React2Shell Flaw: Critical Exploitation Risk, CISA Takes Action (2026)

A critical security flaw, known as React2Shell, has been added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog. This comes after reports of active exploitation in the wild, raising serious concerns.

The vulnerability, CVE-2025-55182, is a remote code execution flaw rated 10.0 on the CVSS scale. It allows an unauthenticated remote attacker to execute arbitrary code on the server, with no special configuration or user interaction required.

CISA's advisory notes that the vulnerability lies in Meta's React Server Components, specifically in how React decodes payloads sent to React Server Function endpoints. The root cause is insecure deserialization in React's Flight protocol, the wire format React uses to serialize data between the server and the client.

Martin Zugec, technical solutions director at Bitdefender, emphasizes the danger of this vulnerability, stating that the process of converting text into objects is one of the most critical software vulnerabilities. He explains that React2Shell resides in the react-server package, affecting how it parses object references during deserialization.

The good news is that the vulnerability has been fixed in the three packages that implement the server side of the protocol: react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. The affected releases are 19.0.0, 19.1.0, 19.1.1 and 19.2.0; the patched releases are 19.0.1, 19.1.2 and 19.2.1. Frameworks that build on these packages, including Next.js, React Router, Waku, Parcel, Vite, and RedwoodSDK, are also affected and need to be updated to their own patched releases.
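A practical first check is to scan a project's lockfile for the three affected packages and compare their versions against the affected range above. The following script is an added example, not code from the article or from the React project; it walks the `packages` map of a `package-lock.json` (lockfile v2/v3), and the function names, the `SAMPLE_LOCKFILE` object, and the `19.x` version table are the example's own assumptions, with the constructed sample lockfile embedded inline so it runs offline.

```javascript
// Added example (not from the article or the React project): audit a
// package-lock.json "packages" map for React Server Components packages in
// the CVE-2025-55182 affected range.
// Affected releases: 19.0.0, 19.1.0, 19.1.1, 19.2.0 (per React's advisory).
// Patched releases:  19.0.1, 19.1.2, 19.2.1.
// Function and variable names below are this example's own.

const VULNERABLE_PACKAGES = new Set([
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
]);

// First safe patch release for each affected 19.x minor line.
const FIXED_BY_MINOR = { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' };

// Parse "major.minor.patch[-prerelease]"; returns null on anything else.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(version);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Classify one package@version. Returns null for packages not in scope.
function classify(name, version) {
  if (!VULNERABLE_PACKAGES.has(name)) return null;
  const v = parseVersion(version);
  if (!v) return { name, version, status: 'unparseable' };
  // Canary/experimental builds are not covered by the stable ranges above;
  // flag them for a manual check against the advisory instead of guessing.
  if (v.prerelease) {
    return { name, version, status: 'review', note: 'prerelease build: compare against the advisory manually' };
  }
  const fixed = FIXED_BY_MINOR[`${v.major}.${v.minor}`];
  if (!fixed) return { name, version, status: 'ok' }; // not a 19.0-19.2 line
  const fixedPatch = parseVersion(fixed).patch;
  return v.patch < fixedPatch
    ? { name, version, status: 'vulnerable', fixed }
    : { name, version, status: 'ok' };
}

// Walk every entry of the lockfile, including nested node_modules copies.
function auditLockfile(lockfile) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (path === '') continue; // root project entry
    // "node_modules/a/node_modules/@scope/b" -> "@scope/b"
    const name = path.split('node_modules/').pop();
    const result = classify(name, meta.version);
    if (result) findings.push({ path, ...result });
  }
  return findings;
}

// Constructed sample lockfile for demonstration (not a real project).
const SAMPLE_LOCKFILE = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/some-tool/node_modules/react-server-dom-turbopack': { version: '19.1.2' },
    'node_modules/react-server-dom-parcel': { version: '19.2.0-canary-0000000-20250101' },
  },
};

const findings = auditLockfile(SAMPLE_LOCKFILE);
for (const f of findings) {
  console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}` +
              (f.fixed ? `  -> upgrade to ${f.fixed}` : f.note ? `  (${f.note})` : ''));
}
```

Two caveats for real use: Next.js ships its own compiled copy of react-server-dom-webpack inside the `next` package rather than depending on it through the lockfile, so the `next` version must be checked separately against Vercel's patched releases; and a lockfile scan proves nothing about what is actually deployed, so the same check should be run against the `node_modules` tree of the built artifact or container image.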

Amazon reported observing attack attempts originating from Chinese hacking groups like Earth Lamia and Jackpot Panda within hours of the flaw's public disclosure. Other security firms, including Coalition, Fastly, GreyNoise, VulnCheck, and Wiz, have also reported exploitation efforts, indicating a widespread and opportunistic attack campaign.

Some of these attacks involve deploying cryptocurrency miners and executing PowerShell commands to confirm successful exploitation. According to Censys, an attack surface management platform, approximately 2.15 million internet-facing services may be affected, including exposed web services using React Server Components and frameworks like Next.js, Waku, React Router, and RedwoodSDK.

Palo Alto Networks Unit 42 confirmed over 30 affected organizations across various sectors, with one set of activity consistent with a Chinese hacking crew, UNC5174 (aka CL-STA-1015). The attacks involve the deployment of SNOWLIGHT and VShell, and the attempted theft of AWS configuration and credential files.

Lachlan Davidson, the security researcher who discovered and reported the flaw, has released multiple proof-of-concept (PoC) exploits, emphasizing the urgency for users to update their instances to the latest secure versions. Another working PoC has been published by a Taiwanese researcher, maple3142, on GitHub.

Federal Civilian Executive Branch (FCEB) agencies have until December 26, 2025, to apply the necessary updates to secure their networks, as per Binding Operational Directive (BOD) 22-01.

This critical vulnerability and its active exploitation highlight the importance of timely security updates and the need for organizations to stay vigilant against emerging threats.


Author: Greg Kuvalis