CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Critical React Server Components (RSC) Bugs Enable Unauthenticated Remote Code Execution

First reported
Last updated
4 unique sources, 8 articles

Summary

Hide ▲

A critical security vulnerability (CVE-2025-55182, CVSS 10.0) in React Server Components (RSC) allows unauthenticated remote code execution due to unsafe deserialization of payloads. The flaw affects multiple versions of React and Next.js, potentially impacting any application using RSC. The issue has been patched, but 39% of cloud environments remain vulnerable. Cloudflare experienced a widespread outage due to an emergency patch for this vulnerability, and multiple China-linked hacking groups have begun exploiting it. NHS England National CSOC has warned of the likelihood of continued exploitation in the wild. Major companies such as Google Cloud, AWS, and Cloudflare immediately responded to the vulnerability. The security researcher Lachlan Davidson disclosed the vulnerability on November 29, 2025, to the Meta team. The flaw has been dubbed React2Shell, a nod to the Log4Shell vulnerability discovered in 2021. The US National Vulnerability Database (NVD) rejected CVE-2025-66478 as a duplicate of CVE-2025-55182. Exploitation success rate is reported to be nearly 100% in default configurations. React servers that use React Server Function endpoints are known to be vulnerable. The Next.js web application is also vulnerable in its default configuration. At the time of writing, it is unknown if active exploitation has occurred, but there have been some reports of observed exploitation activity as of December 5, 2026. OX Security warned that the flaw is now actively exploitable on December 5, around 10am GMT. Hacker maple3142 published a working PoC, and OX Security successfully verified it. JFrog identified fake proof-of-concepts (PoC) on GitHub, warning security teams to verify sources before testing. Cloudflare started investigating issues on December 5 at 08:56 UTC, and a fix was rolled out within half an hour, but by that time outages had been reported by several major internet services, including Zoom, LinkedIn, Coinbase, DoorDash, and Canva. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on December 6, 2025, following confirmed active exploitation. The vulnerability is tracked as React2Shell and is related to a remote code execution flaw in React Server Components (RSC). The flaw is due to insecure deserialization in the Flight protocol used by React to communicate between a server and client. The vulnerability affects versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. Patched versions of React are 19.0.1, 19.1.2, and 19.2.1. Downstream frameworks impacted include Next.js, React Router, Waku, Parcel, Vite, and RedwoodSDK. Amazon reported attack attempts from Chinese hacking groups like Earth Lamia and Jackpot Panda within hours of public disclosure. Coalition, Fastly, GreyNoise, VulnCheck, and Wiz reported seeing exploitation efforts targeting the flaw. Some attacks involved the deployment of cryptocurrency miners and the execution of "cheap math" PowerShell commands. Censys identified about 2.15 million instances of internet-facing services potentially affected by the vulnerability. Palo Alto Networks Unit 42 confirmed over 30 affected organizations across numerous sectors, with activity consistent with Chinese hacking group UNC5174. Security researcher Lachlan Davidson released multiple proof-of-concept (PoC) exploits for the vulnerability. Another working PoC was published by a Taiwanese researcher with the GitHub handle maple3142. Federal Civilian Executive Branch (FCEB) agencies have until December 26, 2025, to apply the necessary updates to secure their networks. Over 77,000 Internet-exposed IP addresses are vulnerable to the critical React2Shell remote code execution flaw (CVE-2025-55182). Researchers have