6 min read | Saved February 14, 2026
The article dissects the misinformation surrounding the React2Shell vulnerability (CVE-2025-55182) and clarifies the actual security risks. It highlights how misleading elements in a large patch caused confusion among researchers, leading to incorrect proofs of concept and assumptions about exploitability.
React2Shell arrived amid considerable noise because the patch addressing CVE-2025-55182 was large: about 700 lines, mixing genuine fixes with unrelated changes that obscured the actual vulnerabilities. As researchers scrambled to analyze the patch, they often grasped at misleading clues, leading to incorrect assumptions and ineffective proof-of-concept (PoC) exploits. The article emphasizes the confusion the patch caused and clarifies the real technical issues.
Key misunderstandings included misinterpretations of the $F primitive and the loadServerReference code path. Researchers mistakenly thought these were avenues for exploitation when, in reality, they did not form a valid exploit path. Many early PoCs relied on mocked internal server behaviors rather than reflecting real application conditions, which is why they failed outside controlled environments. The article points out that the vulnerability activates much earlier in the request lifecycle than previously thought, specifically during React Server Component (RSC) request handling.
A real attack requires a multipart/form-data payload and specific Flight protocol operators, such as $@ and $B, which allow attackers to manipulate values through the RSC request parser. Importantly, any server processing RSC requests is vulnerable, regardless of whether it has defined Server Functions. Traditional server-side rendering setups that do not handle RSC requests remain unaffected. The article also warns against overreliance on AI tools in security research, noting that they can quickly lead teams into plausible but incorrect theories when dealing with complex systems.
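The summary ties a real attack to two observable traits: a multipart/form-data body and unescaped Flight reference operators such as $@ and $B reaching the RSC request parser. The following Python is an added triage heuristic written for this summary, not code from the article or from React, that parses a multipart body and flags form fields carrying those operators. It assumes the caller has already identified the request as an RSC request (the summary does not say how such requests are recognised), and it relies on the Flight convention that a literal string beginning with "$" is sent escaped as "$$", so an unescaped "$@" or "$B" at the start of a value or JSON string literal is not ordinary user data. The sample bodies are constructed for the example.

```python
import re

# Flight reference operators the summary names as part of a real attack payload.
# Assumption (Flight convention): a literal string starting with "$" is escaped
# as "$$", so an unescaped "$@" / "$B" at the start of a value, or at the start
# of a JSON string literal, is a reference operator rather than user text.
SUSPICIOUS_FLIGHT_REFS = ("$@", "$B")
_REF_PATTERN = re.compile(r'(?:^|")\$[@B]')


def parse_multipart(body: bytes, content_type: str) -> dict[str, bytes]:
    """Minimal multipart/form-data splitter: returns {field name: raw value}."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("multipart/form-data without a boundary parameter")
    delimiter = b"--" + m.group(1).encode()
    fields: dict[str, bytes] = {}
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter: no more parts
            break
        chunk = chunk.lstrip(b"\r\n")
        headers, _, value = chunk.partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]*)"', headers)
        if name is None:
            continue
        fields[name.group(1).decode()] = value.rstrip(b"\r\n")
    return fields


def flag_flight_references(content_type: str, body: bytes) -> list[str]:
    """Return the names of form fields whose value carries an unescaped $@ / $B reference.

    Assumes the request was already classified as an RSC request by the caller.
    """
    if not content_type.lower().startswith("multipart/form-data"):
        return []  # the summary ties the real attack to multipart bodies
    flagged = []
    for name, raw in parse_multipart(body, content_type).items():
        text = raw.decode("utf-8", errors="replace")
        if _REF_PATTERN.search(text):
            flagged.append(name)
    return flagged


def build_multipart(fields: dict[str, str], boundary: str = "xyz") -> bytes:
    """Construct a multipart/form-data body for the constructed samples below."""
    out = b""
    for name, value in fields.items():
        out += (
            f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'
        ).encode()
    return out + f"--{boundary}--\r\n".encode()


# Constructed samples (not taken from real traffic or from the article).
CT = "multipart/form-data; boundary=xyz"
BENIGN = build_multipart({"0": '["hello","$$B-is-a-plain-string"]'})  # escaped "$" only
SUSPECT = build_multipart({"0": '["$@1","x"]', "1": "$B2"})           # unescaped operators

if __name__ == "__main__":
    print("benign :", flag_flight_references(CT, BENIGN))   # []
    print("suspect:", flag_flight_references(CT, SUSPECT))  # ['0', '1']
```

A hit from this check is a reason to inspect the request and confirm the deployed React version, not a verdict: the only remediation the summary supports is applying the patch, and servers that never handle RSC requests are out of scope regardless of what the body contains.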