
"A vulnerability in the ubiquitous logging software Log4j caused immediate turmoil when it was revealed at the end of 2021. Detecting it proved easier said than done in the months and years that followed, resulting in millions of attempts to exploit it and software that remains unpatched. At the end of 2025, React2Shell emerged, another serious cyber threat that could have a major impact. What do we know so far, and is this a full-fledged successor to Log4Shell?"
"CVE-2025-55182 is the current vulnerability in React Server Components (RSC), specifically versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. Based on the CVSS score, its severity is equal to Log4Shell: 10.0, the maximum score. That score is more common than you would expect for a maximum and is virtually a given due to the remote code execution capabilities that hackers have after exploitation. The payload here is a targeted HTTP request to a React/Next.js server endpoint for RSC."
"It is now known that more than 30 companies in various sectors have fallen victim to React2Shell, just five days after it became known. Chinese state actors in particular struck within hours, AWS reported the day after the announcement. The hyperscaler quickly identified them thanks to honeytokens (fake credentials created to monitor attacks) and the firewall rules that were already in place. Nevertheless, many attackers and victims could follow - assuming they do not patch or do not patch in time."
React2Shell (CVE-2025-55182) affects React Server Components (RSC) in versions 19.0.0, 19.1.0, 19.1.1 and 19.2.0 and allows remote code execution via a crafted HTTP request to a React/Next.js RSC server endpoint. It carries a CVSS score of 10.0, the same maximum as Log4Shell. Exploitation began quickly: more than 30 companies were compromised within five days of disclosure, and AWS reported Chinese state actors striking within hours; AWS spotted them through honeytokens (planted fake credentials) and firewall rules that were already in place. Wiz reports wide exposure: 39% of cloud environments run a vulnerable instance and 69% include Next.js. The practical takeaways are to inventory every deployment that exposes an RSC endpoint, move off the four listed versions, and, as with Log4Shell, expect attempts to continue long after the patch is available.
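As an added example (not code from the Techzine article, AWS, Wiz or the React project), the Node script below walks a package-lock.json and flags any installed React Server Components package whose version is one of the four affected releases named above. It assumes the lockfile v2/v3 layout, where installed packages appear under `packages` with keys such as `node_modules/react-server-dom-webpack`, and it assumes the RSC server-side code ships in the `react-server-dom-*` packages; the lockfile fragment is constructed for the demo. The match is exact against the four listed versions, so any other version still has to be checked against the vendor advisory rather than treated as safe by this script.

```javascript
// Added example: audit a package-lock.json for the React Server Components
// releases the article names as affected by CVE-2025-55182 (React2Shell).
// Not the React project's tooling; assumes lockfileVersion 2 or 3 layout.
const AFFECTED_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);

// Assumption for the demo: the RSC server code lives in react-server-dom-* packages.
const RSC_PACKAGE_PATTERN = /^react-server-dom-[a-z]+$/;

// "node_modules/a/node_modules/b" -> "b"; scoped names keep their scope.
function packageNameFromLockKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Returns every installed RSC package (including nested copies) whose
// version is in the affected set.
function findVulnerableRsc(lock) {
  const hits = [];
  if (!lock || typeof lock.packages !== "object" || lock.packages === null) return hits;
  for (const [key, meta] of Object.entries(lock.packages)) {
    if (key === "") continue; // root project entry, not a dependency
    const name = packageNameFromLockKey(key);
    if (!RSC_PACKAGE_PATTERN.test(name)) continue;
    if (meta && AFFECTED_VERSIONS.has(meta.version)) {
      hits.push({ path: key, name, version: meta.version });
    }
  }
  return hits;
}

// Read and audit a real lockfile from disk (fs is loaded lazily so the
// demo data below can be exercised without touching the filesystem).
function auditLockfile(path) {
  const fs = require("fs");
  return findVulnerableRsc(JSON.parse(fs.readFileSync(path, "utf8")));
}

// Constructed lockfile fragment: one vulnerable top-level RSC package,
// one older RSC package that does not match, and one vulnerable nested copy.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/react-server-dom-turbopack": { version: "18.3.1" },
    "node_modules/some-lib/node_modules/react-server-dom-parcel": { version: "19.1.1" },
  },
};

const demoHits = findVulnerableRsc(SAMPLE_LOCK);
for (const hit of demoHits) {
  console.log(`VULNERABLE ${hit.name}@${hit.version} at ${hit.path}`);
}
if (demoHits.length === 0) console.log("no affected RSC versions found");
```

Run it against a real tree with `auditLockfile("./package-lock.json")`; nested copies matter because a transitive dependency can pin an affected release even when the top-level `react-server-dom-*` package has been upgraded.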
Read at Techzine Global