Executive Summary
In December 2025, attackers rapidly weaponized a critical deserialization vulnerability (CVE-2025-55182, "React2Shell") in React Server Components (RSC), enabling remote code execution on web servers running unpatched React libraries. Threat actors exploited the flaw, which carries a CVSS score of 10.0, by sending serialized payloads in POST requests, executing arbitrary commands, deploying malware, and exfiltrating credentials. Infections observed include crypto-miners, Mirai/Gafgyt bots, and the advanced RondoDox botnet targeting both Linux servers and IoT devices. Exploit activity began within hours of disclosure, with a sharp increase in attempts against internet-facing systems.
This incident highlights the increasing speed at which proof-of-concept exploits are operationalized in the wild, and underscores both the risk posed by deserialization vulnerabilities and the importance of dependency hygiene in modern web application stacks. Supply chain and cloud-centric attacks leveraging similar TTPs are expected to become more common, placing organizations with weak patch cycles at heightened risk.
Why This Matters Now
CVE-2025-55182 demonstrates how quickly threat actors can weaponize newly discovered vulnerabilities, especially in widely used frameworks like React. With public exploits and automated malware campaigns already active, organizations running unpatched RSC environments face immediate risk. Prompt patching and improved detection for rapid, server-side compromise are urgently needed.
Attack Path Analysis
Attackers exploited the CVE-2025-55182 (React2Shell) deserialization flaw via malicious POST requests to gain initial server access. Once inside, they executed probing commands to confirm exploitation and deployed scripts to download further payloads. Some scripts disabled local protections and enabled the spread or deployment of additional malware across local network segments. The threat actors established command and control by downloading malware from external URLs, permitting remote tasking and miner configuration. In more advanced cases, adversaries attempted to exfiltrate cloud and git credentials from compromised environments. The final impact included crypto mining, botnet recruitment, credential theft, and potential disruption of cloud infrastructure, along with downstream supply chain risk.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited the CVE-2025-55182 deserialization vulnerability via crafted POST requests, leading to remote code execution on React Server Components.
Related CVEs
CVE-2025-55182
CVSS 10.0
A pre-authentication remote code execution vulnerability in React Server Components allows attackers to execute arbitrary code via unsafe deserialization of HTTP request payloads.
Affected Products:
Meta Platforms, Inc. React Server Components – 19.0.0, 19.1.0, 19.1.1, 19.2.0
Exploit Status:
Exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter
User Execution: Malicious File
Ingress Tool Transfer
System Services: Service Execution
Impair Defenses: Disable or Modify Tools
OS Credential Dumping
Resource Hijacking
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of Software Development Processes
Control ID: 6.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management – Preventive Measures
Control ID: Article 6(9)
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Continuous Monitoring of Applications
Control ID: Applications: Visibility and Analytics
NIS2 Directive – Incident Handling and Vulnerability Disclosure
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Critical exposure to CVE-2025-55182 React Server Components vulnerability enabling remote code execution, credential theft, and malware deployment across web applications.
Information Technology/IT
High risk from React2Shell exploits targeting server infrastructure with crypto miners, botnets, and credential harvesting affecting cloud environments and systems.
Financial Services
Severe threat from deserialization attacks compromising React-based applications, enabling data exfiltration and regulatory compliance violations under PCI/NIST frameworks.
Health Care / Life Sciences
Critical vulnerability in React Server Components threatens patient data security through remote code execution, violating HIPAA requirements and enabling lateral movement.
Sources
- It didn't take long: CVE-2025-55182 is now under active exploitation (https://securelist.com/cve-2025-55182-exploitation/118331/)
- Critical Security Vulnerability in React Server Components (https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)
- Meta React Server Components Remote Code Execution Vulnerability (https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182)
- CVE-2025-55182 Detail (https://nvd.nist.gov/vuln/detail/CVE-2025-55182)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
CNSF and Zero Trust controls such as inline segmentation, egress policy enforcement, threat detection, and east-west traffic controls would have contained attack spread, blocked malicious outbound actions, and empowered early detection, limiting adversary freedom at every stage.
Control: Cloud Firewall (ACF)
Mitigation: Prevents malicious inbound requests exploiting known signatures or patterns.
Control: Threat Detection & Anomaly Response
Mitigation: Raises alerts on abnormal process behaviors and privilege escalation attempts.
Control: Zero Trust Segmentation
Mitigation: Restricts unauthorized workload-to-workload communication and internal malware propagation.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks unauthorized outbound C2 connections to malicious domains or unknown destinations.
Control: Multicloud Visibility & Control
Mitigation: Identifies and logs unusual outbound transfers and sensitive data access.
Mitigates business disruption through distributed inline controls and automated isolation.
Impact at a Glance
Affected Business Functions
- Web Application Services
- Customer Data Management
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive customer data due to unauthorized access and code execution on affected servers.
Recommended Actions
Key Takeaways & Next Steps
- Immediately patch all React Server Components and assess exposure in your application portfolios.
- Deploy Zero Trust segmentation to enforce least-privilege workload and namespace boundaries across cloud and hybrid workloads.
- Enable egress filtering and cloud firewall controls to prevent malicious outbound connections and data exfiltration.
- Integrate advanced threat detection and anomaly response to identify and respond to suspicious behaviors rapidly.
- Conduct regular credential hygiene, monitoring, and multicloud visibility to uncover and remediate attacker footholds.