By HEXSENTINEL, 11 Dec 2025

Zero-Click Nightmare: Inside the Race to Expose React2Shell in Modern Web Apps

A critical RCE flaw in Next.js and React Server Components puts thousands at risk - here's how security teams are scrambling to detect it with Burp Suite.

It’s the kind of vulnerability that keeps security pros up at night: a silent, unauthenticated Remote Code Execution flaw lurking at the heart of today’s most popular web frameworks. Dubbed “React2Shell,” this newly unearthed threat is sending shockwaves through the developer and cybersecurity communities, with echoes reminiscent of the notorious Log4j incident. The race is on - not just to patch, but to detect and triage exposure before attackers can weaponize the flaw. At the center of this high-stakes scramble: Burp Suite, the industry’s go-to penetration testing toolkit.

The Vulnerability That Won’t Stay Quiet

Tracked as CVE-2025-55182 and CVE-2025-66478, React2Shell delivers a nightmare scenario: an unauthenticated attacker can execute arbitrary code on a vulnerable server. The flaw lives in React Server Components (RSC), the server-rendering architecture behind a large share of modern React applications, and it is most widely exposed through Next.js, which is built on RSC. The scale of exposure is daunting, and experts warn that the speed of exploitation could rival that of the infamous Log4Shell.

What makes React2Shell especially insidious is that an application can be exposed without visibly using the affected features: the vulnerable request handling sits in the framework and library code, not in code the team wrote. Exposure therefore cannot be ruled out by reading the application's own source; it has to be confirmed against the React and Next.js versions actually deployed. That leaves thousands of production systems as potential ticking time bombs that no code review will surface.

Burp Suite: The First Line of Detection

With the clock ticking, security teams are turning to Burp Suite, a mainstay in application security. The latest release of its ActiveScan++ extension (v2.0.8) adds a dedicated React2Shell check that runs inside Burp Scanner's active scans, so it fits both manual and automated workflows. Once installed, ActiveScan++ probes for the telltale signs of React2Shell during active scanning and flags Next.js applications that leverage React Server Components and respond in the suspicious way.

For those needing surgical precision, Burp Suite Professional supports custom Bambdas (short Java snippets evaluated inside Burp), which can be used to single out specific endpoints for targeted probing. Organizations managing dozens (or hundreds) of apps can instead deploy Burp Suite DAST to run continuous scans across their entire estate and feed the results straight to security operations for triage and remediation.

What Should Security Teams Do Now?

The message is clear: treat React2Shell as a top-priority incident. Update your Burp Suite tools, deploy ActiveScan++ v2.0.8, and scan Next.js applications first, since that is where the exposure is broadest and where the automated check applies. For apps built on other React frameworks, manual investigation remains essential until broader detection coverage emerges. Detection is triage, not remediation: a positive finding tells you where to patch, and only the upstream React and Next.js fixes close the hole. In this zero-click, zero-day world, proactive detection is the thin red line between business as usual and full-blown compromise.
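The article's advice to scan Next.js applications first, and to treat other React stacks as manual-review work, assumes you already know which of your hosts run Next.js with React Server Components. The script below is an added example for this article, not PortSwigger's ActiveScan++ code and not an exploit: it fingerprints plain HTTP responses for framework markers and ranks hosts into review tiers. The markers are ordinary Next.js behaviours rather than anything taken from the article (the App Router sends `Vary: RSC`, answers `RSC: 1` requests with `text/x-component`, inlines Flight data through `self.__next_f.push`, serves assets under `/_next/static/`, and sets `X-Powered-By: Next.js` unless `poweredByHeader` is disabled); the React-without-Next heuristic and the tier numbers are my assumptions, and the response samples are constructed.

```python
"""Rank hosts for React2Shell follow-up by fingerprinting Next.js / RSC.

Added example for this article, not the ActiveScan++ check and not an exploit:
it only classifies framework markers so Next.js targets get reviewed first.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Next.js markers (observed framework behaviour, not from the article).
RSC_CONTENT_TYPE = "text/x-component"          # Flight payload content type
NEXT_MARKERS = ("self.__next_f.push",          # App Router inlined Flight data
                "/_next/static/",              # Next.js asset prefix
                "__NEXT_DATA__")               # Pages Router hydration blob

# Review tiers (assumption): 1 = Next.js with RSC evidence, 2 = Next.js or
# another RSC server, 3 = React without Next.js (manual review), 4 = unknown.
PRIORITY = {("nextjs", True): 1, ("nextjs", False): 2, ("rsc-other", True): 2,
            ("react-other", False): 3, ("unknown", False): 4}


@dataclass
class HttpResponse:
    status: int
    headers: Dict[str, str]   # header names lower-cased
    body: str


def parse_response(raw: str) -> HttpResponse:
    """Minimal HTTP/1.1 response parser: status line, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpResponse(status, headers, body)


def fingerprint(resp: HttpResponse) -> dict:
    """Return {'framework': ..., 'rsc': bool, 'evidence': [...]}."""
    evidence: List[str] = []
    ctype = resp.headers.get("content-type", "").lower()
    vary = [v.strip() for v in resp.headers.get("vary", "").lower().split(",")]
    powered = resp.headers.get("x-powered-by", "").lower()
    body = resp.body

    is_next = False
    if "next.js" in powered:
        is_next = True
        evidence.append("x-powered-by: Next.js")
    for marker in NEXT_MARKERS:
        if marker in body:
            is_next = True
            evidence.append(f"body contains {marker}")

    rsc = False
    if ctype.startswith(RSC_CONTENT_TYPE):
        rsc = True
        evidence.append(f"content-type: {RSC_CONTENT_TYPE}")
    if "rsc" in vary:
        rsc = True
        evidence.append("vary includes RSC")
    if "self.__next_f.push" in body:      # App Router => RSC in use
        rsc = True

    if is_next:
        framework = "nextjs"
    elif rsc:
        framework = "rsc-other"           # Flight payload, non-Next.js server
    elif "data-reactroot" in body or "react-dom" in body:
        framework = "react-other"         # heuristic: React without Next.js
        evidence.append("React markers without Next.js markers")
    else:
        framework = "unknown"
    return {"framework": framework, "rsc": rsc, "evidence": evidence}


def triage(targets: Dict[str, str]) -> List[Tuple[int, str, dict]]:
    """Map host -> raw response into (tier, host, fingerprint), best first."""
    rows = []
    for host, raw in targets.items():
        fp = fingerprint(parse_response(raw))
        rows.append((PRIORITY[(fp["framework"], fp["rsc"])], host, fp))
    return sorted(rows, key=lambda r: (r[0], r[1]))


# Constructed responses for four hypothetical hosts.
SAMPLES = {
    "app.example.test": (
        'HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n'
        'X-Powered-By: Next.js\r\n'
        'Vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch\r\n\r\n'
        '<!DOCTYPE html><html><body><script>self.__next_f.push([1,"0:[]"])'
        '</script><script src="/_next/static/chunks/main-app.js"></script>'
        '</body></html>'),
    "legacy.example.test": (
        'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Powered-By: Next.js'
        '\r\n\r\n<html><body><script id="__NEXT_DATA__" '
        'type="application/json">{}</script></body></html>'),
    "spa.example.test": (
        'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>'
        '<div id="root"></div><script src="/static/js/react-dom.production'
        '.min.js"></script></body></html>'),
    "static.example.test": (
        'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: nginx\r\n\r\n'
        '<html><body>hello</body></html>'),
}

if __name__ == "__main__":
    for tier, host, fp in triage(SAMPLES):
        print(f"tier {tier}  {host:22} {fp['framework']:12} "
              f"rsc={fp['rsc']}  {'; '.join(fp['evidence'])}")
```

Tier 1 hosts are the ones to point ActiveScan++ at first; tier 3 is the "other React frameworks" bucket the article says still needs manual investigation. The check is passive and version-agnostic, so a tier 1 result means "Next.js with RSC is present", not "vulnerable": confirmation still comes from the deployed React and Next.js versions or from the active scan.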


HEXSENTINEL, Binary & Malware Analyst