Saved February 14, 2026
Do you care about this?
A serious vulnerability in React, identified as CVE-2025-55182, allows remote code execution by unauthenticated attackers. It affects multiple versions of React and related frameworks like Next.js, prompting security firms to issue patches and warnings of imminent exploitation.
If you do, here's more
A critical vulnerability in React, identified as CVE-2025-55182, has raised alarms in the cybersecurity community. The flaw allows remote, unauthenticated attackers to execute code. It affects several versions of React, specifically 19.0, 19.1.0, 19.1.1, and 19.2.0, and has been given a high CVSS score of 10. Patches were released shortly after the vulnerability was disclosed on December 3, 2025. React, widely used for building user interfaces, powers millions of websites, including those of major companies like Airbnb and Netflix.
The vulnerability, dubbed React2Shell, relates to how React processes data sent to its Server Function endpoints. Even applications not using these endpoints might still be at risk if they support React Server Components. While there haven't been reports of actual exploitation at the time of writing, proof-of-concept exploits have surfaced, and the flaw is being added to security scanners. Experts anticipate that exploitation attempts will soon follow.
Frameworks built on React, like Next.js, are also vulnerable. Vercel, the developer of Next.js, attempted to create a separate CVE identifier but was told it was a duplicate of CVE-2025-55182. Cloud security firm Wiz estimated that 39% of cloud environments contain vulnerable React instances. Major companies, including AWS, Google Cloud, and Cloudflare, have implemented measures to block potential attacks. Meanwhile, various security firms are working on tools to help organizations identify and protect against this vulnerability.
Just days after the vulnerability was disclosed, reports emerged of Chinese hackers exploiting React2Shell. As the situation unfolds, the industry is closely monitoring this critical vulnerability, with many expecting widespread attempts to exploit it in the near future.