A maximum-severity flaw in the widely used JavaScript library React, as well as several React-based frameworks, including Next.js, allows unauthenticated remote attackers to execute malicious code on vulnerable instances. The vulnerability, tracked as CVE-2025-55182, also known as React2Shell, has been assigned a maximum CVSS severity rating of 10.0, with an estimated 39% of cloud environments affected.
Within hours of disclosure, multiple threat actors, including state-sponsored groups, were observed exploiting the flaw, with researchers confirming that over 30 organizations across multiple sectors have already been compromised.
What’s Notable and Unique
- This vulnerability originates from insecure deserialization, where attacker-controlled inputs are processed without adequate validation. Since the flaw is unauthenticated, exploitation becomes significantly easier for threat actors. During deserialization, object properties are implicitly expanded, enabling prototype pollution that can alter application behavior and, when aligned with specific React Server Components execution paths, escalate to remote code execution (RCE).
- Active exploitation of the React2Shell (CVE-2025-55182) vulnerability has already been observed from China state-nexus groups Earth Lamia and Jackpot Panda, as well as suspected North Korean actors who are attacking unpatched React Server Components using automated scans and PoC exploits.
- Subsequent activity includes EtherRAT and EtherHiding-based payload delivery linked to Democratic People’s Republic of Korea (DPRK) actor UNC5342, BPFDoor attributed to Red Menshen, the newly identified Auto-color PAM backdoor, and Cobalt Strike, demonstrating the broad use of React2Shell as an initial access vector.
- The issue affects versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of the react-server-dom-parcel, react-server-dom-webpack, and react-server-dom-turbopack packages, which are embedded in frameworks such as Next.js (≥14.3.0-canary.77, ≥15, ≥16) and other tools including Vite, Parcel, React Router, RedwoodSDK, and Waku.
Analyst Comments
Organizations should prioritize immediate patching to address the React2Shell (CVE-2025-55182) vulnerability and ensure all internet-facing applications are updated to the vendor-recommended versions. In the interim, it is advisable to restrict access to Server Function/Flight endpoints and monitor for any unusual Node.js activity or anomalous React Server Components request patterns due to confirmed exploitation attempts.
At Arete, we are actively monitoring all endpoints for suspicious activity related to this vulnerability and will take prompt action to contain and mitigate any threats. Our security monitoring and response capabilities are fully maintained to ensure timely detection and protection against emerging risks.
Sources
- Exploitation of Critical Vulnerability in React Server Components (Updated December 12)
Clock Icon 16 min read - China-nexus cyber threat groups rapidly exploit React2Shell vulnerability (CVE-2025-55182)
- ‘Exploitation is imminent’ as 39 percent of cloud environs have max-severity React hole
- Responding to CVE-2025-55182: Secure your React and Next.js workloads
- Protect against React RSC CVE-2025-55182 with Azure Web Application Firewall (WAF)
Related Resources
![]()
Ransomware Trends & Data Insights: November 2025
Get the latest Ransomware Trends Data Insights November 2025. November saw the dominance of Akira and Qilin, the rise of 18 unique groups, and AI-augmented attacks.
Read more![]()
Operation Endgame: Season 3
Operation Endgame Season 3 takedown disrupts Rhadamanthys, VenomRAT, and Elysium, seizing servers, domains, and millions of stolen credentials.
Read more![]()
Google Exposes AI-Powered Malware
Google has reported the first observed cases of AI-augmented malware used in real-world attacks, marking a new stage in adversarial AI.
Read more