confirmed that attackers have already compromised over 30 organizations across multiple sectors using the React2Shell flaw. Shadowserver detected 77,664 IP addresses vulnerable to the React2Shell flaw, with approximately 23,700 in the United States. GreyNoise recorded 181 distinct IP addresses attempting to exploit the flaw over the past 24 hours, with most of the traffic appearing automated. Attackers frequently begin with PowerShell commands that perform a basic math function to confirm the device is vulnerable to the remote code execution flaw. Once remote code execution was confirmed, attackers were seen executing base64-encoded PowerShell commands that download additional scripts directly into memory. One observed command executes a second-stage PowerShell script from the external site (23[.]235[.]188[.]3), which is used to disable AMSI to bypass endpoint security and deploy additional payloads. The PowerShell script observed by GreyNoise installs a Cobalt Strike beacon on the targeted device, giving threat actors a foothold on the network. Amazon AWS threat intelligence teams saw rapid exploitation hours after the disclosure of the React CVE-2025-55182 flaw, with infrastructure associated with China-linked APT hacking groups known as Earth Lamia and Jackpot Panda. Palo Alto Networks observed similar exploitation, attributing some of it to UNC5174, a Chinese state-sponsored threat actor believed to be tied to the Chinese Ministry of State Security. The deployed malware in these attacks includes Snowlight and Vshell, both commonly used by Chinese hacking groups for remote access, post-exploitation activity, and to move laterally through a compromised network. Earth Lamia is known for exploiting web application vulnerabilities to target organizations across Latin America, the Middle East, and Southeast Asia. Earth Lamia has historically targeted sectors across financial services, logistics, retail, IT companies, universities, and government organizations. Jackpot Panda primarily targets entities in East and Southeast Asia. The Shadowserver Foundation has identified over 77,000 vulnerable IPs following a scan of exposed HTTP services across a wide variety of exposed edge devices and other applications. Censys observed just over 2.15 million instances of internet-facing services that may be affected by this vulnerability, including exposed web services using React Server Components and exposed instances of frameworks such as Next.js, Waku, React Router, and RedwoodSDK. The bug is a pre-authentication remote code execution (RCE) vulnerability which exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. React issued a security advisory with the relevant patches and updates on December 3. Any internet-accessible server running the affected React Server Components code should be assumed vulnerable until updated as a precaution. AWS observed that many threat actors are attempting to use public PoCs that don’t work in real-world scenarios. AWS noted that the use of these PoCs shows that threat actors prioritize rapid operationalization over thorough testing, attempting to exploit targets with any available tool. Using multiple PoCs to scan for vulnerable environments also gives threat actors a higher chance of identifying vulnerable configurations, even if the PoCs are non-functional. The availability of the PoCs also allows less sophisticated actors to participate in exploitation campaigns. Finally, AWS noted that even failed exploitation attempts create significant noise in logs, potentially masking more sophisticated attacks. The invalid PoCs can give developers a false sense of security when testing for React2Shell. The Shadowserver Foundation detected 28,964 IP addresses vulnerable to the React2Shell flaw as of December 7, 2025, down from 77,664 on December 5, with approximately 10,100 located in the U.S., 3,200 in Germany, and 1,690 in China.

