An increasing number of threat actors have been attempting to exploit the critical vulnerability found recently in React, the popular open source library for creating application user interfaces.
The vulnerability, dubbed React2Shell and officially tracked as CVE-2025-55182, can be exploited using specially crafted HTTP requests for unauthenticated remote code execution. The flaw impacts systems that use React version 19, specifically instances that leverage React Server Components (RSC).
The existence of the vulnerability came to light on December 3, when patches were released by React maintainer Meta, which learned about the issue on November 29 from researcher Lachlan Davidson.
In addition to React itself, CVE-2025-55182 impacts other frameworks that rely on it, including Next.js, Waku, React Router, and RedwoodSDK.
React instances impacted by CVE-2025-55182
React is widely used. It powers millions of websites, it’s used by popular online services such as Airbnb and Netflix, and its core NPM package currently has 60 million weekly downloads.
However, as researcher Kevin Beaumont pointed out, React2Shell only affects React version 19, which was released within the past year, and only instances that use RSC, which also became available within the past year.
“This is a niche setup,” Beaumont said. “A vast majority of organizations won’t have this setup yet, let alone internet facing. The vulnerability was caught quickly after it was first introduced in the new feature by the maintainers, so orgs can fix it if they actually use it quickly too.”
The Shadowserver Foundation reported seeing more than 77,000 IPs hosting vulnerable React instances.
Censys said on Friday that it had observed over 250,000 instances of React, Waku, React Router, Next.js, and RedwoodSDK that could be vulnerable. Nearly 70,000 instances are in the United States, followed by China (30,000), Germany (25,000), and India (13,000).
Cloud security giant Wiz reported that 39% of the cloud environments it monitors include vulnerable React or Next.js versions.
Exploitation of React2Shell
Exploitation of React2Shell started almost immediately after disclosure. AWS reported that at least two known China-linked threat actors, Earth Lamia and Jackpot Panda, have been exploiting it in attacks since December 3.
While many of the proof-of-concept (PoC) exploits made public shortly after the vulnerability’s disclosure turned out to be fake or at least ineffective in real-world environments, working PoCs soon emerged, and exploitation now seems to have surged.
Palo Alto Networks told SecurityWeek that it had confirmed more than 30 affected organizations across various sectors as of Friday. Justin Moore, senior manager of threat intel research at the security firm’s Unit 42, said:
“We have observed scanning for vulnerable RCE, reconnaissance activity, attempted theft of AWS configuration and credential files, as well as installation of downloaders to retrieve payloads from attacker command and control infrastructure.
Unit 42 observed threat activity we assess with high confidence is consistent with CL-STA-1015 (aka UNC5174), a group suspected to be an initial access broker with ties to the Chinese Ministry of State Security. In this activity, we observed the deployment of Snowlight and Vshell malware, both highly consistent with Unit 42 knowledge of CL-STA-1015 (also known as UNC5174).”
Wiz also reported identifying “multiple victims” since December 5, mainly Next.js applications and Kubernetes containers. The company has seen attempts to steal AWS credentials, deploy Sliver, and deliver cryptocurrency miners.
Threat intelligence firm GreyNoise has observed exploitation attempts coming from more than 200 IP addresses over the past two days. While much of the activity represents automated scanning to find vulnerable instances, some attacks involve the deployment of downloaders and other malicious payloads that can lead to cryptominers and other malware.
Security firm Ellio has also seen React2Shell attacks, and only 2% of them were limited to reconnaissance. Roughly 65% of the attacks attempted to deliver Mirai malware, which is typically used to build botnets, as well as a cryptocurrency miner.
The cybersecurity agency CISA has confirmed exploitation and added CVE-2025-55182 to its Known Exploited Vulnerabilities (KEV) catalog, instructing federal agencies to address it in their environments by December 26.