Critical security vulnerabilities have been found in quick succession in React, widely used for website development. The core flaw, React2shell, is classified as a major security vulnerability capable of disabling tens of millions of web servers worldwide at once. Korea's security industry is moving preemptively to prevent the spread of damage.

React is a tool created by Meta for website development that helps implement complex web services more efficiently. Meta first applied it to its own services in 2011 and released it as open source in 2013, and it is now so widely used worldwide that it is considered an essential skill for frontend developers. It is used by Facebook and Instagram, by Airbnb, Netflix, Discord and Twitter overseas, and by many Korean companies including Toss, Coupang and Kakao Pay.

Illustration: ChatGPT / Courtesy of ChatGPT

◇ React2shell records a perfect 10 on CVSS, a major security flaw

As of the 20th, according to the security industry, security vulnerabilities related to React are being discovered one after another. The first identified, React2shell (CVE-2025-55182), is a core React vulnerability. It targets a structural defect in the handling of the Flight protocol, which carries rendered component data between the server and the web browser when the React Server Components (RSC) feature is used. An attacker can craft data that appears to be a legitimate request and send it to the server; if the server fails to distinguish it from genuine traffic, the attacker can execute arbitrary commands on the server. In that case, the attacker could seize control of the server itself, not just the service screen. React2shell is also known to affect other React-based frameworks such as Next.js.

The vulnerability is critical, as it recorded a CVSS maximum score of 10. CVSS is an international standard that rates the severity of software security vulnerabilities on a scale from 0.0 to 10.0; the higher the score, the greater the likelihood of exploitation and impact. A CVSS 10.0 means an attack can be carried out over a network without special privileges, and, if exploited, can have severe effects on confidentiality, integrity and availability—the highest risk level. The industry views this flaw as a threat comparable to the Log4j crisis that shook the global IT industry in 2021. Log4j also recorded a CVSS score of 10.

Additional React-related vulnerabilities have been discovered following React2shell. According to the global security outlet The Hacker News, the React community disclosed two new React-related vulnerabilities on the 11th. CVE-2025-55183 is a flaw in which an attacker can send a crafted HTTP request that makes the application transmit its source code. CVE-2025-55184 is a vulnerability in which a manipulated request can cause a denial-of-service (DoS) condition that paralyzes the server. Unlike React2shell, the new flaws do not allow remote code execution, but they can be exploited to take servers down with a short piece of exploit code or to steal sensitive information contained in the source code.

The problem is that React and Next.js are used in tens of millions of web services worldwide. Because React is a core tool of global web services, there are concerns that if these vulnerabilities are exploited, the shock could spread across the entire web ecosystem rather than being limited to a single corporation or service. Actual attack activity is also emerging quickly. Within just a few hours of disclosure, signs were detected that Earth Lamia and Jackpot Panda, classified as China state-backed hacker groups, had conducted large-scale scanning and intrusion attempts exploiting React2shell. This indicates that attackers are indiscriminately scanning servers worldwide to find opportunities to strike.

(From left) Enki Whitehat React to Shell vulnerability scanner, Theori Inc. ReactGuard. / Courtesy of each company

◇ Korea's security industry moves preemptively, urges "apply the latest patches"

Korea's security industry is taking preemptive action to prevent the spread of damage. The Korea Internet & Security Agency (KISA) on the 5th urged applying the latest patches through its React Server Components security update advisory. KISA then released a list of attack IPs on the 8th via KISA C-TAS, obtained using domestic intelligence and KISA's internal detection systems. It asked that any ransomware infections or data leaks be reported as security incidents without delay.
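The advisory's core instruction is "apply the latest patches", and the first thing an operator needs is a way to see which React Server Components runtime packages a project actually ships and whether they are below the fixed release. The following script is an added example for this article, not code from React, KISA, Theori, PIOLINK or any other party named here. It assumes that the RSC runtime packages to audit are `react-server-dom-webpack`, `react-server-dom-parcel` and `react-server-dom-turbopack` (an assumption about a typical React/Next.js build, not something the article states), and the fixed-version thresholds in `PLACEHOLDER_FIXED` are deliberately impossible placeholders that must be replaced with the values from the React advisory for CVE-2025-55182, CVE-2025-55183 and CVE-2025-55184. It reads npm lockfiles in the v1 (nested `dependencies`) and v2/v3 (flat `packages`) layouts, including nested copies under `node_modules/next/node_modules/...`, which a plain `package.json` check would miss.

```python
"""Audit an npm lockfile for React Server Components runtime packages that are
below a fixed release. Added example for this article; not code from React,
KISA, Theori, PIOLINK or any other party named in the text."""
import json
import re
from typing import Dict, Iterator, List, Tuple

# Assumption: these are the RSC runtime packages a React/Next.js build pulls in.
# The fixed versions are PLACEHOLDERS: patch level 99 never exists, so every
# installed 19.x build is reported vulnerable until you replace these with the
# fixed releases listed in the React advisory for CVE-2025-55182/-55183/-55184.
PLACEHOLDER_FIXED: Dict[str, List[str]] = {
    "react-server-dom-webpack": ["19.0.99", "19.1.99", "19.2.99"],
    "react-server-dom-parcel": ["19.0.99", "19.1.99", "19.2.99"],
    "react-server-dom-turbopack": ["19.0.99", "19.1.99", "19.2.99"],
}

_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Return a sortable key; a pre-release (19.2.0-canary...) sorts below 19.2.0."""
    m = _SEMVER.match(text.strip())
    if not m:
        raise ValueError(f"not a semver string: {text!r}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), 0 if pre else 1


def installed_packages(lock: dict) -> Iterator[Tuple[str, str, str]]:
    """Yield (path, name, version) for every entry in a lockfile v1, v2 or v3."""
    packages = lock.get("packages")
    if packages is not None:  # lockfileVersion 2 or 3: flat map keyed by path
        for path, meta in packages.items():
            if not path or "version" not in meta:
                continue  # "" is the project root; workspace links carry no version
            yield path, path.rsplit("node_modules/", 1)[-1], meta["version"]
        return

    def walk(deps: dict, prefix: str) -> Iterator[Tuple[str, str, str]]:
        # lockfileVersion 1: nested "dependencies" maps, one level per node_modules
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if "version" in meta:
                yield path, name, meta["version"]
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def audit(lock: dict, fixed: Dict[str, List[str]] = PLACEHOLDER_FIXED) -> List[dict]:
    """Classify each installed copy of an audited package.

    vulnerable: same major.minor as a fixed release and older than it
    patched:    same major.minor and at or above the fixed release
    review:     a release line the fixed list does not cover (check manually)
    """
    findings = []
    for path, name, version in installed_packages(lock):
        if name not in fixed:
            continue
        inst = parse_version(version)
        same_line = [parse_version(f) for f in fixed[name] if parse_version(f)[:2] == inst[:2]]
        if not same_line:
            status = "review"
        elif inst < min(same_line):
            status = "vulnerable"
        else:
            status = "patched"
        findings.append({"path": path, "package": name, "version": version, "status": status})
    return findings


def audit_file(lock_path: str, fixed: Dict[str, List[str]] = PLACEHOLDER_FIXED) -> List[dict]:
    """Convenience wrapper: audit a package-lock.json on disk."""
    with open(lock_path, encoding="utf-8") as fh:
        return audit(json.load(fh), fixed)


# Constructed lockfile fragment for a stand-alone run (not from any real project).
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/next/node_modules/react-server-dom-turbopack": {"version": "19.1.0"},
    },
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOCK):
        print(f"{finding['status']:10} {finding['package']}@{finding['version']}  ({finding['path']})")
```

The default thresholds fail closed: with the placeholder patch level 99 every 19.x copy is reported as vulnerable, so the script cannot silently declare a project safe before the real advisory values are filled in. A release line missing from the fixed list is reported as "review" rather than "patched" for the same reason. Nested copies are reported by their full lockfile path, because a patched top-level package can coexist with an older copy bundled under a framework dependency.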

Domestic security companies are distributing emergency patch versions or free diagnostic services. Theori Inc. released ReactGuard, a diagnostic tool that checks whether a web server is exposed to the React2shell vulnerability. The tool automatically inspects whether a server is vulnerable by simply entering the website address. It enhances safety by requiring no installation and adopting a non-destructive diagnostic method that does not change internal server operations. A dedicated solution is also provided for corporations that need diagnostics in internal networks not exposed externally.

PIOLINK on the 5th urgently distributed dedicated detection and blocking signatures for its WEBFRONT-K web application firewall. By applying WEBFRONT-K's emergency signatures, PIOLINK provides real-time defense functions such as detecting abnormal RSC requests and blocking malicious payloads, enabling immediate protection even before customers apply patches. PIOLINK's Cyber Threat Analysis Team also distributed an inspection script that allows customers to quickly confirm the impact of the vulnerability.

A security industry official said, "As web development environments rapidly shift to open source, the structure has become such that a single vulnerability can severely damage web services across the board," and added, "React2shell is not a simple, isolated flaw; it calls on service operators worldwide to conduct security reviews of their entire development and operations stack."

※ This article has been translated by AI.