Federal agencies now only have one more day to patch React2Shell bug

Steven

Federal agencies now only have one more day to patch React2Shell bug

Summary

The Cybersecurity and Infrastructure Security Agency (CISA) has moved CVE-2025-55182 — the React2Shell vulnerability affecting React Server Components — onto its Known Exploited Vulnerabilities catalogue and dramatically shortened the patching window for federal agencies. An initial deadline of 26 December was revised so agencies now have until Friday (effectively one day from the update) to apply mitigations and check for signs of compromise on internet-accessible REACT instances.

React Server Components are widely embedded across the web (used in millions of sites and products). Since early December defenders have been scrambling to patch CVE-2025-55182 amid active exploitation by nation-state actors and cybercriminals. Palo Alto Networks’ Unit 42 reports more than 50 organisations hit across the US, Asia, South America and the Middle East, with attackers deploying a range of malware and backdoors. Incident responders are also seeing low-skill, opportunistic abuse — cryptominers, Mirai botnets and tooling linked to ransomware groups.

Key Points

  • CISA added CVE-2025-55182 to its Known Exploited Vulnerabilities list and moved the federal patch deadline up to Friday — agencies must act now.
  • React2Shell targets React Server Components, embedded in tens of millions of websites and many major products.
  • Active exploitation has been observed from China- and North Korea-linked groups as well as multiple cybercriminal gangs.
  • Palo Alto Networks’ Unit 42 says 50+ organisations have been impacted, across finance, higher education, tech, government and media.
  • Observed malware includes cryptominers (XMRIG), Mirai, BPFDoor, NoodlerRat, Supershell and other backdoors linked to nation-state activity.
  • Media organisations are especially exposed because server-rendered frameworks use React Server Components in public entry points.
  • CISA urged agencies to both apply mitigations and check for indicators of compromise on internet-facing instances.

Author style

Punchy: this is urgent. The shortened CISA deadline and confirmed active exploitation make this a high-priority item for anyone running React Server Components or public server-rendered React stacks. Read the detail if you manage web infrastructure — this isn’t one to defer.

Why should I read this?

Short answer: because if your site or product uses React Server Components you could already be exposed. We’ve saved you time — this summary tells you the who, what and how fast so you can check your estate, apply patches or mitigations, and hunt for signs of compromise before more attackers move in.

Source

Source: https://therecord.media/react2shell-vulnerability-cisa-shortens-patch-deadline