React2Shell Vulnerability Sparks 1.4 Million Exploit Attempts

React2Shell Vulnerability Sparks 1.4 Million Exploit Attempts

Posted on By CWS

Key Points

  • Over 1.4 million React2Shell exploitation attempts reported in a week.
  • Unauthenticated RCE vulnerability in React.js version 19.
  • Significant activity observed from two primary IP addresses.

In a concerning development for cybersecurity experts, the React2Shell vulnerability has seen a staggering 1.4 million exploitation attempts in the past week, as reported by GreyNoise. This vulnerability, found in version 19 of the popular JavaScript library React (React.js), is identified as CVE-2025-55182 and carries a CVSS score of 10, indicating its critical severity.

Exploit Details and Impact

The React2Shell flaw allows attackers to execute remote code without authentication by sending a single HTTP POST request. The vulnerability gained significant attention after a Metasploit module was released, facilitating its exploitation. Notably, applications that utilize React Server Components (RSC) may also be affected, even if they do not directly use React Server Function endpoints.

This vulnerability was publicly disclosed in early December, and within two days, both state-sponsored hackers and cybercriminal groups began targeting it. This highlights the urgency for developers and system administrators to address the flaw promptly.

Attack Origins and Methods

GreyNoise has observed over 1,000 IP addresses involved in these exploitation attempts, with two addresses standing out due to their significant activity. The IP 193.142.147[.]209 alone accounted for 488,342 attack sessions, equating to 34% of all activity, primarily focusing on deploying reverse shells to gain interactive access.

Similarly, the IP 87.121.84[.]24 was responsible for 311,484 attack sessions, which is 22% of the total malicious activity. These attacks have been linked to the deployment of XMRig cryptocurrency miners, utilizing two specific staging servers.

Ongoing Threats and Server Activity

One of the staging servers used in these attacks has a history of malicious activity dating back to at least 2020. Adjacent IP addresses are currently implicated in distributing Mirai and Gafgyt malware, further emphasizing the persistent threat environment.

This situation underscores the need for robust cybersecurity measures and vigilance to safeguard against such vulnerabilities and their exploitation by malicious actors.

Conclusion

The React2Shell vulnerability represents a significant threat to systems utilizing affected versions of React.js. With over a million attempts to exploit this flaw, it is imperative for organizations to patch their systems and monitor for suspicious activity. Staying informed and responsive to such vulnerabilities is crucial to maintaining cybersecurity resilience.

Security Week News Tags:, , , , , , , , , , , , ,

Related Posts

OpenAI’s Sam Altman Warns of AI Voice Fraud Crisis in Banking OpenAI’s Sam Altman Warns of AI Voice Fraud Crisis in Banking Security Week News
‘MadeYouReset’ HTTP2 Vulnerability Enables Massive DDoS Attacks ‘MadeYouReset’ HTTP2 Vulnerability Enables Massive DDoS Attacks Security Week News
Italy Antitrust Agency Fines Apple 6 Million Over Privacy Feature; Apple Announces Appeal Italy Antitrust Agency Fines Apple $116 Million Over Privacy Feature; Apple Announces Appeal Security Week News
GitLab, Atlassian Patch High-Severity Vulnerabilities GitLab, Atlassian Patch High-Severity Vulnerabilities Security Week News
NASA Needs Agency-Wide Cybersecurity Risk Assessment: GAO NASA Needs Agency-Wide Cybersecurity Risk Assessment: GAO Security Week News
In Other News: 0k for XSS Bugs, HybridPetya Malware, Burger King Censors Research In Other News: $900k for XSS Bugs, HybridPetya Malware, Burger King Censors Research Security Week News