Headline
Critical React2Shell Vulnerability (CVE-2025-55182) Analysis: Surge in Attacks Targeting RSC-Enabled Services Worldwide
Torrance, United States / California, December 12th, 2025, CyberNewsWire In December 2025, CVE-2025-55182 (React2Shell), a vulnerability in React…
Torrance, United States / California, December 12th, 2025, CyberNewsWire
In December 2025, CVE-2025-55182 (React2Shell), a vulnerability in React Server Components (RSC) that enables remote code execution (RCE), was publicly disclosed. Shortly after publication, multiple security vendors reported scanning activity and suspected exploitation attempts, and CISA has since added the flaw to its Known Exploited Vulnerabilities (KEV) catalog.
React2Shell is not tied to a specific framework; rather, it stems from a structural weakness in the RSC feature that affects the broader React ecosystem. This article examines the technical foundation of React2Shell, the exposure landscape of services using RSC, observed attacker activity, and the defensive strategies organizations should adopt.
****React2Shell Vulnerability Overview: A Structural Flaw Allowing RCE Without Authentication****
CVE-2025-55182 is caused by a validation flaw in the deserialization process of the Flight protocol, which React Server Components use to exchange state between the server and client. An attacker can achieve RCE simply by sending a crafted payload to the Server Functions endpoint without authentication, and because a PoC is already publicly available, the vulnerability is highly susceptible to automated attacks.
The impact extends to all services that use RSC, and because frameworks such as Next.js, React Router RSC, Waku, Vite RSC Plugin, Parcel RSC Plugin, and RedwoodJS share the same underlying structure, the broader React ecosystem is collectively exposed.
The official patch is available in react-server-dom-* packages version 19.0.1 / 19.1.2 / 19.2.1 or later, and the vulnerability is rated CVSS 10.0, indicating critical severity.
****Exposure Analysis of React2Shell-Affected Assets Using Criminal IP****
React2Shell is difficult to detect using traditional product banners or HTML content alone. React-based services are designed so that RSC components are not externally exposed, and frameworks like Next.js, which vendor React modules internally, make it even harder to identify the underlying technology stack. As a result, simple banner-based detection methods cannot reliably determine whether RSC is enabled or whether a service is exposed to this vulnerability.
In real-world environments, the most reliable detection method is to identify systems based on their HTTP response headers, and servers with RSC enabled consistently exhibit the following values.
Criminal IP Search Query: “Vary: RSC, Next-Router-State-Tree”
Users can detect RSC-enabled servers in the United States using Criminal IP by applying queries based on these header patterns.
Criminal IP Search Query: “Vary: RSC, Next-Router-State-Tree” country: “US”
According to the Criminal IP Asset Search results, the query “Vary: RSC, Next-Router-State-Tree” country: “US” identified a total of 109,487 RSC-enabled assets. This header pattern indicates that RSC is active on these servers. While it does not mean that all of them are vulnerable, it is a critical indicator of the large-scale exposure surface that exists.
When examining the analysis results for a specific asset in Criminal IP, the server was found to have ports 80 and 443 exposed externally, and its response headers, SSL certificate details, vulnerability list, and Exploit DB associations could all be reviewed in a single unified page. In this asset, indicators relevant to React2Shell were identified alongside other critical vulnerabilities, including CVE-2023-44487 (HTTP/2 Rapid Reset), which has been widely abused in large-scale DDoS attacks.
This demonstrates how Criminal IP Asset Search provides multiple analysis layers that help assess whether an environment is realistically exploitable by attackers.
****Security Mitigation Strategies****
1. Immediate Update of React-Related Packages
Organizations should immediately update all React-related packages to their latest patched releases. The react-server-dom-webpack package must be upgraded to version 19.0.1, 19.1.2, or 19.2.1, while react-server-dom-parcel and react-server-dom-turbopack should be updated to version 19.0.1 or later to ensure they are protected from the vulnerability.
2. Verify Patch Availability for Each Framework
React RSC is used across multiple frameworks, including Next.js, Vite, Parcel, and RedwoodJS. Notably, Next.js vendors RSC internally, meaning that updating React packages alone may not automatically apply the fix. Therefore, it is essential to review each framework’s official security advisories or release notes and upgrade to the version in which the vulnerability has been addressed.
3. Minimize External Exposure of RSC Endpoints
Whenever possible, restrict access using a reverse proxy, WAF or authentication gateway.
4. Leverage Criminal IP for Monitoring
- Monitor exposure of RSC-related header
- Automatically block malicious scanning IPs
- Detect scanning attempts based on TLS fingerprints
- Check for vulnerability presence and associated Exploit DB entries
****The Analysis’s** **Conclusion****
React2Shell (CVE-2025-55182) is a critical vulnerability affecting the most widely used React-based services across the web ecosystem. With low exploitation complexity and publicly available PoCs, active attacks are spreading rapidly.
According to Criminal IP analysis, approximately 110,000 RSC-enabled services in the United States are exposed, underscoring the substantial risk of widespread exploitation. In addition to applying patches, identifying exposed RSC services and conducting real-time monitoring are essential components of an effective React2Shell response strategy. Criminal IP provides one of the most effective tools for accurately mapping this attack surface and strengthening defensive measures.
In relation to this, users can refer to Next.js Middleware Vulnerability Allows Authentication Bypass: Over 520K Assets at Risk.
