Dec 06, 2025Ravie LakshmananVulnerability / Patch Administration
The U.S. Cybersecurity and Infrastructure Safety Company (CISA) on Friday formally added a vital safety flaw impacting React Server Parts (RSC) to its Identified Exploited Vulnerabilities (KEV) catalog following reviews of energetic exploitation within the wild.
The vulnerability, CVE-2025-55182 (CVSS rating: 10.0), pertains to a case of distant code execution that could possibly be triggered by an unauthenticated attacker with out requiring any particular setup. It is also tracked as React2Shell.
“Meta React Server Parts comprises a distant code execution vulnerability that would permit unauthenticated distant code execution by exploiting a flaw in how React decodes payloads despatched to React Server Perform endpoints,” CISA stated in an advisory.
The issue stems from insecure deserialization within the library’s Flight protocol, which React makes use of to speak between a server and consumer. Consequently, it results in a state of affairs the place an unauthenticated, distant attacker can execute arbitrary instructions on the server by sending specifically crafted HTTP requests.
“The method of changing textual content into objects is broadly thought-about one of the crucial harmful lessons of software program vulnerabilities,” Martin Zugec, technical options director at Bitdefender, stated. “The React2Shell vulnerability resides within the react-server bundle, particularly in the way it parses object references throughout deserialization.”
The vulnerability has been addressed variations 19.0.1, 19.1.2, and 19.2.1 of the next libraries –
react-server-dom-webpack
react-server-dom-parcel
react-server-dom-turbopack
A few of the downstream frameworks that depend upon React are additionally impacted. This contains: Subsequent.js, React Router, Waku, Parcel, Vite, and RedwoodSDK.
The event comes after Amazon reported that it noticed assault makes an attempt originating from infrastructure related to Chinese language hacking teams like Earth Lamia and Jackpot Panda inside hours of public disclosure of the flaw. Coalition, Fastly, GreyNoise, VulnCheck, and Wiz have additionally reported seeing exploitation efforts focusing on the flaw, indicating that a number of menace actors are partaking in opportunistic assaults.
Picture Supply: GreyNoise
A few of the assaults have concerned the deployment of cryptocurrency miners, in addition to the execution of “low-cost math” PowerShell instructions to establish profitable exploitation, adopted by working instructions to drop in-memory downloaders able to retrieving a further payload from a distant server.
In accordance with knowledge shared by assault floor administration platform Censys, there are about 2.15 million cases of internet-facing companies that could be affected by this vulnerability. This contains uncovered internet companies utilizing React Server Parts and uncovered cases of frameworks corresponding to Subsequent.js, Waku, React Router, and RedwoodSDK.
In a press release shared with The Hacker Information, Palo Alto Networks Unit 42 stated it has confirmed over 30 affected organizations throughout quite a few sectors, with one set of exercise in keeping with a Chinese language hacking crew tracked as UNC5174 (aka CL-STA-1015). The assaults are characterised by the deployment of SNOWLIGHT and VShell.
“We now have noticed scanning for weak RCE, reconnaissance exercise, tried theft of AWS configuration and credential recordsdata, in addition to set up of downloaders to retrieve payloads from attacker command and management infrastructure,” Justin Moore, senior supervisor of menace intel analysis at Palo Alto Networks Unit 42, stated.
Safety researcher Lachlan Davidson, who’s credited with discovering and reporting the flaw, has since launched a number of proof-of-concept (PoC) exploits, making it crucial that customers replace their cases to the most recent model as quickly as attainable. One other working PoC has been printed by a Taiwanese researcher who goes by the GitHub deal with maple3142.
Pursuant to Binding Operational Directive (BOD) 22-01, Federal Civilian Govt Department (FCEB) businesses have till December 26, 2025, to use the mandatory updates to safe their networks.
