains:
- What React2Shell is
- Who is likely to be affected
- What the risk is for your organisation
- What actions both technical teams and business leaders should take.
What is React2Shell?
React2Shell is a critical vulnerability, rated CVSS 10 (the maximum severity), in React Server Components, a way of running React code on the server to build web pages.
In simple terms, an attacker sends a specially crafted request to a vulnerable server, and the server can be tricked into running the attacker's code. This is called remote code execution (RCE), meaning the attacker may gain the same level of control as the application itself.
At that point, an attacker may be able to:
- Steal or alter data
- Add hidden backdoors
- Use the server to move deeper into your environment
- Disrupt services or plant ransomware
You do not need to know the low-level technical details, but you do need to treat this as a high-risk vulnerability.
Who could be affected?
React2Shell matters if your organisation uses React on the server side. You should treat yourself as potentially exposed until proven otherwise if your applications:
- Use Next.js with the App Router,
- Use React Server Components,
- Use Server Actions or similar server-side React features,
- Perform server-side rendering of React pages based on user input.
This includes applications:
- Hosted in the cloud (for example on Vercel, AWS, Azure, GCP),
- Hosted on your own infrastructure,
- Hosted by a third party on your behalf.
Even if your internal teams do not build with React, your software vendors and third-party service providers might, which can still create risk to your information and services.
Why this matters for your organisation
React2Shell matters because it combines high risk, active exploitation, and clear governance expectations.
- High risk: If exploited, an attacker may run their own code on your server. This can lead to data exposure, service disruption, or a foothold inside your wider environment.
- Actively targeted: Scanning and exploitation attempts are already occurring. If your systems are exposed and unpatched, it is reasonable to assume they will be found quickly.
- Governance and compliance: Critical vulnerabilities must be managed promptly under common security expectations, including ISO/IEC 27001, ASD Essential Eight, PCI DSS and similar frameworks. A slow response creates risk.
What should we do?
Both technical teams and non-technical leaders have a role in managing React2Shell effectively.
Technical Teams
1. Identify exposure
- Inventory applications using React or Next.js.
- Confirm which ones use server-side features such as React Server Components, Next.js App Router, Server Actions or server-side rendering.
2. Patch and update
- Apply the vendor-recommended patches to React (including the React Server Components packages) and Next.js, prioritising internet-facing systems.
- Update build and deployment pipelines so that vulnerable versions are not reintroduced.
3. Add temporary protections where needed
- Tighten web application firewall (WAF) rules for server-side React endpoints.
- Filter or block suspicious requests and, if necessary, temporarily disable high-risk features until patches are applied. Treat these as stopgaps: they reduce exposure but do not remove the vulnerability.
4. Review logs and monitoring
- Examine logs for unusual or malformed requests, unexpected errors, or suspicious activity targeting server-side routes.
- Escalate via incident response procedures if there are signs of attempted or successful exploitation.
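Step 1 asks for an inventory of React and Next.js applications and their server-side features, and step 2 for patching to the vendor-recommended versions. The script below is an added example written for this post; it is not code from CyberUnlocked or from the React or Next.js projects. It walks a source tree, reads each package.json, records the declared versions of react, react-dom, next and the react-server-dom-* packages, and flags projects that use the Next.js App Router (an app/ or src/app/ directory in a Next.js project) or Server Actions (a 'use server' directive). The fixed version numbers are not hard-coded: DEMO_PATCHED holds placeholder values for the demo and must be replaced with the versions listed in the React and Next.js advisories. The sample project tree is constructed by build_fixture() and is not a real codebase.

```python
import json
import os
import re
import tempfile

# Packages the inventory records; react-server-dom-* is the React Server
# Components runtime that Next.js and other frameworks bundle.
SERVER_PACKAGES = ("react", "react-dom", "next", "react-server-dom-webpack",
                   "react-server-dom-turbopack", "react-server-dom-parcel")
SOURCE_EXT = (".js", ".jsx", ".ts", ".tsx", ".mjs")
SKIP_DIRS = {"node_modules", ".next", ".git", "dist", "build"}
# Server Actions are marked by a 'use server' directive at file or function start.
USE_SERVER = re.compile(r"""^\s*(['"])use server\1\s*;?\s*$""", re.MULTILINE)


def parse_version(spec):
    """Lower bound of a range such as '^19.0.0' as (major, minor, patch); None for
    git URLs, tags like 'latest' or workspace ranges, which carry no number."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", spec)
    return tuple(int(x) for x in m.groups()) if m else None


def version_status(spec, fixed_versions):
    """Compare a declared version with the advisory's fixed version for the same
    major.minor line. A line with no listed fix is 'unknown', never assumed safe."""
    v = parse_version(spec)
    if v is None:
        return "unknown"
    same_line = [f for f in fixed_versions if f[:2] == v[:2]]
    if not same_line:
        return "unknown"
    return "patched" if v >= max(same_line) else "vulnerable"


def uses_server_actions(project_dir):
    """True if any source file outside node_modules carries a 'use server' directive."""
    for root, dirs, files in os.walk(project_dir):
        dirs[:] = [d for d in dirs if d not in SKIP_DIRS]
        for name in files:
            if name.endswith(SOURCE_EXT):
                with open(os.path.join(root, name), encoding="utf-8", errors="ignore") as fh:
                    if USE_SERVER.search(fh.read()):
                        return True
    return False


def scan_project(project_dir, patched):
    """Inventory one project: declared versions, patch status, App Router, Server Actions."""
    with open(os.path.join(project_dir, "package.json"), encoding="utf-8") as fh:
        pkg = json.load(fh)
    deps = {**pkg.get("dependencies", {}), **pkg.get("devDependencies", {})}
    found = {n: deps[n] for n in SERVER_PACKAGES if n in deps}
    # App Router projects keep routes under app/ or src/app/; only meaningful for Next.js.
    app_router = "next" in found and any(
        os.path.isdir(os.path.join(project_dir, d)) for d in ("app", "src/app"))
    server_actions = uses_server_actions(project_dir)
    rsc_runtime = any(n.startswith("react-server-dom-") for n in found)
    return {
        "name": os.path.basename(project_dir),
        "packages": found,
        "status": {n: version_status(s, patched.get(n, ())) for n, s in found.items()},
        "app_router": app_router,
        "server_actions": server_actions,
        # The post's rule: server-side React is exposed until proven otherwise.
        "server_side_react": app_router or server_actions or rsc_runtime,
    }


def scan_tree(root, patched):
    """Scan every directory under root holding a package.json (monorepos included)."""
    results = []
    for dirpath, dirs, files in os.walk(root):
        dirs[:] = [d for d in dirs if d not in SKIP_DIRS]
        if "package.json" in files:
            results.append(scan_project(dirpath, patched))
    return results


def build_fixture():
    """Constructed sample tree, not real projects: a Next.js App Router app with a
    Server Action, and a client-only React app. Returns the temporary root."""
    root = tempfile.mkdtemp(prefix="react2shell-inventory-")
    shop, widget = os.path.join(root, "shop"), os.path.join(root, "widget")
    os.makedirs(os.path.join(shop, "app"))
    os.makedirs(widget)
    with open(os.path.join(shop, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"dependencies": {"next": "^15.0.0", "react": "^19.0.0",
                                    "react-dom": "^19.0.0"}}, fh)
    with open(os.path.join(shop, "app", "actions.ts"), "w", encoding="utf-8") as fh:
        fh.write("'use server'\nexport async function addToCart(id: string) {}\n")
    with open(os.path.join(widget, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"dependencies": {"react": "^18.2.0", "react-dom": "^18.2.0"}}, fh)
    return root


# Demo thresholds only, NOT the advisory's numbers: fill in the fixed versions the
# React and Next.js teams published for React2Shell, one entry per release line.
DEMO_PATCHED = {"react": ((19, 0, 1),), "react-dom": ((19, 0, 1),), "next": ((15, 0, 1),)}

if __name__ == "__main__":
    for r in scan_tree(build_fixture(), DEMO_PATCHED):
        print("REVIEW" if r["server_side_react"] else "ok    ", r["name"], r["status"],
              "app_router=%s server_actions=%s" % (r["app_router"], r["server_actions"]))
```

Run it against the root of your source checkouts or a monorepo. Anything marked server_side_react is in scope for steps 2 to 4. Anything reported as unknown has no fix listed for its release line in the table you supplied and needs a manual check rather than being treated as safe. package.json gives declared ranges only; once past a first pass, read the resolved versions from the lock file (package-lock.json, pnpm-lock.yaml or yarn.lock) and from what is actually deployed, since a stale build can ship an older version than the manifest suggests.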
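For step 4, here is an added example of log triage for server-side React routes; it is not code from the post or from the Next.js project. It relies on two documented Next.js behaviours: Server Actions are invoked by a POST carrying a Next-Action header with the action's ID, and React Server Components payloads are fetched with an RSC header. The JSON-lines access log, the source addresses and the allowlist KNOWN_ACTIONS are all constructed for the example; the allowlist stands in for the action IDs your own build exports, and the burst threshold of three is an arbitrary demo value.

```python
import json
from collections import Counter

# Constructed sample access log in JSON lines, not real traffic. A reverse proxy
# or CDN configured to log request headers would produce fields like these.
SAMPLE_LOG = """\
{"ts":"2025-12-04T09:00:01Z","src":"203.0.113.7","method":"POST","path":"/cart","status":200,"headers":{"next-action":"a1b2c3"}}
{"ts":"2025-12-04T09:00:02Z","src":"198.51.100.9","method":"POST","path":"/cart","status":500,"headers":{"next-action":"ffffffff"}}
{"ts":"2025-12-04T09:00:02Z","src":"198.51.100.9","method":"POST","path":"/","status":500,"headers":{"next-action":"0"}}
{"ts":"2025-12-04T09:00:03Z","src":"198.51.100.9","method":"POST","path":"/login","status":500,"headers":{"next-action":"deadbeef"}}
{"ts":"2025-12-04T09:00:04Z","src":"192.0.2.5","method":"GET","path":"/products","status":200,"headers":{"rsc":"1"}}
{"ts":"2025-12-04T09:00:05Z","src":"203.0.113.7","method":"POST","path":"/checkout","status":200,"headers":{"next-action":"d4e5f6"}}
"""

# Assumption: the Server Action IDs your build actually exports. Next.js writes
# them to a server reference manifest under .next/server at build time; these
# two values are made up for the demo.
KNOWN_ACTIONS = {"a1b2c3", "d4e5f6"}


def triage(log_text, known_actions, burst_threshold=3):
    """Return (line_no, src, reason, detail) findings for RSC and Server Action traffic."""
    findings = []
    action_posts = Counter()  # Server Action POSTs per source address
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        rec = json.loads(line)
        headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
        action_id = headers.get("next-action")
        if action_id is None and "rsc" not in headers:
            continue  # ordinary page traffic, not a server-side React request
        src = rec["src"]
        if action_id is not None and rec["method"] == "POST":
            action_posts[src] += 1
            if action_id not in known_actions:
                findings.append((line_no, src, "unknown server action id", action_id))
        if rec["status"] >= 500:
            findings.append((line_no, src, "server error on RSC request", rec["path"]))
    for src, count in action_posts.items():
        if count >= burst_threshold:
            findings.append((0, src, "server action burst", "%d POSTs" % count))
    return findings


def suspicious_sources(findings):
    """Sources ranked by number of findings, for blocking or IR escalation."""
    return Counter(f[1] for f in findings).most_common()


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG, KNOWN_ACTIONS)
    for hit in hits:
        print("line %-3s %-15s %-28s %s" % hit)
    print("escalate:", suspicious_sources(hits))
```

It flags three things the step calls for: action IDs that no build of yours exports, RSC requests that ended in a 5xx, and a single source hammering Server Action routes. Expect some noise: clients still running a stale bundle after a deployment will post action IDs from the previous build, so one unknown ID from an established user is less interesting than a run of them with server errors from one address. Treat any hit that also matches the indicators in the vendor advisory as an incident and escalate through your incident response procedure.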
Business Leaders
Senior leaders do not need to manage the technical detail but should ensure there is clear ownership and risk treatment. Helpful questions may include:
- “Do we run any systems that use React on the server side, or Next.js with the App Router?”
- “Have we checked whether our key software vendors and platforms are affected?”
- “Can you provide a short summary of the systems reviewed, the findings, and the changes made?”
- “How is this recorded in our risk register?”
- “In the meantime, how will we detect suspicious activity, and what would our response be?”
Final Thoughts
React2Shell is a critical vulnerability, but it is also manageable if you respond quickly and systematically:
- Understand whether you are exposed,
- Patch or update affected systems,
- Add temporary protections where patching is delayed,
- Review logs and monitoring for signs of misuse,
- Make sure the work is documented as part of your normal security and risk processes.
For non-technical leaders, the key is not to learn every technical term, but to make sure someone in your organisation is accountable for this risk, has taken concrete action, and can explain it to you in clear language.
If you are unsure whether your organisation has been properly protected against React2Shell, ask for a short, written summary from your IT or cyber security team. That one action alone will often reveal whether this has been investigated and assessed, and whether any necessary treatment has begun.