What is “React2Shell” (CVE-2025-55182) – in Plain English – and Why Check Point CloudGuard WAF Customers Carried on with Their Day
Note: Before we dive in, Check Point CloudGuard WAF customers were proactively protected and not affected by React2Shell.
In early December 2025, the team behind React—the most widely used technology powering today’s websites and digital services—announced a critical security flaw in one of its new server features. Researchers call this bug React2Shell, and it’s rated CVSS 10.0 — the highest severity! It’s rated critical because it can let a stranger run code on your server without needing to log in or do anything. They only need to send a special request.
No password.
No account.
No user interaction.
Just a single malicious request.
Here’s how it works (in everyday terms):
- Normally, when a browser asks a React-based site for something, React packages the request, sends it to the server, and the server decodes and processes it.
- With this bug, that decoding process is broken: if someone sends a specially crafted malicious request, the server might decode it in a way that lets the attacker inject and run arbitrary code, giving them full control of the server.
- And crucially: this can happen without any login or interaction from a real user.
In other words: a website using React Server Components — even with no extra “server function” features — may be accidentally exposing its backend to takeover if it hasn’t patched this.
Why This Matters for Customer Experience and Business Operations
To put this into real-world terms:
Imagine a customer-facing web application—say, a platform that processes enrollment, handles travel reservations, manages insurance claims, books patient appointments, or provides digital banking services. These platforms often run on frameworks built with React.
With React2Shell, an attacker can:
- Gain full access to the application server
- Intercept customer data being submitted
- Inject fake transactions, alter records, or shut services down
- Steal sensitive information such as personal data, account details, or internal business logic
- Use the compromised server to move deeper into the company’s environment
In short: a customer-facing experience you rely on for revenue, brand trust, and daily operations could be silently taken over.
This is not a theoretical risk—React sits at the center of modern digital customer journeys across every industry. When the foundation has a flaw, the business impact cascades.
Who is Impacted
Any web application built with React (version 19.x) — or a framework that relies on React’s Server Components — is potentially vulnerable. Key affected pieces include:
- React 19 with server-side functionality
- Next.js 15.x or 16.x (widely adopted for modern digital platforms)
- Other emerging frameworks that rely on React Server Components
If your app only uses React on the client side (i.e. runs entirely in the browser), or doesn’t use any of the RSC-enabled tooling/bundlers, you are not affected.
Why It’s A Big Deal — Real-World Impact
- The vulnerability is “zero-click”: no user action, no credentials needed. Attackers just need to send one crafted HTTP request. That makes it very easy to automate and scale.
- Many sites and cloud applications are built with React + Next.js (or similar frameworks). That means a large fraction of modern web apps could be vulnerable by default — even if developers didn’t explicitly opt into “server functions.”
- Security teams around the world have warned this is a top-priority “patch-now” issue.
Because of all that, the release of this vulnerability triggered a rush among infrastructure and web-security providers to protect apps — whether or not developers have already patched them.
What You Should Do Right Now (If You Maintain React Apps)
- Check whether you’re vulnerable (Spoiler Alert: CloudGuard WAF customers are already protected)
  Work with IT and application teams to confirm whether any customer-facing applications use the vulnerable components.
- Patch immediately if you are vulnerable
  Patches are available and should be applied as a priority.
- Harden your perimeter during rollout
  Even well-resourced teams cannot patch instantly. This is when external protections, such as a WAF, matter most.
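For the first step above, one way to inventory an application is to scan its package-lock.json for the versions listed under “Who is Impacted”. This is an added example, not code from the original post or from React or Check Point; the react-server-dom-* package names are an assumption not taken from the page, the sample lockfile is constructed, and a match means “review this app”, not “confirmed exploitable”.

```javascript
// Added example: inventory check, not proof of exploitability.
// Majors from the page's affected list: React 19.x, Next.js 15.x or 16.x.
const PAGE_CRITERIA = new Map([["react", [19]], ["next", [15, 16]]]);

// Assumption (not from the page): npm names of React's RSC bundler packages.
const RSC_PACKAGES = ["react-server-dom-webpack", "react-server-dom-parcel",
  "react-server-dom-turbopack"];

// "node_modules/a/node_modules/react" -> "react"; scoped names stay intact.
function packageName(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Takes a parsed package-lock.json (lockfileVersion 2 or 3) and reports
// matching direct and transitive installs.
function findExposure(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path || !meta.version) continue; // "" is the root project entry
    const name = packageName(path);
    const major = parseInt(meta.version, 10);
    if (RSC_PACKAGES.includes(name)) {
      findings.push({ name, version: meta.version, path, reason: "RSC package" });
    } else if ((PAGE_CRITERIA.get(name) || []).includes(major)) {
      findings.push({ name, version: meta.version, path, reason: `${name} ${major}.x` });
    }
  }
  // The page says client-only React is not affected, so server-side use is
  // signalled only when Next.js or an RSC package is installed as well.
  const serverSide = findings.some((f) => f.name !== "react");
  return { serverSide, findings };
}

// Constructed sample lockfile (not real project data).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "storefront", version: "1.0.0" },
    "node_modules/react": { version: "19.1.0" },
    "node_modules/next": { version: "15.3.2" },
    "node_modules/legacy-widget/node_modules/react": { version: "18.3.1" },
    "node_modules/@scope/ui": { version: "19.0.0" },
  },
};

// Real use: findExposure(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))
console.log(JSON.stringify(findExposure(SAMPLE_LOCK), null, 2));
```

Run it against every deployed service's lockfile rather than only the top-level package.json, since the affected packages are often pulled in transitively.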
But Not All WAF Solutions Are the Same: This Is Why Prevention-First Security Matters
On December 5, 2025, Cloudflare rolled out an emergency mitigation to respond to the widespread critical vulnerability. However, in doing so, a change in how Cloudflare’s Web Application Firewall parsed requests caused unintended disruption. This misconfiguration triggered a global outage: many sites went down with 500 Internal Server Errors. Cloudflare later clarified that the outage wasn’t due to an external attack but was triggered by the emergency patch itself for React2Shell.
This underscores a broader point: when a framework-level vulnerability is as severe and widespread as React2Shell, it doesn’t just affect individual apps; it can cause ripple effects across internet infrastructure. Broad patch adoption, robust defense-in-depth (like WAF), and careful rollout processes become essential.
That is why Check Point stresses having a prevention-first approach to security. While many organizations scrambled to patch and some infrastructure providers experienced disruptions, customers using Check Point CloudGuard WAF were not impacted by React2Shell exploit attempts.
This is because:
- The engine performs full decoding of complex HTTP bodies.
- It detects abnormal request patterns associated with deserialization and RCE.
- It blocks malicious payloads automatically—even before any CVE-specific rule exists.
During internal testing, the WAF successfully blocked public React2Shell proof-of-concept exploits out-of-the-box, without requiring emergency updates or signatures.
For customers, that meant:
✔ No downtime
✔ No emergency rule tuning
✔ No exposure window while patches were still being rolled out
CloudGuard WAF delivered automatic, preemptive protection, ensuring users stayed safe throughout the React2Shell incident without requiring any manual intervention. To further enhance this, Check Point is now adding dedicated, complementary protections specifically optimized for React Server Components traffic. This includes new attack indicators integrated into our core ML engine and an additional IPS rule, providing even tighter security while maintaining our industry-leading low false-positive rates.
For more information on Check Point CloudGuard WAF, and to see how it stacks up to the most extreme CVEs, check out the WAF Comparison Project.