****About Criminal IP****
Criminal IP is the flagship cyber threat intelligence platform developed by AI SPERA. The platform is used in more than 150 countries and provides comprehensive threat visibility through enterprise security solutions such as Criminal IP ASM and Criminal IP FDS.
Criminal IP continues to strengthen its global ecosystem through strategic partnerships with Cisco, VirusTotal and Quad9. The platform’s threat data is also available through major US data warehouse marketplaces, including Amazon Web Services (AWS), Microsoft Azure and Snowflake. This expansion improves global access to high-quality threat intelligence from Criminal IP.
****Contact****
Michael Sena
AI SPERA
[email protected]
Related news
Cybersecurity researchers have disclosed details of a persistent nine-month-long campaign that has targeted Internet of Things (IoT) devices and web applications to enroll them into a botnet known as RondoDox. As of December 2025, the activity has been observed leveraging the recently disclosed React2Shell (CVE-2025-55182, CVSS score: 10.0) flaw as an initial access vector, CloudSEK said in an
This week’s ThreatsDay Bulletin tracks how attackers keep reshaping old tools and finding new angles in familiar systems. Small changes in tactics are stacking up fast, and each one hints at where the next big breach could come from. From shifting infrastructures to clever social hooks, the week’s activity shows just how fluid the threat landscape has become. Here’s the full rundown of what
A GitHub repository posing as a vulnerability scanner for CVE-2025-55182, also referred to as “React2Shell,” was exposed as…
If you use a smartphone, browse the web, or unzip files on your computer, you are in the crosshairs this week. Hackers are currently exploiting critical flaws in the daily software we all rely on—and in some cases, they started attacking before a fix was even ready. Below, we list the urgent updates you need to install right now to stop these active threats. ⚡ Threat of the Week Apple and
The React team has released fixes for two new types of flaws in React Server Components (RSC) that, if successfully exploited, could result in denial-of-service (DoS) or source code exposure. The team said the issues were found by the security community while attempting to exploit the patches released for CVE-2025-55182 (CVSS score: 10.0), a critical bug in RSC that has since been weaponized in
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged federal agencies to patch the recent React2Shell vulnerability by December 12, 2025, amid reports of widespread exploitation. The critical vulnerability, tracked as CVE-2025-55182 (CVSS score: 10.0), affects the React Server Components (RSC) Flight protocol. The underlying cause of the issue is an unsafe deserialization
React2Shell continues to witness heavy exploitation, with threat actors leveraging the maximum-severity security flaw in React Server Components (RSC) to deliver cryptocurrency miners and an array of previously undocumented malware families, according to new findings from Huntress. This includes a Linux backdoor called PeerBlight, a reverse proxy tunnel named CowTunnel, and a Go-based
Sysdig discovered North Korea-linked EtherRAT, a stealthy new backdoor using Ethereum smart contracts for C2 after exploiting the critical React2Shell vulnerability (CVE-2025-55182).
It’s been a week of chaos in code and calm in headlines. A bug that broke the internet’s favorite framework, hackers chasing AI tools, fake apps stealing cash, and record-breaking cyberattacks — all within days. If you blink, you’ll miss how fast the threat map is changing. New flaws are being found, published, and exploited in hours instead of weeks. AI-powered tools meant to help developers
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday formally added a critical security flaw impacting React Server Components (RSC) to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation in the wild. The vulnerability, CVE-2025-55182 (CVSS score: 10.0), relates to a case of remote code execution that could be triggered by an
Two hacking groups with ties to China have been observed weaponizing the newly disclosed security flaw in React Server Components (RSC) within hours of it becoming public knowledge. The vulnerability in question is CVE-2025-55182 (CVSS score: 10.0), aka React2Shell, which allows unauthenticated remote code execution. It has been addressed in React versions 19.0.1, 19.1.2, and 19.2.1. According
### Impact There is an unauthenticated remote code execution vulnerability in React Server Components. We recommend upgrading immediately. The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of: * [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack) * [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel) * [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme) ### Patches A fix was introduced in versions [19.0.1](https://github.com/facebook/react/releases/tag/v19.0.1), [19.1.2](https://github.com/facebook/react/releases/tag/v19.1.2), and [19.2.1](https://github.com/facebook/react/releases/tag/v19.2.1). If you are using any of the above packages please upgrade to any of the fixed versions immediately. If your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler pl...
Red Hat Security Advisory 2024-0837-03 - Red Hat OpenShift Container Platform release 4.14.13 is now available with updates to packages and images that fix several bugs and add enhancements.
Red Hat Security Advisory 2023-7610-03 - Red Hat OpenShift Container Platform release 4.12.45 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-7522-01 - Red Hat OpenShift Virtualization release 4.13.6 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-6105-01 - An update is now available for Red Hat JBoss Core Services. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5967-01 - An update for collectd-libpod-stats and etcd is now available for Red Hat OpenStack Platform 16.1.9. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5930-01 - An update for varnish is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5810-01 - Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.
Red Hat Security Advisory 2023-5707-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET 6.0 to SDK 6.0.123 and Runtime 6.0.23. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5769-01 - nghttp2 contains the Hypertext Transfer Protocol version 2 client, server, and proxy programs as well as a library implementing the HTTP/2 protocol in C. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5709-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET 7.0 to SDK 7.0.112 and Runtime 7.0.12. Issues addressed include a denial of service vulnerability.