The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday formally added a critical security flaw impacting React Server Components (RSC) to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation in the wild.
The vulnerability, CVE-2025-55182 (CVSS score: 10.0), relates to a case of remote code execution that could be triggered by an unauthenticated attacker without requiring any special setup. It’s also tracked as React2Shell.
“Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints,” CISA said in an advisory.
The problem stems from insecure deserialization in the library’s Flight protocol, which React uses to communicate between a server and client. It allows an unauthenticated, remote attacker to execute arbitrary commands on the server by sending specially crafted HTTP requests.
“The process of converting text into objects is widely considered one of the most dangerous classes of software vulnerabilities,” Martin Zugec, technical solutions director at Bitdefender, said. “The React2Shell vulnerability resides in the react-server package, specifically in how it parses object references during deserialization.”
The vulnerability has been addressed in versions 19.0.1, 19.1.2, and 19.2.1 of the following libraries –
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Some of the downstream frameworks that depend on React are also impacted. This includes: Next.js, React Router, Waku, Parcel, Vite, and RedwoodSDK.
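As an added, defensive example (not code from the article, CISA, or the React project), the following Node.js script checks a project's package-lock.json for the three affected packages against the patched versions listed above. It assumes the lockfile v2/v3 "packages" layout and reports minor lines the article does not name as unknown rather than guessing.

```javascript
// Added example, not code from the article or from React: flags installed
// react-server-dom-* packages that are below the patched releases the
// article lists (19.0.1, 19.1.2, 19.2.1) using a package-lock.json v2/v3.
const PATCHED_PATCH_BY_MINOR = { 0: 1, 1: 2, 2: 1 }; // 19.0.1, 19.1.2, 19.2.1
const AFFECTED = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// "19.1.2-canary-x" -> { major, minor, patch, prerelease: true }; null if unparsable.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(v);
  return m && { major: +m[1], minor: +m[2], patch: +m[3], prerelease: !!m[4] };
}

// "vulnerable" | "patched" | "unknown". Unknown covers packages and
// 19.x minor lines the article does not name (assumption: assess by hand).
function classify(pkg, version) {
  const v = parseVersion(version);
  if (!AFFECTED.has(pkg) || !v || v.major !== 19) return "unknown";
  const fixed = PATCHED_PATCH_BY_MINOR[v.minor];
  if (fixed === undefined) return "unknown";
  if (v.patch < fixed) return "vulnerable";
  if (v.patch > fixed) return "patched";
  // Same patch number: a prerelease sorts below the release, so only the plain release is patched.
  return v.prerelease ? "unknown" : "patched";
}

// Report every affected package in the lockfile's "packages" map that is
// not on a patched release, including nested node_modules copies.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!AFFECTED.has(name) || !entry.version) continue;
    const status = classify(name, entry.version);
    if (status !== "patched") findings.push({ path, version: entry.version, status });
  }
  return findings;
}

// Constructed sample lockfile fragment, not real project data.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.2.1" },
    "node_modules/react-server-dom-parcel": { version: "19.1.2-canary-1" },
  },
};
console.log(scanLockfile(SAMPLE_LOCK));
```

Run it against a real lockfile by replacing SAMPLE_LOCK with the parsed contents of your package-lock.json; anything reported as vulnerable or unknown needs attention.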
The development comes after Amazon reported that it observed attack attempts originating from infrastructure associated with Chinese hacking groups like Earth Lamia and Jackpot Panda within hours of public disclosure of the flaw. Coalition, Fastly, GreyNoise, VulnCheck, and Wiz have also reported seeing exploitation efforts targeting the flaw, indicating that multiple threat actors are engaging in opportunistic attacks.
Image Source: GreyNoise
Some of the attacks have involved the deployment of cryptocurrency miners, as well as the execution of “cheap math” PowerShell commands to ascertain successful exploitation, followed by running commands to drop in-memory downloaders capable of retrieving an additional payload from a remote server.
Jacob Baines, VulnCheck CTO, told The Hacker News that the company has also seen “a lot of attacks from RondoDox botnet,” which has been steadily expanding its arsenal of N-day vulnerabilities in recent months. Other attacks have distributed Mirai and cryptocurrency miners, run simple checks to determine whether the server is vulnerable, or run commands like “whoami.”
“So far, we are not seeing any of the tricky payloads like in memory web shells/reverse shells,” Baines added. “Generally speaking, we aren’t seeing typical reverse shells. When an attacker wants to gain execution, it appears that all we are seeing is downloading secondary payloads and executing them.”
According to data shared by attack surface management platform Censys, there are about 2.15 million instances of internet-facing services that may be affected by this vulnerability. This comprises exposed web services using React Server Components and exposed instances of frameworks such as Next.js, Waku, React Router, and RedwoodSDK.
The Shadowserver Foundation said it has detected 28,964 IP addresses vulnerable to the React2Shell flaw as of December 7, 2025, down from 77,664 on December 5, with approximately 10,100 located in the U.S., 3,200 in Germany, and 1,690 in China.
In a statement shared with The Hacker News, Palo Alto Networks Unit 42 said it has confirmed over 30 affected organizations across numerous sectors, with one set of activity consistent with a Chinese hacking crew tracked as UNC5174 (aka CL-STA-1015). The attacks are characterized by the deployment of SNOWLIGHT and VShell.
“We have observed scanning for vulnerable RCE, reconnaissance activity, attempted theft of AWS configuration and credential files, as well as installation of downloaders to retrieve payloads from attacker command and control infrastructure,” Justin Moore, senior manager of threat intel research at Palo Alto Networks Unit 42, said.
Security researcher Lachlan Davidson, who is credited with discovering and reporting the flaw, has since released multiple proof-of-concept (PoC) exploits, making it imperative that users update their instances to the latest version as soon as possible. Another working PoC has been published by a Taiwanese researcher who goes by the GitHub handle maple3142.
Pursuant to Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies have until December 26, 2025, to apply the necessary updates to secure their networks.
Exploitation Activity Ramps Up
In a follow-up report, VulnCheck said it has logged hundreds of attack attempts, and that the security defect has been leveraged for various exploits –
- Simple execution-based exploits that make use of existing PoCs to call a reverse shell or run operating system command execution payloads
- Delivering dropper-like payloads to establish permanent access, and
- Running an in-memory web shell
“The post-exploitation story for React2Shell is nearly perfect: a single request that is difficult to detect that results in direct manipulation of the active in-memory runtime that can allow complex manipulation of the back-end server state and access to arbitrary JavaScript runtime actions,” security researcher Cale Black said.
“This is excellent for attackers because it means they can work without touching disk; it also allows for staging of next-step payloads even in environments without writable disks, which greatly decreases the likelihood of leaving artifacts behind.”
Wiz researchers Shir Tamari, Gili Tikochinski, Hila Ramati, and Benjamin Read said the exploitation activity runs a wide gamut from opportunistic cryptocurrency miners and “smash-and-grab” credential harvesting to sophisticated, persistent backdoors leveraging Sliver implants.
Data from the cloud security firm shows that 45% of cloud and code environments have at least one vulnerable React instance, 12% of cloud environments expose vulnerable React or Next.js applications to the internet, and 0.4% of cloud environments show critical indicators of compromise.
“Attackers are using CVE-2025-55182 not just to run one-off commands, but to gain interactive, cloud-aware access to containerized workloads, aggressively harvest secrets, weaken local defenses, and monetize access through cryptomining and backdoor deployment,” the company said.
In addition, attempts to install Cobalt Strike, interactive web shells, and other commodity malware families have been observed. Notable among these is a cross-platform backdoor known as Noodle RAT (aka ANGRYREBEL and Nood RAT) that’s capable of infecting both Windows and Linux systems.
“The critical distinction of this vulnerability is its nature as a deterministic logic flaw in the Flight protocol, rather than a probabilistic error,” Palo Alto Networks Unit 42 said.
“Unlike memory corruption bugs that may fail, this flaw guarantees execution, transforming it into a reliable system-wide bypass for attackers. Amplified by the massive footprint of Next.js in enterprise environments, this creates a direct conduit to sensitive internal data.”
Miggo has also released additional technical details of the flaw, stating it’s triggered during handling of an RSC request and that any server that processes RSC requests is exposed.
“A real attack needs a multipart/form-data payload plus specific Flight protocol operators ($@, $B, $n),” Ben Stav, head of architecture at Miggo, said. “These operators let attackers smuggle unexpected values through the RSC request parser.”
(The story was updated after publication on December 9, 2025, to reflect the latest developments.)