The US Cybersecurity and Infrastructure Security Agency (CISA) on Friday formally added a critical security flaw affecting React Server Components (RSC) to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation in the wild.
The vulnerability, CVE-2025-55182 (CVSS score: 10.0), is a remote code execution flaw that can be triggered by an unauthenticated attacker without any special setup. It has also been codenamed React2Shell.
“Meta React Server components contain a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in the way payloads sent to React Server function endpoints are decoded,” CISA said in an advisory.
The problem stems from insecure deserialization in the library's Flight protocol, the serialization format React Server Components use to pass data between the server and the client. As a result, a remote, unauthenticated attacker who sends specially crafted HTTP requests to a React Server Function endpoint can execute arbitrary commands on the server.
“The process of converting text to objects is widely considered one of the most dangerous classes of software vulnerabilities,” said Martin Zugek, Bitdefender’s director of technical solutions. “The React2Shell vulnerability resides in the react-server package, specifically how it parses object references during deserialization.”
The vulnerability is addressed in versions 19.0.1, 19.1.2, and 19.2.1 of the following libraries:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Some downstream frameworks that rely on these packages are also affected. These include Next.js, React Router, Waku, Parcel, Vite, and RedwoodSDK.
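The fixed versions above are per minor line, so "is my install patched?" is a question about which 19.x line each copy of the package sits on, and nested copies pulled in by a framework can hide in a lockfile. The following is an added example (not code from the article, from CISA, or from the React project) that scans a `package-lock.json` "packages" map for the three libraries named above and classifies each copy. Versions with prerelease tags (canary/experimental builds) and versions on lines the advisory does not list are reported as "review" rather than guessed. The lockfile fragment at the bottom is constructed for the demonstration.

```javascript
// Added example: lockfile scan for react-server-dom-* versions below the
// CVE-2025-55182 fixes (19.0.1, 19.1.2, 19.2.1). Not from the article or React.

// Fixed releases per affected package, as listed in the advisory.
const FIXED = {
  "react-server-dom-webpack": ["19.0.1", "19.1.2", "19.2.1"],
  "react-server-dom-parcel": ["19.0.1", "19.1.2", "19.2.1"],
  "react-server-dom-turbopack": ["19.0.1", "19.1.2", "19.2.1"],
};

// Parse "MAJOR.MINOR.PATCH[-PRERELEASE]"; returns null for anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ?? null };
}

// Classify one package@version as "vulnerable", "patched", "review",
// or "n/a" (the package is not one of the three affected libraries).
function classify(name, version) {
  const fixes = FIXED[name];
  if (!fixes) return "n/a";
  const v = parseVersion(version);
  // Canary/experimental builds use their own numbering; do not guess.
  if (!v || v.pre) return "review";
  const fix = fixes
    .map(parseVersion)
    .find((f) => f.major === v.major && f.minor === v.minor);
  // No fixed release listed for this major.minor line: flag for review.
  if (!fix) return "review";
  return v.patch >= fix.patch ? "patched" : "vulnerable";
}

// Walk a lockfileVersion 2/3 "packages" map. Keys look like
// "node_modules/react-server-dom-webpack" for top-level copies and
// "node_modules/next/node_modules/react-server-dom-webpack" for nested ones,
// so the package name is whatever follows the last "node_modules/".
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1 || !entry || !entry.version) continue;
    const name = path.slice(idx + "node_modules/".length);
    const status = classify(name, entry.version);
    if (status !== "n/a") findings.push({ path, name, version: entry.version, status });
  }
  return findings;
}

// Constructed sample lockfile fragment (not a real project): two vulnerable
// copies, one patched nested copy, and one canary build that needs review.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.1.2" },
    "node_modules/react-server-dom-parcel": { version: "19.0.0" },
    "node_modules/some-tool/node_modules/react-server-dom-webpack": {
      version: "19.2.1-canary-0123abcd-20251201",
    },
  },
};

// Stand-alone run: print one line per finding.
for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the "review" bucket is deliberate, because treating an unlisted line or a canary tag as safe is exactly the mistake a version check should not make.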
The development comes after Amazon reported that it observed attack attempts from infrastructure linked to Chinese hacking groups such as Earth Lamia and Jackpot Panda within hours of the public disclosure of the flaw. Fastly, GreyNoise, VulnCheck, and Wiz, among others, have also reported seeing exploitation attempts targeting the flaw, indicating that many threat actors are engaging in opportunistic attacks.
Image source: GreyNoise
Some attacks involve the deployment of cryptocurrency miners, as well as the execution of "cheap math" PowerShell commands to confirm successful exploitation, followed by commands that drop in-memory downloaders capable of fetching additional payloads from remote servers.
According to data shared by attack surface management platform Censys, there are approximately 2.15 million Internet-facing services that may be affected by this vulnerability. This includes exposed web services using React Server Components and exposed instances of frameworks such as Next.js, Waku, React Router, and RedwoodSDK.
In a statement shared with The Hacker News, Palo Alto Networks Unit 42 said it has confirmed more than 30 affected organizations across multiple sectors, including a set of activity consistent with a Chinese hacking crew tracked as UNC5174 (aka CL-STA-1015). The attacks are characterized by the deployment of SNOWLIGHT and VShell.
“We have seen scanning for vulnerable RCEs, reconnaissance activity, attempted theft of AWS configuration and credential files, as well as installation of downloaders to recover payloads from attacker command and control infrastructure,” said Justin Moore, senior manager of Threat Intel Research at Palo Alto Networks Unit 42.
Security researcher Lachlan Davidson, who is credited with discovering and reporting the flaw, has since released several proof-of-concept (PoC) exploits, making it imperative that users update their instances to the patched versions as soon as possible. Another working PoC has been published by a Taiwanese researcher using the GitHub handle maple3142.
According to Binding Operational Directive (BOD) 22-01, federal civilian executive branch (FCEB) agencies have until December 26, 2025, to implement the necessary updates to secure their networks.