Critical React Server Components Vulnerability Tracked As React2Shell Actively Exploited

CISA has added a critical security flaw in React Server Components to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation in the wild. The vulnerability, CVE-2025-55182, also known as React2Shell, carries a CVSS score of 10.0 and allows unauthenticated remote code execution with no special setup or preconditions. According to CISA, the issue arises from a flaw in how React decodes payloads sent to React Server Function endpoints, letting an attacker execute arbitrary commands on the server by sending specially crafted HTTP requests. The root cause is insecure deserialization in the Flight protocol, the wire format React Server Components use for server-client communication: the server turns attacker-supplied request text back into live objects, and that conversion step is where the flaw lies.

Industry experts have emphasized the severity of the vulnerability. Martin Zugec, technical solutions director at Bitdefender, explained that the React2Shell flaw resides in the react-server package and specifically affects the parsing of object references during deserialization. The vulnerability has been addressed in versions 19.0.1, 19.1.2, and 19.2.1 of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack; earlier releases on each of those 19.x lines should be treated as vulnerable. Several frameworks built on React are also impacted, including Next.js, React Router, Waku, Parcel, Vite, and RedwoodSDK, so an upgrade of the framework itself may be required rather than only of the React packages. Following public disclosure, Amazon reported attempted attacks originating from infrastructure linked to the Chinese-affiliated groups Earth Lamia and Jackpot Panda, and other monitoring organizations, including Coalition, Fastly, GreyNoise, VulnCheck, and Wiz, observed exploitation attempts targeting this flaw.
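The fixed versions named above give a practitioner the first concrete check: whether any of the three react-server-dom-* packages is installed at a release below the fix for its 19.x line. The following is an added example, not code from the article or from the React project, that scans the "packages" map of a package-lock.json (lockfile v2/v3 layout) for those three packages and classifies each installed version against 19.0.1, 19.1.2 and 19.2.1. The sample lockfile is constructed for illustration. Two assumptions are built in: any 19.x release below the fix on its line is reported as vulnerable, and anything the article does not cover (other major lines, canary or other prerelease builds) is reported as "review" rather than guessed at. Frameworks listed as impacted, such as Next.js, may ship their own copy of these packages rather than a separate lockfile entry, so the framework's own patched release must be checked as well.

```javascript
// Added example, not code from the article or from the React project: scan a
// package-lock.json "packages" map (lockfile v2/v3 layout) for the three
// react-server-dom-* packages covered by CVE-2025-55182 and compare each
// installed version against the fixed release for its 19.x minor line.
// Assumption: a 19.x release below the fix on its line is vulnerable; anything
// else (other major lines, canary/prerelease builds) is reported as "review"
// because the article does not state its status.

const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// Fixed patch release for each affected 19.x minor line, as named in the article.
const FIXED_BY_MINOR = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; returns null for anything else.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(version);
  if (!m) return null;
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), pre: m[4] || null };
}

// Numeric comparison of the major.minor.patch core: -1, 0 or 1.
function compareCore(a, b) {
  for (const key of ["major", "minor", "patch"]) {
    if (a[key] !== b[key]) return a[key] < b[key] ? -1 : 1;
  }
  return 0;
}

// Classify one installed version as "fixed", "vulnerable" or "review".
function classify(version) {
  const v = parseVersion(version);
  if (!v || v.pre) return "review";          // unparsable or prerelease: check by hand
  const fixed = FIXED_BY_MINOR[`${v.major}.${v.minor}`];
  if (!fixed) return "review";               // not a line the advisory names
  return compareCore(v, parseVersion(fixed)) >= 0 ? "fixed" : "vulnerable";
}

// Walk the lockfile. Keys look like "node_modules/react-server-dom-webpack" or,
// for nested installs, "node_modules/next/node_modules/react-server-dom-webpack";
// the package name is whatever follows the last "node_modules/".
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!AFFECTED_PACKAGES.has(name) || !entry || !entry.version) continue;
    findings.push({ path, name, version: entry.version, status: classify(entry.version) });
  }
  return findings;
}

// True when at least one finding is vulnerable or needs manual review; usable
// as a CI gate where anything other than "fixed" should block a deploy.
function needsAttention(findings) {
  return findings.some((f) => f.status !== "fixed");
}

// Constructed sample lockfile (not a real project): one patched, two unpatched.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/react-server-dom-parcel": { version: "19.1.1" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.2.1" },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`);
}
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of the project's package-lock.json (for example via fs.readFileSync and JSON.parse) and treat a true result from needsAttention as a failed gate. Prerelease builds are deliberately not auto-classified: a canary tag does not say whether the fix commit is included, so those entries should be resolved by hand against the vendor's advisory.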

Some of the observed attacks have deployed cryptocurrency miners and run PowerShell commands to confirm that exploitation succeeded, followed by in-memory downloaders that fetch additional payloads from remote servers. Data from the attack surface management platform Censys indicates roughly 2.15 million internet-facing instances may be affected, including web services running React Server Components and frameworks such as Next.js and RedwoodSDK. The Shadowserver Foundation reported 28,964 vulnerable IP addresses as of December 7, 2025, concentrated in the U.S., Germany, and China, down from its previous scan on December 5.

Palo Alto Networks Unit 42 confirmed over 30 affected organizations across multiple sectors and noted activity consistent with a Chinese threat cluster tracked as UNC5174, which deployed malware families including SNOWLIGHT and VShell. Scanning, reconnaissance, theft of AWS credentials, and installation of downloaders were observed in these campaigns. Security researcher Lachlan Davidson, credited with reporting the flaw, has released proof-of-concept exploits, and another PoC has been published by a Taiwanese researcher known as maple3142; with public exploit code and confirmed in-the-wild use, patching should be treated as urgent regardless of whether an organization has yet seen scanning against its own hosts. Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch agencies are required to apply the necessary updates to secure their networks by December 26, 2025.
