The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday officially added a critical security flaw affecting React Server Components (RSC) to its Known Exploited Vulnerabilities (KEV) catalog following reports of it being exploited in the wild.
The vulnerability, tracked as CVE-2025-55182 (CVSS score: 10.0) and also known as React2Shell, allows remote code execution by an unauthenticated attacker with no special configuration required.
“A remote code execution vulnerability exists in Meta React Server Components that could allow unauthenticated remote code execution by exploiting a flaw in the way React decodes payloads sent to React Server Function endpoints,” CISA said in the advisory.
The issue stems from unsafe deserialization in the React Flight protocol, the wire format React uses to pass data between server and client. As a result, an unauthenticated, remote attacker can execute arbitrary commands on the server by sending a specially crafted HTTP request to a React Server Function endpoint.
“The process of converting text into objects is widely considered to be one of the most dangerous software vulnerabilities,” said Martin Zugec, Director of Technical Solutions at Bitdefender. “The React2Shell vulnerability exists in the react-server package, specifically in the way it parses object references during deserialization.”
This vulnerability is addressed in versions 19.0.1, 19.1.2, and 19.2.1 of the following libraries:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Downstream frameworks that build on React Server Components are also affected, including Next.js, React Router, Waku, Parcel, Vite, and RedwoodSDK.
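Because the fix lives in the react-server-dom-* packages listed above rather than in a framework's own code, a quick inventory check is to audit the lockfile for every copy of those packages, nested ones included, and compare each version against the fixed releases 19.0.1, 19.1.2 and 19.2.1. The following Node.js script is an added example written for this page, not code from the article or the React project; the lockfile it audits is constructed for illustration, and it assumes the npm lockfile v2/v3 layout (a `packages` map keyed by `node_modules/...` paths) and that any 19.x minor line later than 19.2 carries the fix.

```javascript
// Packages named in the advisory and, for each affected 19.x minor line,
// the first patch level that contains the fix (19.0.1, 19.1.2, 19.2.1).
const AFFECTED_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];
const FIXED_PATCH = { 0: 1, 1: 2, 2: 1 }; // minor -> first patched patch level

// Parse "MAJOR.MINOR.PATCH" with an optional pre-release suffix ("-canary-...").
function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(version);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Classify one installed version of an affected package:
//   "vulnerable" - a 19.x release below the fixed patch level for its minor line
//   "patched"    - at or above the fixed patch level, or a later minor line
//                  (assumed here to include the fix)
//   "unknown"    - pre-release/canary builds and versions outside the 19.x
//                  lines the advisory lists; check the advisory by hand
function classifyVersion(version) {
  const v = parseSemver(version);
  if (!v || v.pre !== null || v.major !== 19) return "unknown";
  if (!(v.minor in FIXED_PATCH)) return v.minor > 2 ? "patched" : "unknown";
  return v.patch >= FIXED_PATCH[v.minor] ? "patched" : "vulnerable";
}

// Walk the lockfile "packages" map and report every copy of an affected
// package. Nested copies (e.g. under node_modules/next/node_modules/...) are
// the ones a top-level `npm ls` glance tends to miss.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!AFFECTED_PACKAGES.includes(name) || !entry.version) continue;
    findings.push({ path, name, version: entry.version, status: classifyVersion(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile (not a real project): one vulnerable copy
// nested under a framework package, one patched top-level copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/next": { version: "15.0.0" },
    "node_modules/next/node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.1" },
    "node_modules/react": { version: "19.2.1" },
  },
};

// Run directly: `node audit.js [path/to/package-lock.json]`; with no path
// the constructed sample above is audited. The typeof guard keeps the file
// loadable from an ES module context as well.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  for (const f of auditLockfile(lock)) {
    console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`);
  }
}
```

On the sample, the nested `react-server-dom-webpack@19.1.1` under `next` is reported as vulnerable while the top-level `react-server-dom-turbopack@19.2.1` is patched; a lockfile with any "vulnerable" finding needs the nested dependency bumped (typically by upgrading the framework that pins it), not just the top-level React packages.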

The development comes after Amazon reported that, within hours of the flaw's disclosure, it had observed attack attempts from infrastructure associated with Chinese hacking groups such as Earth Lamia and Jackpot Panda. Coalition, Fastly, GreyNoise, VulnCheck, and Wiz also reported seeing exploitation attempts against the flaw, indicating opportunistic attacks by multiple threat actors.
[Image omitted. Image source: GreyNoise]
Observed post-exploitation activity includes deploying a cryptocurrency miner and running a "cheap math" PowerShell command to confirm successful exploitation, followed by a command that drops an in-memory downloader capable of retrieving additional payloads from a remote server.
According to data shared by attack surface management platform Censys, approximately 2.15 million internet-facing services could be affected by the vulnerability. The figure covers public web services using React Server Components as well as public instances of frameworks such as Next.js, Waku, React Router, and RedwoodSDK.
In a statement shared with The Hacker News, Palo Alto Networks Unit 42 said it has confirmed that more than 30 organizations across a variety of sectors have been affected, and that the chain of activity is consistent with a Chinese hacking group tracked as UNC5174 (also known as CL-STA-1015). The intrusions involved the deployment of SNOWLIGHT and VShell.
“We observed scanning for vulnerable RCEs, reconnaissance operations, attempted theft of AWS configuration and credential files, and installation of downloaders that retrieve payloads from the attacker’s command and control infrastructure,” said Justin Moore, senior manager of threat intelligence research at Palo Alto Networks Unit 42.
Security researcher Lachlan Davidson, who is credited with discovering and reporting the flaw, has since released multiple proof-of-concept (PoC) exploits, making it imperative that users update to a patched version as soon as possible. Another working PoC was published by a Taiwanese researcher who goes by the GitHub handle maple3142.
According to Binding Operating Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must apply the necessary updates to secure their networks by December 26, 2025.
