CISA Lists Critical React2Shell Flaw Amid Active Exploitation Reports


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability known as React2Shell to its Known Exploited Vulnerabilities (KEV) catalog. The listing follows reports of ongoing exploitation of the flaw, tracked as CVE-2025-55182 and rated CVSS 10.0. It affects React Server Components and allows remote code execution.

Details of the React2Shell Vulnerability

Remote code execution becomes possible when an unauthenticated attacker sends a crafted payload to a React Server Function endpoint and abuses how React decodes it. According to CISA, the root cause is insecure deserialization in the library's Flight protocol, the wire format React Server Components use for communication between client and server.

Martin Zugec, technical solutions director at Bitdefender, emphasized the gravity of the flaw. He noted that the vulnerability is located primarily in the react-server package and revolves around improper parsing of object references during deserialization.

Affected Versions and Frameworks

The vulnerability is fixed in the following React versions, one patch release for each affected 19.x line:

  • 19.0.1
  • 19.1.2
  • 19.2.1

Several downstream frameworks and toolchains that build on React Server Components, including Next.js, React Router, Waku, Parcel, Vite, and RedwoodSDK, are affected as well.
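The first thing a practitioner wants after reading the version list is a way to find every copy of the affected packages in a project, including nested duplicates that a top-level `npm ls` can hide. The script below is an added example, not code from the article, CISA, or the React project. It classifies a version string against the patched releases the article lists (19.0.1, 19.1.2, 19.2.1) and scans a `package-lock.json`-style `packages` map. The affected ranges (19.0.0, 19.1.0 to 19.1.1, 19.2.0) are inferred from those fixed versions; the package names checked (`react` plus the `react-server-dom-webpack`, `react-server-dom-parcel` and `react-server-dom-turbopack` Flight packages) and the sample lock data are assumptions, not taken from the page.

```javascript
// Added example, not code from the article, CISA, or the React project.
// Classifies a React package version against the patched releases the article
// lists (19.0.1, 19.1.2, 19.2.1) and scans a package-lock.json-style
// dependency map for affected entries.
//
// Assumptions (not stated on the page): the affected ranges are inferred from
// the fixed versions as 19.0.0, 19.1.0-19.1.1 and 19.2.0; the packages worth
// checking are `react` plus the React Server Components "Flight" packages
// react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack;
// canary/experimental builds and other version lines are reported for manual
// review rather than guessed.

// minor line -> first patch release that contains the fix (from the article)
const FIRST_FIXED_PATCH = { 0: 1, 1: 2, 2: 1 };

const DEFAULT_PACKAGES = [
  'react',
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
];

// Parse "19.2.0" or "19.2.0-canary-abc123"; returns null if not semver-shaped.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Returns one of: 'affected', 'fixed', 'prerelease', 'unlisted', 'invalid'.
function classifyVersion(v) {
  const p = parseVersion(v);
  if (!p) return 'invalid';
  // Canary/experimental builds carry their own commit hash; compare by hand.
  if (p.prerelease) return 'prerelease';
  // Only the 19.0, 19.1 and 19.2 lines have a listed fix; anything else is
  // outside what the advisory covers and must be checked manually.
  if (p.major !== 19 || !(p.minor in FIRST_FIXED_PATCH)) return 'unlisted';
  return p.patch >= FIRST_FIXED_PATCH[p.minor] ? 'fixed' : 'affected';
}

// Scan the `packages` map of a lockfileVersion 2/3 package-lock.json. Keys are
// install paths such as "node_modules/next/node_modules/react-server-dom-webpack",
// so the package name is whatever follows the last "node_modules/".
function scanLockfile(lock, packageNames = DEFAULT_PACKAGES) {
  const wanted = new Set(packageNames);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue; // the root project entry ("")
    const name = path.slice(idx + 'node_modules/'.length);
    if (!wanted.has(name) || !entry.version) continue;
    findings.push({ path, name, version: entry.version, status: classifyVersion(entry.version) });
  }
  return findings;
}

// Constructed sample lock data (not a real project) with one nested duplicate
// and one canary build, to show that every copy is checked, not just the top one.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-dom': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/some-tool/node_modules/react-server-dom-webpack': { version: '19.1.2' },
    'node_modules/react-server-dom-turbopack': { version: '19.2.0-canary-abc123' },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`);
}
```

To run this against a real project, replace `SAMPLE_LOCK` with the parsed contents of its `package-lock.json` (for example `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`); yarn and pnpm lockfiles use different layouts and need their own parser. Treat `prerelease` and `unlisted` results as "verify manually", not as clean: a canary build may predate or postdate the fix, and the script only knows about the three release lines the article names.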

Reports of Active Exploitation

After public disclosure, Amazon reported attack attempts attributable to Chinese hacking groups such as Earth Lamia and Jackpot Panda. GreyNoise and Wiz, among others, also observed exploitation attempts, indicating that a range of threat actors are exploiting the flaw opportunistically.

Some attacks deployed cryptocurrency miners or executed PowerShell commands to confirm that exploitation had succeeded. Attackers were also observed installing downloaders that fetch further payloads from remote servers.

Scope of the Impact

Research from the attack surface management platform Censys puts the number of internet-facing services that could be vulnerable at approximately 2.15 million. That figure counts exposed web services using React Server Components or one of the affected frameworks, so it is an exposure estimate rather than a tally of confirmed-vulnerable hosts.

Palo Alto Networks Unit 42 confirmed that more than 30 organizations across diverse sectors are affected. Its analysis attributed some of the activity to UNC5174, a Chinese hacking group known for deploying tools such as SNOWLIGHT and VShell.

Urgent Need for Action

Security researcher Lachlan Davidson, who discovered the flaw, has released several proof-of-concept (PoC) exploits, and a Taiwanese researcher known as maple3142 published another. With working exploits public, updating the affected libraries to the patched versions promptly is essential.

Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must apply the fixes to secure their networks by December 26, 2025.