Threat Intelligence

React2Shell: The Critical Web Vulnerability Affecting Millions of Sites (December 2025 Update)

Cybool Team

Cybersecurity & Compliance Team

December 11, 2025
4 min read

A new security flaw—nicknamed React2Shell—has become one of the most serious web vulnerabilities of the past few years. It affects React Server Components and Next.js, two of the most widely used technologies powering modern websites, SaaS platforms, customer portals, CRMs, and internal dashboards.

If your company uses React or Next.js, this update matters to you.

Why This Vulnerability Matters

Huge ecosystem impact:

• React used by 20M+ developers

• 3M+ production websites running Next.js

• ~45% of SaaS companies rely on these technologies

This makes the attack surface extremely large.

Unauthenticated Remote Code Execution (RCE):

Attackers can run commands on a server without logging in.

Active exploitation:

Millions of scans detected in early December; confirmed intrusions across multiple sectors.

What Actually Happened?

The flaw is in React Server Components (RSC). A weakness in how RSC processes data allows attackers to send a crafted request and trick the server into executing code. This impacts SaaS products, dashboards, internal tools, APIs, and customer-facing web apps.

Who Is Affected?

React (CVE-2025-55182): Any app running vulnerable React 19 RSC packages.

Next.js (CVE-2025-66478): Apps using the App Router on older versions.

Commercial Impact

• Exposure of customer data

• Business downtime and suspended services

• Reputational damage

• Possible regulatory issues (GDPR, NIS2, PCI, contracts)

Key Statistics

• 20M+ React developers

• 3M+ Next.js sites

• 45% of SaaS relies on React frameworks

• CVSS score 10/10

• Millions of exploit attempts within one week

• Confirmed compromises in multiple countries

What Companies Should Do

  1. Verify whether the product uses React Server Components or Next.js App Router.

  2. Apply the official patch immediately and redeploy.

  3. Review access logs for unusual activity.

  4. Rotate sensitive credentials.

  5. Brief internal teams.


Need help assessing your exposure or responding to this vulnerability? Contact Cybool's security team for immediate assistance.
