Joy, React2Shell Is a 10/10 RCE Vulnerability Found On Over A Third Of Cloud Environments


Patch Even If You Haven’t Enabled React Server Components

React2Shell (tracked as CVE-2025-55182) is a newly disclosed vulnerability, and by the researchers' count around 40% of cloud environments and 6% of websites are exposed to it.  It abuses a flaw in React Server Components, and even if your app never uses those components, merely running a stack that is compatible with them is enough to be vulnerable.  It rates a perfect 10 because a single HTTP request is all it takes to trigger it, with “near-100% reliability” of successful exploitation.  Exploitation here means remote code execution on the server; the researchers have not yet published the exploit details or what the payload can do, because too few systems have been patched.

This isn’t just small private cloud environments that are vulnerable: “Meta’s Facebook and Instagram, Netflix, Airbnb, Shopify, Hello Fresh, Walmart, and Asana rely on it”, along with hordes of developer environments.  Check your installed version against the list at Bleeping Computer to make sure you are patched, and hope that the large companies can patch quickly without breaking things.
