Try out Genspark’s all-in-one AI workspace for free - https://www.genspark.ai/?utm_source=yt&utm_campaign=fireship

The JavaScript world just got rocked by a 10.0 critical vulnerability called React2Shell (a.k.a. CVE-2025-55182). Let's find out how this React exploit actually works...

#Coding #programming #javascript #react  

💬 Chat with Me on Discord

https://discord.gg/fireship

🔗 Resources
- https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r

🔥 Get More Content - Upgrade to PRO

Upgrade at https://fireship.io/pro
Use code YT25 for 25% off PRO access 

🎨 My Editor Settings

- Atom One Dark 
- vscode-icons
- Fira Code Font

🔖 Topics Covered

- What is React2Shell?
- CVE-2025-55182 explained
- React Flight
- Which React devs are affected?
- What should you do?

Fireship is a YouTube channel created by Jeff Delaney that offers quick tutorials and explanations on web development, programming, and tech trends. Known for the “100 Seconds of Code” and “The Code Report” series, the channel breaks down complex topics in a short, engaging format, covering everything from JavaScript frameworks to emerging technologies.

Fireship

A critical 10.0 severity vulnerability (CVE-2025-55182) dubbed "React2shell" has been discovered in React's server components flight protocol. The exploit allows attackers to achieve remote code execution without authentication by sending malicious payloads that are deserialized on the server. The vulnerability affects millions of React applications using Next.js and similar frameworks, with over 2 million vulnerable servers estimated. Security researchers observed active exploitation attempts from Chinese hacking groups within hours of disclosure. Developers should immediately check their React server components package versions and update to patched versions.

React.js shell shocked by 10.0 critical vulnerability…

Good I never cared about server components… and good I don’t work for places which uses such things. not fun at all.

The problem is NOT in React. The problem is in server components, especially in NextJS. Y’all stop hating on React and direct that venom where it belongs - at NextJS. :-)

Just remove server components already. It’s not what anyone wants or asked for.