In this episode, Noel sits down with David Mytton, founder and CEO of Arcjet, to unpack the React2Shell vulnerability and why it became such a serious remote code execution risk for apps using React Server Components and Next.js. They explain how the server-side features introduced in React 19 changed the attack surface, why cloud providers leaned on WAF mitigation instead of instant patching, and what this incident reveals about modern JavaScript supply chain risk. The conversation also covers dependency sprawl, rushed patches, and why security as a feature needs to start long before production.

--

Links
X: https://x.com/davidmytton
Blog: https://davidmytton.blog

--

Resources
Multiple Threat Actors Exploit React2Shell: https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182

---

Fill out our feedback form to help us improve PodRocket! https://forms.gle/xHm5PdAasfYqXYzT7

---

Chapters
00:00 – Intro & guest welcome
01:00 – React2Shell vulnerability overview
03:00 – Who is affected: React 19, Next.js, and hidden dependencies
04:30 – Server Components, Server Actions, and the attack surface
06:00 – Development vs production security risk
07:30 – How hosting platforms responded (Vercel, Netlify, AWS)
10:00 – Why patching JavaScript apps is hard
12:00 – Centralization, disclosure, and ecosystem coordination
15:00 – Alert fatigue and dependency noise
17:00 – JavaScript culture and supply chain risk
19:30 – React2Shell vs supply-chain attacks
22:00 – Log4Shell comparison and the inevitability of vulnerabilities
24:00 – Staying up to date without breaking everything
26:00 – Secure defaults, npm, and ecosystem maturity
29:00 – React Server Components and growing pains
31:30 – Framework complexity and “magic” abstractions
34:00 – Peak framework complexity and simpler alternatives
36:00 – What React2Shell changes for developers
38:00 – Practical security advice for developers
40:00 – Closing thoughts and outro

---

🎙 Listen to PodRocket
🎧 Spotify: https://open.spotify.com/show/6oFuKu8...
🎧 Apple Podcasts: https://podcasts.apple.com/us/podcast...
📺 Subscribe on YouTube: @LogRocket

Follow on Socials
➡️ Noel Minchow, Host
➡️ Elizabeth Becz, Producer: / elizabethb3cz
➡️ LogRocket: / logrocket

---

What does LogRocket do? LogRocket provides AI-first session replay and analytics that surface the UX and technical issues impacting user experiences. Start understanding where your users are struggling by trying it for free at LogRocket.com.