A new, highly dangerous bug called React2Shell was discovered in December 2025. This bug is in a popular tool (React Server Components) used by millions of websites and applications worldwide.
As soon as it became public, hacking groups quickly began trying to break into vulnerable systems to steal data and install malware.
What’s Happening?
Who is Attacking?
Hackers aren’t just scanning. They are successfully breaking in. Once inside, they are installing dangerous software like:
- Cryptocurrency miners that steal computing power.
- Stealthy backdoors that let them secretly control the server later.
- Tools to steal sensitive information like passwords and cloud credentials.
Understanding the Scale and Threat
React is used by an estimated two-fifths of the world’s top 10,000 websites and a vast number of enterprise applications. The Shadowserver scan confirms tens of thousands of vulnerable servers, indicating many organisations may be at risk without knowing it.
Multiple major cybersecurity firms (Amazon, Trend Micro, Datadog) report widespread scanning and active exploitation by various threat groups.
What You Can Do (If You Manage a Website)
If you or your company runs a website or app built with React or Next.js, the action is very clear:
1. Patch Immediately: If you use React (version 19.x) or Next.js (15.x/16.x with App Router), update to the patched versions immediately (e.g., React 19.2.1, Next.js 16.0.7). This is the only permanent fix.
2. Review Logs for Indicators of Compromise (IOCs): Check for suspicious activity in your application and server logs from early December 2025 onward. Look for:
a. HTTP POST requests containing next-action or rsc-action-id headers.
b. Requests with payloads containing patterns like "$@" or "status":"resolved_model".
c. Unexpected server commands like whoami, id, or attempts to read /etc/passwd.
3. Consider Additional Protections: Whilst not a substitute for patching, ensure your Web Application Firewall (WAF) has the latest rules to block these exploit attempts.
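The log review in step 2 can be scripted. The following is an added example, not code from the original article or from the React or Next.js projects; it assumes a hypothetical log format of one JSON object per line with "ts", "method", "headers" and "body" fields, and the sample entries are constructed.

```python
import json

# Indicators from the checklist above. The log schema (one JSON object per
# line with "ts", "method", "headers", "body") is an assumption.
ACTION_HEADERS = {"next-action", "rsc-action-id"}
PAYLOAD_MARKERS = ("$@", '"status":"resolved_model"')
# Bare "id" is left out: as a substring it matches ordinary JSON keys.
COMMAND_MARKERS = ("whoami", "/etc/passwd")


def scan_entry(entry):
    """Return the names of the indicators matched by one parsed log entry."""
    hits = []
    headers = {str(k).lower() for k in (entry.get("headers") or {})}
    if str(entry.get("method", "")).upper() == "POST" and headers & ACTION_HEADERS:
        hits.append("action-header")
    # Drop whitespace so '"status": "resolved_model"' matches as well.
    body = "".join(str(entry.get("body") or "").split())
    if any(m in body for m in PAYLOAD_MARKERS):
        hits.append("payload-marker")
    if any(m in body for m in COMMAND_MARKERS):
        hits.append("command-string")
    return hits


def scan_log(lines):
    """Return (line_number, timestamp, hits) for each entry with a match."""
    findings = []
    for number, line in enumerate(lines, 1):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line: nothing to inspect
        if isinstance(entry, dict) and (hits := scan_entry(entry)):
            findings.append((number, entry.get("ts"), hits))
    return findings


# Constructed sample entries, not real traffic.
SAMPLE = [json.dumps(e) for e in (
    {"ts": "2025-12-05T10:00:01Z", "method": "GET", "headers": {"Accept": "*/*"}, "body": ""},
    {"ts": "2025-12-05T10:00:02Z", "method": "POST", "headers": {"Next-Action": "a1"}, "body": '["hello"]'},
    {"ts": "2025-12-05T10:00:03Z", "method": "POST", "headers": {"Next-Action": "a1"},
     "body": '{"status": "resolved_model", "ref": "$@"}'},
    {"ts": "2025-12-05T10:00:04Z", "method": "POST", "headers": {"rsc-action-id": "a1"}, "body": "whoami"},
)] + ["{truncated"]

if __name__ == "__main__":
    for number, ts, hits in scan_log(SAMPLE):
        print(number, ts, ",".join(hits))
```

An action-header hit on its own can also come from ordinary application traffic, so prioritise entries where it appears together with a payload marker or command string.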
Get a Proactive Security Review From Legend Digitech
Our expert cybersecurity specialists can help you:
- Conduct an urgent vulnerability audit to identify any instances of vulnerable React 19 or Next.js 15/16 deployments in your environment.
- Analyse system logs for IOCs to determine if your systems have already been scanned or compromised.
- Implement a verified patching strategy to ensure your updates are complete and effective, closing the door on this critical threat.
- Strengthen defensive posture by reviewing configurations and applying additional security layers to protect against similar future vulnerabilities.
Contact Legend DigiTech today to secure your digital infrastructure against the React2Shell attack.





