Exploitation of React2Shell Surges – SecurityWeek

Posted on December 8, 2025 By CWS

A growing number of threat actors have been attempting to exploit the critical vulnerability found recently in React, the popular open source library for creating application user interfaces.

The vulnerability, dubbed React2Shell and officially tracked as CVE-2025-55182, can be exploited using specially crafted HTTP requests for unauthenticated remote code execution. The flaw affects systems that use React version 19, specifically instances that leverage React Server Components (RSC).

The existence of the vulnerability came to light on December 3, when patches were released by React maintainer Meta, which learned about the issue on November 29 from researcher Lachlan Davidson.

In addition to React itself, CVE-2025-55182 impacts other frameworks that rely on it, including Next.js, Waku, React Router, and RedwoodSDK.

React instances impacted by CVE-2025-55182

React is widely used. It powers millions of websites, it’s used by popular online services such as Airbnb and Netflix, and its core NPM package currently has 60 million weekly downloads.

However, as researcher Kevin Beaumont pointed out, React2Shell only impacts React version 19, which was released within the past year, and only instances that use RSC, which also became available within the past year.

“This is a niche setup,” Beaumont said. “A vast majority of organizations won’t have this setup yet, let alone internet facing. The vulnerability was caught quickly after it was first introduced in the new feature by the maintainers, so orgs can fix it if they actually use it quickly too.”

The Shadowserver Foundation reported seeing more than 77,000 IPs hosting vulnerable React instances.

Censys said on Friday that it had observed over 250,000 instances of React, Waku, React Router, Next.js, and RedwoodSDK that could be vulnerable. Nearly 70,000 instances are in the United States, followed by China (30,000), Germany (25,000), and India (13,000).

Cloud security giant Wiz reported that 39% of the cloud environments it monitors include vulnerable React or Next.js versions.

Exploitation of React2Shell

Exploitation of React2Shell started almost immediately after disclosure. AWS reported that at least two known China-linked threat actors, Earth Lamia and Jackpot Panda, have been exploiting it in attacks since December 3.

While many of the proof-of-concept (PoC) exploits made public shortly after the vulnerability’s disclosure turned out to be fake or at least ineffective in real-world environments, working PoCs soon emerged, and exploitation now seems to have surged.

Palo Alto Networks told SecurityWeek that it had confirmed more than 30 affected organizations across various sectors as of Friday. Justin Moore, senior manager of threat intel research at the security firm’s Unit 42, said,

“We have observed scanning for vulnerable RCE, reconnaissance activity, attempted theft of AWS configuration and credential files, as well as installation of downloaders to retrieve payloads from attacker command and control infrastructure.

Unit 42 observed threat activity we assess with high confidence is consistent with CL-STA-1015 (aka UNC5174), a group suspected to be an initial access broker with ties to the Chinese Ministry of State Security. In this activity, we observed the deployment of Snowlight and Vshell malware, both highly consistent with Unit 42 knowledge of CL-STA-1015 (also known as UNC5174).”

Wiz also reported identifying “multiple victims” since December 5, primarily Next.js applications and Kubernetes containers. The company has seen attempts to steal AWS credentials, deploy Sliver, and deliver cryptocurrency miners.

Threat intelligence firm GreyNoise has observed exploitation attempts coming from more than 200 IP addresses over the past two days. While much of the activity represents automated scanning to find vulnerable instances, some attacks involve the deployment of downloaders and other malicious payloads that can lead to cryptominers and other malware.

Security firm Ellio has also seen React2Shell attacks, and only 2% of them were limited to reconnaissance. Roughly 65% of attacks attempted to deliver a Mirai malware, which is typically used to create botnets, as well as a cryptocurrency miner.

The cybersecurity agency CISA has confirmed exploitation and added CVE-2025-55182 to its Known Exploited Vulnerabilities (KEV) catalog, instructing federal agencies to address it in their environments by December 26.
