
Massive Security Breach: React2Shell Vulnerability Exposes 77k IP Addresses and Compromises 30 Organizations

React2Shell Vulnerability Exposes Over 77,000 IP Addresses to Attacks

Following the recent disclosure of the critical React2Shell remote code execution flaw (CVE-2025-55182), more than 77,000 Internet-exposed IP addresses remain at risk, and more than 30 organizations across various sectors have already been compromised. React2Shell is an unauthenticated vulnerability affecting frameworks such as Next.js; it allows attackers to execute arbitrary commands through unsafe deserialization of client-controlled data within React Server Components.

To address this issue, developers are urged to update React to the latest version, rebuild their applications, and redeploy them to eliminate the vulnerability. Security researcher Maple3142 demonstrated a working proof-of-concept on December 4, prompting a surge in scanning activity as both attackers and researchers used automated tools to find and exploit the flaw.

Geographic Distribution of Vulnerable IP Addresses

Shadowserver reports that 77,664 IP addresses, including 23,700 in the United States, are vulnerable to the React2Shell flaw. Detection methods developed by Searchlight Cyber/Assetnote and GreyNoise have identified vulnerable devices through HTTP requests and automated scans originating from various countries.

Palo Alto Networks has confirmed that more than 30 organizations have already fallen victim to attacks exploiting the React2Shell vulnerability. These compromises, some linked to Chinese threat actors, involve running commands, reconnaissance activities, and attempts to steal AWS configuration files.

Widespread Exploitation of React2Shell

Following the disclosure of CVE-2025-55182, researchers have observed widespread exploitation of the vulnerability. Attackers often begin with simple PowerShell commands to confirm that a target is vulnerable before executing base64-encoded scripts for further exploitation.

Various threat intelligence companies, including Amazon AWS, have detected rapid exploitation of the flaw, with threat actors deploying malware like Cobalt Strike beacons and conducting reconnaissance on vulnerable servers. Some of these activities have been attributed to Chinese state-sponsored threat actors.


The rush to patch the React flaw has seen companies worldwide roll out updates and mitigations. Cloudflare, for instance, released emergency detections and mitigations in its Web Application Firewall, although the rollout caused temporary outages on some websites. CISA has added CVE-2025-55182 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply patches promptly.

Organizations using React Server Components are advised to update their systems immediately, rebuild applications, and monitor for any signs of suspicious activity or command execution.
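One concrete way to act on the monitoring advice above, given that the article describes attackers confirming exploitation with PowerShell commands and then running base64-encoded scripts: watch for shells spawned by the Node.js process that serves the React/Next.js application. The script below is an added example written for this page, not code from the article or from any vendor it mentions; the process-creation log format, the `SAMPLE_EVENTS` lines and the `analyzeEvents` helper are all constructed assumptions. It parses each event, keeps only child shells whose parent is `node`, and decodes any `-enc`/`-EncodedCommand` payload (UTF-16LE base64, as PowerShell expects) so an analyst can see the actual command rather than an opaque blob.

```javascript
// Added example (not from the article): flag shells spawned by the Node.js
// server process and decode base64-encoded PowerShell payloads for review.
// The log line format and every sample event below are constructed.

// Constructed sample process-creation events.
const SAMPLE_EVENTS = [
  // "whoami" encoded as UTF-16LE base64, the kind of vulnerability check the article describes
  'ts=2025-12-05T10:14:02Z parent=node child=powershell.exe cmd="powershell -enc dwBoAG8AYQBtAGkA"',
  'ts=2025-12-05T10:14:05Z parent=node child=cmd.exe cmd="cmd /c whoami"',
  // Benign: an interactive user running a script, not the web server
  'ts=2025-12-05T10:15:00Z parent=explorer.exe child=powershell.exe cmd="powershell -File backup.ps1"',
  // Benign: the server starting a worker, not a shell
  'ts=2025-12-05T10:16:11Z parent=node child=node cmd="node worker.js"',
];

// Shell binaries whose appearance under a web server process is worth a look.
const SHELLS = new Set(['powershell.exe', 'pwsh.exe', 'cmd.exe', 'sh', 'bash']);

// Parse one event line into its fields; cmd is quoted because it contains spaces.
// Returns null for lines that do not match the assumed format.
function parseEvent(line) {
  const m = line.match(/^ts=(\S+)\s+parent=(\S+)\s+child=(\S+)\s+cmd="([^"]*)"$/);
  if (!m) return null;
  return { ts: m[1], parent: m[2], child: m[3], cmd: m[4] };
}

// Extract a PowerShell -e/-ec/-enc/-EncodedCommand argument and decode it.
// PowerShell encodes the script as UTF-16LE before base64, so decode the same way.
// Returns null when the command line carries no encoded payload.
function decodeEncodedCommand(cmd) {
  const m = cmd.match(/-e(?:c|nc|ncoded(?:command)?)?\s+([A-Za-z0-9+/=]+)/i);
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf16le');
  return decoded.length > 0 ? decoded : null;
}

// Walk the events and return one finding per shell spawned by the server process.
// Encoded payloads are rated higher because they are a deliberate obfuscation step.
function analyzeEvents(lines) {
  const findings = [];
  for (const line of lines) {
    const ev = parseEvent(line);
    if (!ev || ev.parent !== 'node' || !SHELLS.has(ev.child)) continue;
    const decoded = decodeEncodedCommand(ev.cmd);
    findings.push({
      ts: ev.ts,
      child: ev.child,
      severity: decoded !== null ? 'high' : 'medium',
      command: decoded !== null ? decoded : ev.cmd,
    });
  }
  return findings;
}

for (const f of analyzeEvents(SAMPLE_EVENTS)) {
  console.log(`${f.ts} [${f.severity}] ${f.child} <- node: ${f.command}`);
}
```

Run with `node` against your own process-creation telemetry after adapting `parseEvent` to its format; on a host that runs the app under a different service account or binary name, change the `parent` check accordingly, and treat any hit as a reason to confirm the React version and rebuild.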