Timeline

  1. 05.12.2025 15:53 6 articles · 3d ago

    Cloudflare Outage Due to Emergency React2Shell Patch

    Cloudflare experienced a widespread outage caused by an emergency patch for the React2Shell vulnerability. The outage was due to a change in how Cloudflare's Web Application Firewall parses requests. Multiple China-linked hacking groups, including Earth Lamia and Jackpot Panda, have begun exploiting the React2Shell vulnerability. NHS England National CSOC reported that several functional CVE-2025-55182 proof-of-concept exploits are available, and continued successful exploitation in the wild is highly likely. Major companies such as Google Cloud, AWS, and Cloudflare immediately responded to the vulnerability. Cloudflare started investigating issues on December 5 at 08:56 UTC, and a fix was rolled out within half an hour, but by that time outages had been reported by several major internet services, including Zoom, LinkedIn, Coinbase, DoorDash, and Canva. This is the second significant Cloudflare outage in less than a month.

    Show sources
    Open in new tab
  2. 03.12.2025 20:19 7 articles · 5d ago

    Critical RSC Bugs in React and Next.js Allow Unauthenticated Remote Code Execution

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the critical React2Shell vulnerability (CVE-2025-55182) to its Known Exploited Vulnerabilities (KEV) catalog on December 6, 2025, following confirmed active exploitation. The vulnerability is tracked as React2Shell and is related to a remote code execution flaw in React Server Components (RSC) due to insecure deserialization in the Flight protocol. The flaw affects multiple versions of React and downstream frameworks like Next.js, React Router, Waku, Parcel, Vite, and RedwoodSDK. Patched versions of React are 19.0.1, 19.1.2, and 19.2.1. Amazon and other security firms reported attack attempts from Chinese hacking groups like Earth Lamia and Jackpot Panda. Censys identified about 2.15 million instances of internet-facing services potentially affected. Palo Alto Networks Unit 42 confirmed over 30 affected organizations, with activity consistent with Chinese hacking group UNC5174. Security researcher Lachlan Davidson released multiple proof-of-concept (PoC) exploits, and another working PoC was published by a Taiwanese researcher with the GitHub handle maple3142. Federal Civilian Executive Branch (FCEB) agencies have until December 26, 2025, to apply the necessary updates to secure their networks. Over 77,000 Internet-exposed IP addresses are vulnerable to the critical React2Shell remote code execution flaw (CVE-2025-55182). Researchers have confirmed that attackers have already compromised over 30 organizations across multiple sectors using the React2Shell flaw. Shadowserver detected 77,664 IP addresses vulnerable to the React2Shell flaw, with approximately 23,700 in the United States. GreyNoise recorded 181 distinct IP addresses attempting to exploit the flaw over the past 24 hours, with most of the traffic appearing automated. Attackers frequently begin with PowerShell commands that perform a basic math function to confirm the device is vulnerable to the remote code execution flaw. Once remote code execution was confirmed, attackers were seen executing base64-encoded PowerShell commands that download additional scripts directly into memory. One observed command executes a second-stage PowerShell script from the external site (23[.]235[.]188[.]3), which is used to disable AMSI to bypass endpoint security and deploy additional payloads. The PowerShell script observed by GreyNoise installs a Cobalt Strike beacon on the targeted device, giving threat actors a foothold on the network. Amazon AWS threat intelligence teams saw rapid exploitation hours after the disclosure of the React CVE-2025-55182 flaw, with infrastructure associated with China-linked APT hacking groups known as Earth Lamia and Jackpot Panda. Palo Alto Networks observed similar exploitation, attributing some of it to UNC5174, a Chinese state-sponsored threat actor believed to be tied to the Chinese Ministry of State Security. The deployed malware in these attacks includes Snowlight and Vshell, both commonly used by Chinese hacking groups for remote access, post-exploitation activity, and to move laterally through a compromised network. Earth Lamia is known for exploiting web application vulnerabilities to target organizations across Latin America, the Middle East, and Southeast Asia. Earth Lamia has historically targeted sectors across financial services, logistics, retail, IT companies, universities, and government organizations. Jackpot Panda primarily targets entities in East and Southeast Asia. The Shadowserver Foundation has identified over 77,000 vulnerable IPs following a scan of exposed HTTP services across a wide variety of exposed edge devices and other applications. Censys observed just over 2.15 million instances of internet-facing services that may be affected by this vulnerability, including exposed web services using React Server Components and exposed instances of frameworks such as Next.js, Waku, React Router, and RedwoodSDK. The bug is a pre-authentication remote code execution (RCE) vulnerability which exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. React issued a security advisory with the relevant patches and updates on December 3. Any internet-accessible server running the affected React Server Components code should be assumed vulnerable until updated as a precaution. AWS observed that many threat actors are attempting to use public PoCs that don’t work in real-world scenarios. AWS noted that the use of these PoCs shows that threat actors prioritize rapid operationalization over thorough testing, attempting to exploit targets with any available tool. Using multiple PoCs to scan for vulnerable environments also gives threat actors a higher chance of identifying vulnerable configurations, even if the PoCs are non-functional. The availability of the PoCs also allows less sophisticated actors to participate in exploitation campaigns. Finally, AWS noted that even failed exploitation attempts create significant noise in logs, potentially masking more sophisticated attacks. The invalid PoCs can give developers a false sense of security when testing for React2Shell. The Shadowserver Foundation detected 28,964 IP addresses vulnerable to the React2Shell flaw as of December 7, 2025, down from 77,664 on December 5, with approximately 10,100 located in the U.S., 3,200 in Germany, and 1,690 in China.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Chinese Hackers Exploit React2Shell Vulnerability (CVE-2025-55182) in Targeted Campaigns

