The React ecosystem is currently dealing with a security incident that escalated way faster than anyone wanted. Multiple vulnerabilities tied to React Server Components, especially the critical remote code execution bug known as React2Shell, moved from disclosure to active exploitation in record time. This is not a theoretical risk or a proof-of-concept living quietly on GitHub. Real servers running real production apps are getting hit, scanned, and compromised at scale.

What Actually Broke

At the core of the problem is how React Server Components handle server actions and deserialize incoming requests through the RSC Flight protocol. In vulnerable versions, an attacker can craft a malicious HTTP payload that tricks the server into executing arbitrary JavaScript. No authentication, no user interaction, no warning signs. If the endpoint exists and is reachable, that is enough. From the server’s perspective, it is just politely executing what it thinks is a valid request. From the attacker’s perspective, it is a free shell.

How Attackers Are Finding Targets

Once details of the vulnerability became public, automated scanning ramped up almost immediately. Attackers deployed bots that sweep IP ranges and cloud providers, probing for exposed RSC endpoints and server action routes. These scanners are optimized for speed, not stealth. They send malformed payloads, watch for specific response patterns, and confirm execution within seconds. If a server responds the “right” way, exploitation follows immediately. There is no human in the loop here. It is industrialized.

What Happens After Exploitation

The first payload is usually small and boring. Attackers tend to start with cryptominers because they are easy money and low effort. After that, things get more creative. Backdoors are dropped to maintain persistent access, often disguised as normal Node processes. From there, attackers enumerate the environment, harvesting secrets from environment variables, configuration files, and runtime memory. API keys, database credentials, cloud tokens, anything the app can access becomes fair game.

Lateral Movement and Deeper Damage

Once attackers have credentials, they rarely stop at the React server itself. Compromised servers are used as launchpads to access internal services, private APIs, and cloud resources. Some incidents show attackers moving laterally into databases and object storage, quietly exfiltrating data. Others indicate staging behavior, where ransomware binaries are uploaded but not executed immediately. That strongly suggests this vulnerability is being used as an initial access vector, not the final punch.

Denial-of-Service as a Bonus Feature

Not every attacker goes for full remote code execution. Some abuse related RSC flaws to trigger denial-of-service conditions instead. By crafting requests that force expensive server-side rendering or recursive processing, attackers can drive CPU and memory usage through the roof with minimal traffic. The server stays technically “up,” but functionally useless. From the outside, it just looks slow and unstable, which is sometimes worse than being fully down.

Source Code Exposure and Reconnaissance

Additional vulnerabilities allow partial source code exposure through malformed RSC requests. While these leaks may seem limited, they are extremely useful to attackers. Leaked component structures, module paths, and internal logic help fine-tune exploits and reduce noisy trial-and-error attempts. In practice, this turns exploitation from guesswork into something much more precise and reliable.

Why This Is So Widespread

React Server Components are often enabled by default in modern frameworks like Next.js. Developers expose server actions assuming the framework handles security correctly, and most deployments sit behind generic proxies without deep request inspection. That combination is perfect for attackers. Defaults are predictable, exposure is broad, and the attack surface is modern enough that many teams did not think to harden it yet.

What Needs to Happen Now

The only real solution is patching. Updated React releases fix the unsafe deserialization paths and harden server action handling. Framework updates pull those fixes in, but only if they are actually applied. Temporary mitigations like WAF rules, endpoint restrictions, and disabling unused server actions can reduce risk, but they do not eliminate it. If the vulnerable code is running, it will eventually be reached.

The Bigger Lesson

This incident is less about React being bad and more about what happens when frontend frameworks grow backend responsibilities. Server-side JavaScript is powerful, fast to adopt, and very unforgiving when security assumptions break. React2Shell is the cost of that power. If your app runs React on the server, assume it has been scanned already, patch aggressively, rotate secrets where necessary, and stop trusting defaults to save you. Attackers definitely did not.