React2Shell Vulnerability Sparks 1.4 Million Exploit Attempts

React2Shell Vulnerability Sparks 1.4 Million Exploit Attempts

Posted on By CWS

Key Points

  • Over 1.4 million React2Shell exploitation attempts reported in a week.
  • Unauthenticated RCE vulnerability in React.js version 19.
  • Significant activity observed from two primary IP addresses.

In a concerning development for cybersecurity experts, the React2Shell vulnerability has seen a staggering 1.4 million exploitation attempts in the past week, as reported by GreyNoise. This vulnerability, found in version 19 of the popular JavaScript library React (React.js), is identified as CVE-2025-55182 and carries a CVSS score of 10, indicating its critical severity.

Exploit Details and Impact

The React2Shell flaw allows attackers to execute remote code without authentication by sending a single HTTP POST request. The vulnerability gained significant attention after a Metasploit module was released, facilitating its exploitation. Notably, applications that utilize React Server Components (RSC) may also be affected, even if they do not directly use React Server Function endpoints.

This vulnerability was publicly disclosed in early December, and within two days, both state-sponsored hackers and cybercriminal groups began targeting it. This highlights the urgency for developers and system administrators to address the flaw promptly.

Attack Origins and Methods

GreyNoise has observed over 1,000 IP addresses involved in these exploitation attempts, with two addresses standing out due to their significant activity. The IP 193.142.147[.]209 alone accounted for 488,342 attack sessions, equating to 34% of all activity, primarily focusing on deploying reverse shells to gain interactive access.

Similarly, the IP 87.121.84[.]24 was responsible for 311,484 attack sessions, which is 22% of the total malicious activity. These attacks have been linked to the deployment of XMRig cryptocurrency miners, utilizing two specific staging servers.

Ongoing Threats and Server Activity

One of the staging servers used in these attacks has a history of malicious activity dating back to at least 2020. Adjacent IP addresses are currently implicated in distributing Mirai and Gafgyt malware, further emphasizing the persistent threat environment.

This situation underscores the need for robust cybersecurity measures and vigilance to safeguard against such vulnerabilities and their exploitation by malicious actors.

Conclusion

The React2Shell vulnerability represents a significant threat to systems utilizing affected versions of React.js. With over a million attempts to exploit this flaw, it is imperative for organizations to patch their systems and monitor for suspicious activity. Staying informed and responsive to such vulnerabilities is crucial to maintaining cybersecurity resilience.

Security Week News Tags:, , , , , , , , , , , , ,

Related Posts

Asheville Eye Associates Says 147,000 Impacted by Data Breach Asheville Eye Associates Says 147,000 Impacted by Data Breach Security Week News
Nike Probing Potential Security Incident as Hackers Threaten to Leak Data Nike Probing Potential Security Incident as Hackers Threaten to Leak Data Security Week News
BlackSuit Ransomware Group Transitioning to ‘Chaos’ Amid Leak Site Seizure BlackSuit Ransomware Group Transitioning to ‘Chaos’ Amid Leak Site Seizure Security Week News
Portal26 Raises Million for Gen-AI Adoption Platform Portal26 Raises $9 Million for Gen-AI Adoption Platform Security Week News
Cyber Insights 2026: Zero Trust and Following the Path Cyber Insights 2026: Zero Trust and Following the Path Security Week News
ICS Devices Bricked Following Russia-Linked Intrusion Into Polish Power Grid ICS Devices Bricked Following Russia-Linked Intrusion Into Polish Power Grid Security Week News