PLAY PODCASTS
React got hacked with David Mytton

React got hacked with David Mytton

In this episode, Noel sits down with David Mytton, founder and CEO of Arcjet, to unpack the React2Shell vulnerability and why it became such a serious remote code execution risk for apps using React server components and Next.js. They explain how server-side features introduced in React 19 changed the attack surface, why cloud providers leaned on WAF mitigation instead of instant patching, and what this incident reveals about modern JavaScript supply chain risk. The conversation also covers dependency sprawl, rushed patches, and why security as a feature needs to start long before production.

PodRocket

December 16, 202537m 54s

Audio is streamed directly from the publisher (dts.podtrac.com) as published in their RSS feed. Play Podcasts does not host this file. Rights-holders can request removal through the copyright & takedown page.

Original episode page

Show Notes

In this episode, Noel sits down with David Mytton, founder and CEO of Arcjet, to unpack the React2Shell vulnerability and why it became such a serious remote code execution risk for apps using React server components and Next.js. They explain how server-side features introduced in React 19 changed the attack surface, why cloud providers leaned on WAF mitigation instead of instant patching, and what this incident reveals about modern JavaScript supply chain risk. The conversation also covers dependency sprawl, rushed patches, and why security as a feature needs to start long before production.

Links

X: https://x.com/davidmytton
Blog: https://davidmytton.blog

Resources

Multiple Threat Actors Exploit React2Shell: https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182

We want to hear from you!

How did you find us? Did you see us on Twitter? In a newsletter? Or maybe we were recommended by a friend?

Fill out our listener survey! https://t.co/oKVAEXipxu

Let us know by sending an email to our producer, Elizabeth, at [email protected], or tweet at us at PodRocketPod.

Check out our newsletter! https://blog.logrocket.com/the-replay-newsletter/

Follow us. Get free stickers.

Follow us on Apple Podcasts, fill out this form, and we’ll send you free PodRocket stickers!

What does LogRocket do?

LogRocket provides AI-first session replay and analytics that surfaces the UX and technical issues impacting user experiences. Start understanding where your users are struggling by trying it for free at LogRocket.com. Try LogRocket for free today.

Chapters

Topics

React to Shell vulnerabilityReact2ShellReact2Shell vulnerabilityReactor Shell vulnerabilityReact securityReact 19Next.js securityNext.js 15Next.js 14Next.js 13React server componentsserver functionsserver actionsremote code executionenvironment variablescrypto minersdata exfiltrationinternal infrastructure requestsweb application firewallWAF mitigationsupply chain issuesnpm supply chain attacksShai-Hulud attacksdependency tree explosiondependency updatessemantic versioningnpm install scriptsnpm cipackage-lockGitHub security alertsSocket security toolVercelNetlifyAWSGoogle CloudCloudflareruntime mitigationsbug bounty programdev containerspassword manager secretsoutbound firewallsecure by designsecurity as a feature
← All episodes of PodRocket