Two China-linked hacking groups, Earth Lamia and Jackpot Panda, have begun exploiting the newly disclosed React2Shell vulnerability (CVE-2025-55182) in React Server Components, which allows unauthenticated remote code execution. The vulnerability was addressed in React versions 19.0.1, 19.1.2, and 19.2.1. The groups have targeted various sectors, including financial services, logistics, retail, IT, universities, and government organizations across Latin America, the Middle East, and Southeast Asia. The attacks involve running discovery commands, writing files, and reading sensitive information, demonstrating a systematic approach to exploit multiple vulnerabilities simultaneously.

Open in new tab

React2Shell vulnerability exploited by China-linked threat actors

Multiple China-linked threat actors, including Earth Lamia and Jackpot Panda, have begun exploiting the critical React2Shell vulnerability (CVE-2025-55182) in React and Next.js. This insecure deserialization flaw allows unauthenticated remote execution of JavaScript code in the server's context. The vulnerability affects multiple versions of the widely used libraries, potentially exposing thousands of dependent projects. AWS reports active exploitation attempts within hours of the public disclosure, with attackers using a mix of public exploits and manual testing to refine their techniques.

Open in new tab

Cloudflare service disruption causes widespread 500 Internal Server Errors

Cloudflare experienced a service disruption on December 5, 2025, leading to widespread 500 Internal Server Errors across websites relying on its infrastructure. The issue affected users attempting to access various sites, displaying server-side errors instead of the expected content. The disruption highlights the critical role of Cloudflare in maintaining the availability and security of numerous online services.

Open in new tab

Cloudflare's worst outage in 6 years caused by database issues

Cloudflare experienced its worst outage in 6 years on November 19, 2025, caused by a change to database access controls that triggered a cascading failure across its Global Network. The outage lasted for nearly 6 hours, affecting core CDN and security services, Turnstile, Workers KV, dashboard access, email security, and access authentication. The issue was not caused by a cyberattack but by a database permissions change that generated an oversized configuration file, exceeding the system's hardcoded limit and causing widespread service disruptions. Cloudflare's global network, which spans over 120 countries and connects to over 13,000 networks, provides content delivery, security, and performance optimization services. The outage led to widespread 5xx errors and failures in the Cloudflare Dashboard and API. As of November 19, 2025, Cloudflare reported signs of recovery but warned of higher-than-normal error rates during remediation efforts. During the outage, some Cloudflare customers managed to pivot their domains away from Cloudflare, potentially exposing their infrastructure to increased malicious traffic. Security experts suggest that organizations should review their web application firewall (WAF) logs during the outage to identify any malicious activity that may have slipped through. The outage served as an impromptu network penetration test for organizations relying on Cloudflare for security, highlighting potential vulnerabilities in their own defenses.

Open in new tab

React Native CLI Remote Code Execution Vulnerability (CVE-2025-11953)

A critical security flaw in the React Native CLI package, tracked as CVE-2025-11953, allowed remote, unauthenticated attackers to execute arbitrary OS commands on development servers. The vulnerability affected versions 4.8.0 through 20.0.0-alpha.2 of the @react-native-community/cli-server-api package, impacting millions of developers using the React Native framework. The flaw was patched in version 20.0.0. The vulnerability was due to the Metro development server binding to external interfaces by default and exposing an '/open-url' endpoint susceptible to OS command injection. Attackers could exploit this to run arbitrary commands on the affected systems. The flaw underscores the risks associated with third-party code and emphasizes the need for comprehensive security scanning in the software supply chain.

Open in new tab