The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday formally added a critical security flaw impacting React Server Components (RSC) to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation in the wild.
The vulnerability, CVE-2025-55182 (CVSS score: 10.0), relates to a case of remote code execution that could be triggered by an unauthenticated attacker without requiring any special setup. It’s also tracked as React2Shell.
“Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints,” CISA said in an advisory.
The problem stems from insecure deserialization in the library’s Flight protocol, which React uses to communicate between a server and client. As a result, it leads to a scenario where an unauthenticated, remote attacker can execute arbitrary commands on the server by sending specially crafted HTTP requests.
“The process of converting text into objects is widely considered one of the most dangerous classes of software vulnerabilities,” Martin Zugec, technical solutions director at Bitdefender, said. “The React2Shell vulnerability resides in the react-server package, specifically in how it parses object references during deserialization.”
The vulnerability has been addressed versions 19.0.1, 19.1.2, and 19.2.1 of the following libraries –
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Some of the downstream frameworks that depend on React are also impacted. This includes: Next.js, React Router, Waku, Parcel, Vite, and RedwoodSDK.
The development comes after Amazon reported that it observed attack attempts originating from infrastructure associated with Chinese hacking groups like Earth Lamia and Jackpot Panda within hours of public disclosure of the flaw. Coalition, Fastly, GreyNoise, VulnCheck, and Wiz have also reported seeing exploitation efforts targeting the flaw, indicating that multiple threat actors are engaging in opportunistic attacks.
 |
| Image Source: GreyNoise |
Some of the attacks have involved the deployment of cryptocurrency miners, as well as the execution of “cheap math” PowerShell commands to ascertain successful exploitation, followed by running commands to drop in-memory downloaders capable of retrieving an additional payload from a remote server.
According to data shared by attack surface management platform Censys, there are about 2.15 million instances of internet-facing services that may be affected by this vulnerability. This comprises exposed web services using React Server Components and exposed instances of frameworks such as Next.js, Waku, React Router, and RedwoodSDK.
In a statement shared with The Hacker News, Palo Alto Networks Unit 42 said it has confirmed over 30 affected organizations across numerous sectors, with one set of activity consistent with a Chinese hacking crew tracked as UNC5174 (aka CL-STA-1015). The attacks are characterized by the deployment of SNOWLIGHT and VShell.
“We have observed scanning for vulnerable RCE, reconnaissance activity, attempted theft of AWS configuration and credential files, as well as installation of downloaders to retrieve payloads from attacker command and control infrastructure,” Justin Moore, senior manager of threat intel research at Palo Alto Networks Unit 42, said.
Security researcher Lachlan Davidson, who is credited with discovering and reporting the flaw, has since released multiple proof-of-concept (PoC) exploits, making it imperative that users update their instances to the latest version as soon as possible. Another working PoC has been published by a Taiwanese researcher who goes by the GitHub handle maple3142.
Pursuant to Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies have until December 26, 2025, to apply the necessary updates to secure their networks.
