React2Shell (CVE-2025-55182/CVE-2025-66478)
react2shell.com
It is very strange that this didn't make it to the front page of HN. I've just received an email from DigitalOcean that my VPS/droplet had been used in a DDoS attack, and a few hours later another email, again from DigitalOcean, saying that I'm running software that has a vulnerability with a CVE score of 10. I guess not a lot of CVEs get a score of 10, and not for a framework as widespread as React and Next.
It has a note on invalid PoCs:
> We have seen a rapid trend of "Proof of Concepts" spreading which are not genuine PoCs.
From the reporter of the React vulnerability, Lachlan Davidson