Two China-linked threat actors have already begun exploiting a newly disclosed vulnerability in React Server Components (RSC), just hours after technical details became public. The flaw, known as React2Shell and tracked as CVE-2026-55182, allows attackers to execute arbitrary code on vulnerable servers without needing any login credentials.
What Is React2Shell (CVE-2026-55182)?
React2Shell is a remote code execution (RCE) vulnerability affecting certain versions of React that use Server Components. In practice, this means an attacker can send specially crafted requests to a vulnerable server and make it run commands of their choice.
The React team has released patched versions that address the issue. If you are running React versions earlier than the fixed releases (such as 19.0.1, 19.1.2, or 19.2.1 and newer), you should assume you are at risk and update immediately.
Why This Vulnerability Is So Dangerous
- React is everywhere: It is one of the most widely used JavaScript libraries
- Server-side impact: The bug affects server components
- No authentication needed: Can be exploited without valid credentials
- Fast weaponization: Threat actors started exploiting it within hours
How to Protect Your Applications
1. Patch React - Upgrade to a patched version (19.0.1, 19.1.2, 19.2.1 or later)
2. Audit Your Infrastructure - Identify all applications using React Server Components
3. Monitor for Suspicious Activity - Review logs for unusual commands





































































































































































































































