Exploitation Activity Ramps Up Against React2Shell
Summary
React2Shell (CVE-2025-55182) is a critical remote‑code‑execution deserialization flaw in React Server Components that was publicly disclosed in early December 2025. Exploitation began within hours of disclosure and has quickly grown from opportunistic reconnaissance to active hands‑on‑keyboard attacks targeting internet‑facing Next.js apps, containerised workloads and cloud‑native environments.
Security firms including Wiz, VulnCheck and Censys have reported widespread exploit attempts — ranging from cryptomining and credential theft to persistent backdoors — and noted that default server‑side rendering in vulnerable Next.js versions makes many instances exposed by default. Web application firewall (WAF) rules have been rolled out by providers, but proof‑of‑concepts showing WAF bypasses mean patching remains the safest mitigation.
Key Points
- CVE-2025-55182 (React2Shell) is a maximum severity (CVSS 10) deserialization RCE affecting React Server Components.
- Exploitation began within hours of disclosure; activity has ramped to broad opportunistic attacks including cryptomining, credential theft and backdoors.
- Next.js applications (which use server‑side rendering by default) are highly at risk; many internet‑facing instances were identified in scans.
- A secondary CVE initially assigned for Next.js was later marked a duplicate, but the practical risk to Next.js remains high.
- WAFs (Cloudflare, AWS, others) have deployed rules to block attempts, but PoCs report WAF‑bypass techniques — patching is recommended.
- Researchers warn other frameworks using the RSC protocol (e.g. Waku, Vite with RSC plugins) may be exploitable with minor PoC adjustments.
Context and Relevance
This vulnerability is significant because it impacts a modern server‑side rendering flow used by many web apps, and exploitation is both rapid and automated. The combination of a maximum severity rating, default reachability in Next.js, and observed in‑the‑wild attacks means organisations running RSC‑based stacks should treat internet‑accessible servers as vulnerable until patched.
For defenders, the story highlights two ongoing trends: (1) fast exploitation windows where attackers weaponise new disclosures in hours, and (2) the limits of perimeter protections — WAFs help but do not replace timely patching and secure configuration.
Why should I read this?
Short answer: because it’s happening now and it can let attackers run code on your servers. If you run Next.js or any RSC‑based server, you need to know what to patch and why. We skimmed the noise and pulled the bits that tell you how urgent this is — patch, check exposed endpoints, and don’t rely solely on WAF rules.
Source
Source: https://www.darkreading.com/vulnerabilities-threats/exploitation-activity-ramps-react2shell
