A critical unauthenticated remote code execution vulnerability dubbed "React2Shell" is being actively exploited in the wild, putting hundreds of thousands of web services at risk.
On December 3, React disclosed CVE-2025-55182, a critical flaw in React Server Components with a CVSS score of 10.
The vulnerability stems from insecure deserialization in the "Flight" protocol used by React Server Components.
Attackers can execute arbitrary code on vulnerable servers by sending specially crafted HTTP requests to Server Function endpoints without requiring authentication. This allows threat actors to gain full control of affected systems.
Amazon Web Services researchers reported that China-nexus threat actors, including Earth Lamia and Jackpot Panda, began exploiting this vulnerability within 24 hours of its public disclosure.
The attackers are targeting vulnerable cloud-hosted applications using React Server Components. Typically, they deploy web shells and backdoors shortly after gaining initial access.
CVE-ID: CVE-2025-55182
CVSS Score: 10.0 (Critical)
Vulnerability Type: Unauthenticated Remote Code Execution
Affected Versions: React 19.0.0, 19.1.0, 19.1.1, 19.2.0
As of December 5, CISA added CVE-2025-55182 to its Known Exploited Vulnerabilities Catalog, underscoring the severity and active exploitation of this flaw.
GreyNoise has also documented opportunistic exploitation attempts against its honeypots, indicating widespread scanning and exploitation activity across the internet.
According to Censys, roughly 2.15 million internet-facing web services may be affected by this vulnerability.
These include exposed services running React Server Components and affected frameworks such as Next.js, Waku, React Router, and RedwoodSDK.
While this count reflects software exposure rather than confirmed vulnerable versions, the scale of potential impact is significant given the popularity of these frameworks.
The vulnerability affects React Server Components packages, including react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack, in versions 19.0.0 through 19.2.0.
Several popular frameworks depend on these packages, including Next.js versions 14.3.0-canary.77 and above when using the App Router, React Router RSC preview, Waku, Vite RSC Plugin, Parcel RSC Plugin, and RedwoodSDK.
Pure client-side React applications that do not run server-side components are not affected.
However, applications implementing React Server Components remain vulnerable even if they do not explicitly use Server Function endpoints.
Fixed versions are now available. Organizations should immediately update to React 19.0.1, 19.1.2, or 19.2.1.
Next.js users should upgrade to versions 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7 depending on their current version.
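The following script is an added example (not code from the article, React, or any of the frameworks it names) showing how a defender can audit a project's package-lock.json for the three react-server-dom-* packages and flag any install that falls inside the affected 19.0.0 through 19.2.0 range, using the fixed releases 19.0.1, 19.1.2 and 19.2.1 as the floor for each 19.x minor line. The lockfile object embedded below is constructed for illustration; the treatment of prerelease tags (a canary of a fixed patch is still reported as vulnerable) is an assumption not stated in the article.

```javascript
// Added example: audit a lockfileVersion 2/3 package-lock.json for the React
// Server Components packages named in the article and report versions inside
// the affected 19.0.0 - 19.2.0 range. Not part of React or the article.

// Packages that carry the Flight deserializer (from the article).
const RSC_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];

// First fixed patch release for each affected 19.x minor line (from the article):
// 19.0.1, 19.1.2, 19.2.1.
const FIXED_PATCH = { 0: 1, 1: 2, 2: 1 };

// Parse "major.minor.patch[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// True when the version falls inside the affected range.
// Assumption (not in the article): a prerelease of a fixed patch release
// (e.g. 19.2.1-canary.0) sorts before that release and is treated as vulnerable.
function isVulnerableReactVersion(version) {
  const { major, minor, patch, pre } = parseVersion(version);
  if (major !== 19) return false;          // only the 19.x line is affected
  if (!(minor in FIXED_PATCH)) return false; // 19.3+ never shipped the flaw
  const fixed = FIXED_PATCH[minor];
  if (patch < fixed) return true;
  if (patch === fixed && pre !== null) return true;
  return false;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json. Keys are
// install paths such as "node_modules/react-server-dom-webpack"; nested
// installs look like "node_modules/<dep>/node_modules/<pkg>".
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!RSC_PACKAGES.includes(name) || !entry.version) continue;
    findings.push({
      path,
      name,
      version: entry.version,
      vulnerable: isVulnerableReactVersion(entry.version),
    });
  }
  return findings;
}

// Constructed sample lockfile for illustration; not from any real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-lib/node_modules/react-server-dom-turbopack": { version: "19.1.2" },
  },
};

function main() {
  // Replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json"))
  // to run against a real project.
  for (const f of auditLockfile(SAMPLE_LOCK)) {
    const tag = f.vulnerable ? "VULNERABLE" : "ok        ";
    console.log(`${tag} ${f.path} ${f.version}`);
  }
}

if (typeof require !== "undefined" && require.main === module) main();
```

Running it against the constructed lockfile flags the top-level react-server-dom-webpack 19.2.0 install and reports the nested react-server-dom-turbopack 19.1.2 as fixed. Because the same package can be installed at several nested paths, the audit walks every entry rather than only the top-level one; a single unpatched nested copy is enough to expose a Server Function endpoint.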
While WAF providers, including Cloudflare and AWS, have deployed protective rule sets, some proof-of-concept exploits demonstrate bypass techniques. Patching remains the most reliable mitigation.
Given the active exploitation, maximum severity rating, and widespread framework adoption, organizations running React Server Components should treat this as an emergency patch priority.
