Saved February 14, 2026
Do you care about this?
The React2Shell vulnerability (CVE-2025-55182) allows remote attackers to execute arbitrary code on vulnerable React and Next.js servers, often without authentication. Immediate upgrades to fixed package versions are essential to mitigate the risks posed by this critical flaw.
If you do, here's more
CVE-2025-55182 and CVE-2025-66478, known as React2Shell, present significant vulnerabilities in React and Next.js applications. These flaws allow remote attackers to execute arbitrary code on servers that use React Server Function endpoints. Exploitation is alarmingly simple, with nearly a 100% success rate in default configurations. The vulnerabilities were first disclosed by React maintainers, and proof of concept (PoC) exploits have since been made public, increasing the likelihood of widespread attacks.
Vulnerable systems include any React server that exposes Server Function endpoints, as well as Next.js applications that use the App Router. Developers can locate candidate code by searching their applications for the "use server" directive, at the top of a module or inside a function body. Even applications that do not explicitly implement Server Functions may be at risk if they support React Server Components. The affected major versions, along with the fixed versions available for immediate upgrade, are listed in a table.
To mitigate these risks, JFrog recommends upgrading to the fixed package versions as soon as possible. If immediate upgrades aren't feasible, Next.js applications can switch to the Pages Router as a temporary measure. Enterprises should act quickly to secure their systems, focusing on package upgrades in the short term, disabling unnecessary features like App Router in the medium term, and implementing Web Application Firewall (WAF) rules for detection in the long run. The vulnerabilities have been actively exploited, with evidence of attacks surfacing just hours after their disclosure.
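The summary names two things a team can check on its own code base before the upgrade lands: where the "use server" directive appears (module-level or inside a function body) and whether a Next.js project uses the App Router. The following Node.js scanner is an added example, not code from JFrog or from the React or Next.js projects; it runs on a constructed in-memory map of path to source text so it works offline, and the App Router detection relies on the conventional app/ directory with layout, page or route files. It is a triage aid for finding candidates, not a proof that a project is safe; package upgrades remain the fix.

```javascript
// Added example (not from the JFrog article or the React/Next.js projects):
// locate React Server Function markers ("use server" directives) and Next.js
// App Router files in a project tree. Operates on a Map of path -> source so
// it runs offline; replace SAMPLE_PROJECT with fs reads for a real checkout.

// A directive is a statement consisting only of the string literal, with an
// optional trailing semicolon, in either quote style.
const DIRECTIVE_RE = /^\s*(['"])use server\1\s*;?\s*$/;

// App Router convention: layout/page/route files under app/ (or src/app/).
const APP_ROUTER_RE = /^(src\/)?app\/(.*\/)?(layout|page|route)\.(js|jsx|ts|tsx)$/;

// Classify the "use server" directives in one source file.
// Returns { fileLevel: boolean, functionLevel: number }.
// A directive before any other code marks the whole module; a later one is
// assumed to sit inside a function body. Comments are skipped so a mention
// in a comment does not count (heuristic: block comments that open mid-line
// after code are not tracked).
function findUseServerDirectives(source) {
  let fileLevel = false;
  let functionLevel = 0;
  let seenCode = false; // have we passed the first real (non-comment) line?
  let inBlockComment = false;

  for (const rawLine of source.split(/\r?\n/)) {
    let line = rawLine;
    if (inBlockComment) {
      const end = line.indexOf('*/');
      if (end === -1) continue;
      line = line.slice(end + 2);
      inBlockComment = false;
    }
    const trimmed = line.trim();
    if (trimmed === '' || trimmed.startsWith('//')) continue;
    if (trimmed.startsWith('/*')) {
      if (!trimmed.includes('*/')) inBlockComment = true;
      continue;
    }
    if (DIRECTIVE_RE.test(line)) {
      if (!seenCode) fileLevel = true;   // module-level directive
      else functionLevel += 1;           // directive inside a function body
    }
    seenCode = true;
  }
  return { fileLevel, functionLevel };
}

// Walk every file: collect Server Function candidates and note App Router use.
function scanProject(files) {
  const serverFunctionFiles = [];
  let usesAppRouter = false;
  for (const [path, source] of files) {
    if (APP_ROUTER_RE.test(path)) usesAppRouter = true;
    if (!/\.(js|jsx|ts|tsx|mjs)$/.test(path)) continue;
    const hits = findUseServerDirectives(source);
    if (hits.fileLevel || hits.functionLevel > 0) {
      serverFunctionFiles.push({ path, ...hits });
    }
  }
  return { serverFunctionFiles, usesAppRouter };
}

// Constructed sample project (hypothetical paths and sources, not real code).
const SAMPLE_PROJECT = new Map([
  ['app/layout.tsx', 'export default function Layout({ children }) { return children; }\n'],
  ['app/actions.ts', '"use server";\n\nexport async function save(data) { /* persist */ }\n'],
  ['app/page.tsx',
    "import { save } from './actions';\n" +
    'export default function Page() {\n' +
    '  async function inline() {\n' +
    "    'use server';\n" +
    '    return 1;\n' +
    '  }\n' +
    '  return null;\n' +
    '}\n'],
  ['lib/util.js', '// "use server" mentioned only in a comment\nexport const x = 1;\n'],
]);

const RESULT = scanProject(SAMPLE_PROJECT);
console.log(JSON.stringify(RESULT, null, 2));
```

On the sample, the scanner reports app/actions.ts as a module-level Server Function file, app/page.tsx as containing one inline Server Function, ignores the comment-only mention in lib/util.js, and flags App Router use because of app/layout.tsx and app/page.tsx. Treat every reported file as an endpoint to review and prioritise the package upgrade accordingly; a project that only uses the Pages Router gets usesAppRouter false, which matches the interim workaround the summary describes.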