CVE-2025-55182 and CVE-2025-66478 (“React2Shell”) – All you need to know
December 05, 2025
JFrog continues to track and provide updates on React2Shell at research.jfrog.com.

What happened

A critical React vulnerability, CVE-2025-55182 (and the corresponding CVE-2025-66478 in Next.js), was published by the React maintainers. The original researcher named the vulnerability “React2Shell” because it leads to arbitrary code execution by remote (possibly unauthenticated) attackers. A remote attacker could craft a …