Features 18.12.2025

AI Autopsy: React2Shell Scores a Perfect 10

The ghost of Christmas past, Log4Shell, looms over a critical new vulnerability

Security teams are scrambling to find and fix a critical open source flaw. Kate O’Flaherty asks the experts where they should start

Every now and then, a vulnerability surfaces that resonates for many months afterwards, usually because it’s extremely simple to exploit and fiendishly difficult to patch. React2Shell, a flaw in the React Server Components (RSC) Flight protocol, is a prime example.

Handed a CVSS score of 10, React2Shell was patched in early December, but within hours, it emerged that multiple China-linked adversaries were exploiting the vulnerability in live attacks. Since then, it has also been picked up by other nation-state groups.

What is React2Shell?

Officially tracked as CVE-2025-55182, React2Shell allows threat actors to compromise servers with a single malicious request in React and Next.js applications. It was reported by security researcher Lachlan Davidson after he discovered that an attacker could achieve remote code execution (RCE) by sending a specially crafted HTTP request to React Server Function endpoints.

This matters because of the popularity of React and Next.js. React is an open-source JavaScript library maintained by Meta that enables developers to build user interfaces more seamlessly. Next.js is a React framework maintained by Vercel that includes features such as server-side rendering, routing, and API endpoints. Both are widely used in cloud environments across front-end applications and help scale and deploy architectures more quickly and easily.

Censys said on December 5 that it had observed more than two million instances of React, Waku, React Router, Next.js, and RedwoodSDK that could be vulnerable. Around 39% of cloud environments contain vulnerable React or Next.js instances, according to researchers at Wiz.io.

Silent but deadly

React2Shell stems from unsafe deserialisation in React’s server-side protocol. “When this process is manipulated, an attacker can run arbitrary code using a carefully crafted payload,” Recorded Future field CISO Richard LaTulip tells Assured Intelligence.


This allows attackers to install malware, steal data, or use the compromised system as “a stepping stone for larger attacks”, he says. Because the exploit doesn’t require authentication and targets customer-facing parts of popular frameworks such as Next.js, vulnerable systems can be “silently compromised”, LaTulip warns.

Given how easy exploitation is – via a single HTTP request – and how widespread React and Next.js are, attackers can run “large-scale automated scanning and exploitation across the internet”, Toro Solutions director of cybersecurity, Katie Barnett, tells Assured Intelligence. “This could lead to thousands or even millions of compromised servers being used for cryptominers, botnets or distributed denial of service (DDoS),” she suggests.

Because many frameworks and bundlers embed the vulnerable React server implementation, even organisations that don’t directly depend on React server-side code may still be exposed, Barnett warns.

Adversaries quick to react

Threat actors wasted no time exploiting the flaw. Since its disclosure, React2Shell has rapidly shifted from “a mere technical warning” to “a genuine threat”, says Recorded Future’s LaTulip. “Attackers started probing and exploiting vulnerable systems almost immediately.”

Proof of concept (PoC) exploits were posted within hours, providing potential attackers with a “clear blueprint to follow”, he explains.

Microsoft claimed that several hundred organisations had been compromised by December 15. Researchers at Google discovered campaigns by China and Iran leveraging the vulnerability to deploy a Minocat tunneler, Snowlight downloader, Hisonic backdoor, and Compood backdoor, as well as XMRIG cryptocurrency miners. This is similar to findings by researchers at security outfit Huntress.

Christophe Tafani-Dereeper, staff cloud security researcher and advocate at Datadog, claims that “hundreds of attackers have been attempting to scan and exploit applications” since December 3. “We’ve seen everything from cryptominers to backdoors and information stealers,” he tells Assured Intelligence.

Datadog has published indicators of compromise to help defenders identify and respond to exploitation attempts, he says. “So far, we’ve seen over 200 IP addresses attempting to actively exploit vulnerable applications with malicious code.”

Can’t patch, won’t patch

When a vulnerability this serious rears its head, patching is, of course, a priority. Firms in scope “must take immediate action to address this vulnerability”, Featurespace head of application security Sean Wright tells Assured Intelligence.


In the first instance, he advises identifying if the organisation is using a vulnerable version of the library. If so, it should update to a secure version (19.0.1, 19.1.2, or 19.2.1). “If updating is not feasible, organisations should implement mitigation controls such as removing internet access from the affected service and applying web application firewall (WAF) rules to block payloads that exploit the vulnerability,” says Wright.

The official React advisory stresses that organisations first need to work out which update their particular setup requires and which mitigation steps apply to it. Recorded Future’s LaTulip explains that “compensating controls” such as strict WAF rules, network segmentation and blocking exposed RSC endpoints can help lower exposure and “provide some confidence in the short term”. None of these controls, however, eliminates the core vulnerability.

Unforeseen issues

Some firms may be reluctant to apply a patch, as fixes can introduce additional issues. A major Cloudflare outage in December, for example, was caused by the rollout of WAF protections the company had implemented to detect and mitigate React2Shell.

Implementing updates can lead to unforeseen issues and potentially even outages, says Featurespace’s Wright. With this in mind, organisations should deploy and test updates in test environments before implementing them in production. “An outage, while undesirable, is preferable to a breach – especially given the high visibility of vulnerabilities like React2Shell,” he says.

At the same time, for most businesses – and especially those relying on public-facing web applications – delaying system patching isn’t realistic. “The combination of active exploitation, available PoCs and the critical importance of these systems means patching is an operational necessity,” Recorded Future’s LaTulip says.

Find it, fix it

React2Shell’s similarity to the 2021 vulnerability Log4Shell is not just in name. In both cases, effective patching is challenged by the fact that the flaw may be hard to find across open-source dependencies.


“The challenge with React2Shell is similar to what we saw with Log4Shell: the vulnerable code can exist several layers deep in open source dependencies, and many teams may not even realise they are running the affected components,” Recorded Future’s LaTulip explains. Organisations should inventory their dependency trees, update any affected React Server Components packages and then rebuild and redeploy their applications, he says.

“Automated software composition analysis tools can help identify hidden instances,” LaTulip continues. “Although it can be a heavy lift for some environments, in a situation where active exploitation is already occurring, relying on vendor guidance and patching quickly is the safest strategy.”
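The two practical steps the experts describe above, checking whether a vulnerable version of the library is in use (Wright) and inventorying dependency trees where the affected package may sit several layers deep (LaTulip), can be approximated with a small script over an npm lockfile. The following is an added example, not code from the article or from the React project. It assumes that the packages worth inspecting are the react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack packages and that only the 19.0, 19.1 and 19.2 release lines have the patched versions the article names (19.0.1, 19.1.2, 19.2.1); anything outside those lines is reported as “unknown” for manual review rather than guessed. The lockfile it scans is constructed inline for illustration.

```javascript
// Added example (not from the article or the React project): scan an npm
// package-lock.json for React Server Components packages and flag versions
// below the patched releases named in the article (19.0.1, 19.1.2, 19.2.1).
// Assumptions: the packages to inspect are react-server-dom-*, and only the
// 19.0/19.1/19.2 lines have a listed fix; other versions are "unknown".

const PATCHED_BY_LINE = { "19.0": [19, 0, 1], "19.1": [19, 1, 2], "19.2": [19, 2, 1] };
const WATCHED = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// "19.2.0" or "19.2.1-canary-xyz" -> [19, 2, 0]; null when not semver-like.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v || ""));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns "vulnerable", "patched" or "unknown" for a single version string.
function classify(version) {
  const parsed = parseVersion(version);
  if (!parsed) return "unknown";
  const fix = PATCHED_BY_LINE[`${parsed[0]}.${parsed[1]}`];
  if (!fix) return "unknown"; // release line with no listed fix: review manually
  return compareVersions(parsed, fix) < 0 ? "vulnerable" : "patched";
}

// The package name is the last "node_modules/" segment, so a nested copy at
// node_modules/some-framework/node_modules/pkg is attributed to "pkg".
function nameFromLockPath(p) {
  const idx = p.lastIndexOf("node_modules/");
  return idx === -1 ? p : p.slice(idx + "node_modules/".length);
}

// Walks both lockfile layouts: v2/v3 flat "packages" map, or v1 nested
// "dependencies" tree. Returns every watched package found, at any depth.
function scanLockfile(lockText) {
  const lock = JSON.parse(lockText);
  const findings = [];
  const record = (path, name, version) => {
    if (WATCHED.has(name)) findings.push({ path, name, version, status: classify(version) });
  };
  for (const [p, entry] of Object.entries(lock.packages || {})) {
    if (p === "") continue; // root project entry, not a dependency
    record(p, nameFromLockPath(p), entry.version);
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${name}`;
      record(p, name, entry.version);
      walk(entry.dependencies, `${p}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return findings;
}

function vulnerablePaths(lockText) {
  return scanLockfile(lockText).filter((f) => f.status === "vulnerable").map((f) => f.path);
}

// Constructed sample lockfile (lockfileVersion 3) with one patched nested copy,
// two vulnerable top-level copies and one version on an unlisted line.
const SAMPLE_LOCK = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "some-framework": "1.0.0" } },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/react-server-dom-turbopack": { version: "19.0.0" },
    "node_modules/some-framework/node_modules/react-server-dom-webpack": { version: "19.1.2" },
    "node_modules/react-server-dom-parcel": { version: "19.3.0-canary-0000000" },
  },
});

// To scan a real tree, replace SAMPLE_LOCK with
// require("fs").readFileSync("package-lock.json", "utf8").
for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`);
}
```

The nested copy under some-framework is the case LaTulip describes: the application’s own package.json never names react-server-dom-webpack, yet a vulnerable copy can still be present in the tree, which is why the scan keys on install path rather than on direct dependencies. A lockfile scan only covers what npm installed; bundled or vendored copies still need a software composition analysis tool, as the article notes.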

CISOs to the rescue

CISOs should proactively support their teams in applying the necessary patches or mitigations, says Featurespace’s Wright.

“Given the significant attention and excitement surrounding this vulnerability within the information security community, many researchers are eager to obtain and analyse potential exploit PoCs and other tools,” he adds. “However, it is crucial to exercise caution, as some of these may themselves be malicious.”

With adversaries exploiting software flaws at increasing velocity, it’s also a good idea to prepare for incidents before they materialise. “Follow the latest security research from industry players, and implement an internal process to handle emerging vulnerabilities impacting your environments,” Datadog’s Tafani-Dereeper advises.

CISOs can also shore up defences against React2Shell by tightening WAF rules, limiting public access to vulnerable endpoints, and confirming that their monitoring tools can detect exploitation attempts, says Recorded Future’s LaTulip. “Parallel to patching, validate configurations, review access paths and ensure you have strong rollback procedures in case the fix impacts production.”

The goal is simple, he concludes: “Reduce exposure, speed up detection and avoid being surprised while your teams work through the patching process.”
