CISA Adds Critical React2Shell RCE Vulnerability to KEV List

Critical React2Shell RCE Vulnerability CVE-2025-55182 Exploits React Server Components, Affecting Millions of Services and Popular Frameworks, with Active Chinese Hacking Group Attacks

  • A critical remote code execution vulnerability, CVE-2025-55182, impacts React Server Components, allowing unauthenticated attackers to execute arbitrary commands.
  • The flaw, known as React2Shell, is due to insecure deserialization in React’s Flight protocol used for server-client communication.
  • Multiple software libraries and frameworks including Next.js, React Router, Waku, Parcel, Vite, and RedwoodSDK are affected.
  • Attackers linked to Chinese hacking groups have been observed exploiting this vulnerability to deploy cryptocurrency miners and other payloads.
  • Over 2 million internet-facing services may be vulnerable, prompting urgent updates by users and, for federal agencies, a patching deadline of December 26, 2025.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a severe remote code execution vulnerability, CVE-2025-55182, to its Known Exploited Vulnerabilities catalog on December 5, 2025. This flaw affects React Server Components (RSC) and permits unauthenticated attackers to execute arbitrary commands by exploiting a payload decoding weakness in React Server Function endpoints. The vulnerability carries a maximum CVSS score of 10.0 and is also referred to as React2Shell.

The root cause is insecure deserialization in the Flight protocol, the mechanism React employs for communication between servers and clients. An attacker can trigger this vulnerability by sending specially crafted HTTP requests without authentication. This issue is present in versions of the react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack libraries prior to versions 19.0.1, 19.1.2, and 19.2.1 respectively. Several dependent frameworks, including Next.js, React Router, Waku, Parcel, Vite, and RedwoodSDK, are also affected.

Reports from Amazon indicate that attacks originating from infrastructure associated with Chinese hacking groups such as Earth Lamia and Jackpot Panda began within hours after the vulnerability was publicly disclosed. Multiple cybersecurity organizations, including Coalition, Fastly, GreyNoise, VulnCheck, and Wiz, have detected active exploitation attempts. The attacks often involve deploying cryptocurrency miners and executing PowerShell commands to confirm successful exploitation, followed by downloading additional malicious payloads.

Data from the attack surface management platform Censys identifies about 2.15 million internet-facing services as potentially vulnerable. These include exposed web services running React Server Components and the associated vulnerable frameworks. The Palo Alto Networks Unit 42 team confirmed that over 30 organizations across various industries have been targeted. One attacker group matched the profile of the Chinese-linked UNC5174, which used tools such as SNOWLIGHT and VShell during its operations.

Security researcher Lachlan Davidson, credited with discovering the vulnerability, has shared multiple proof-of-concept exploits publicly. Another verified proof-of-concept was published by the researcher maple3142 on GitHub. Federal Civilian Executive Branch agencies are required to apply patches before December 26, 2025, under Binding Operational Directive 22-01 to mitigate risks associated with this vulnerability.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.