Inside Vercel's sleep-deprived race to contain React2Shell
Talha Tariq and his colleagues at Vercel, the company that maintains Next.js, endured many sleep-deprived nights and weekends when React2Shell was discovered and disclosed soon after Thanksgiving. The defect, which affects vast stretches of the internet's underlying infrastructure, posed a significant risk for Next.js, an open-source library that depends on vulnerable React Server Components.
He quickly realized he had a major problem to confront with CVE-2025-55182, a maximum-severity vulnerability affecting multiple React frameworks and bundlers that allows unauthenticated attackers to achieve remote code execution in default configurations.
"It's literally the very first layer that everybody on the internet interacts with, so from a risk perspective and exposure perspective it's basically as bad as it could be," Tariq, the company's CTO, told CyberScoop.
Tariq and his team initiated and coordinated a massive response effort with major cloud providers, the open source community and technology vendors hours after a developer reported the defect to Meta, which initially created and maintained React before moving the open-source library to the React Foundation in October.
The React team publicly disclosed the flaw with a patch four days later, after Vercel and many other impacted providers implemented platform-level mitigations to minimize damages.
Vercel's deep integration with and understanding of React meant it had an outsized responsibility to investigate and share its findings across the industry. Doing so would help validate the patch's effectiveness and ensure downstream customers understood the potential risk once the vulnerability was disclosed, Tariq said.
"Nobody slept through the weekend, nobody slept through the night," he said, adding that it was a 24/7 response for Vercel for a minimum of two weeks, extending beyond the vulnerability disclosure into a cat-and-mouse game with attackers seeking to exploit the defect or bypass the patch.
Cybercriminals, ransomware gangs and nation-state threat groups were all taking swift measures to exploit the vulnerability.
Palo Alto Networks' Unit 42 confirmed more than 60 organizations were directly impacted by attacks involving exploitation of the defect by mid-December. Valid public exploits also hit an all-time high, nearing 200 by that time, according to VulnCheck.
Malicious activity targeting React2Shell remains at a "sustained, elevated pace," cybersecurity firm GreyNoise said in a Wednesday update. The company's sensors have observed more than 8.1 million attempted attacks since the defect was disclosed, with daily volumes now ranging between 300,000 and 400,000 after peaking in the final weeks of December.
Vercel also responded to React2Shell with a quickly arranged HackerOne bounty program offering $50,000 for each verified technique that bypassed its web application firewall. More than 116 researchers participated, and Vercel ultimately paid out $1 million for 20 unique bypass techniques.
The company said this work allowed it to block more than 6 million exploit attempts targeting environments running vulnerable versions of Next.js. Tariq said it was the "best million dollars spent," considering the potential impact and exposure it contained.
Tariq doesn't look back on the initial response to React2Shell with regret. Instead, he sees it as motivation to address a persistent challenge rooted in coordination.
The burden to promptly address security issues with the broader community often falls on individuals like Tariq who relied on personal relationships to coordinate an industry-wide response. This involved direct contact and communication with security leaders at Google, Microsoft, Amazon and others, he said.
"We have to do better as an industry and figure out a more sustaining way to do this," Tariq said.
The post Inside Vercel's sleep-deprived race to contain React2Shell appeared first on CyberScoop.