
As White House moves to send AI chips to China, Trump’s DOJ prosecutes chip smugglers


Security researchers are sounding the alarm as attacks exploiting the recently disclosed React2Shell vulnerability (CVE-2025-55182) continue to escalate worldwide. Experts warn that thousands of React Server Component instances remain unpatched, leaving organizations across multiple sectors at risk.

The Cybersecurity and Infrastructure Security Agency (CISA) recently shortened the patching deadline to Friday, citing the critical nature of the vulnerability. Initially, agencies were given until December 26 to remediate affected systems.

Palo Alto Networks’ Unit 42 reports that over 50 organizations have already been confirmed as victims, with attacks observed in the United States, Asia, South America, and the Middle East. Researchers emphasize that exploitation is not limited to low-skill attackers; nation-state actors, cybercriminals, and botnets are actively targeting the vulnerability for purposes including cryptocurrency theft, ransomware deployment, and cryptojacking.

Shadowserver scans have revealed more than 165,000 IP addresses and 644,000 domains hosting vulnerable React Server Component code, with nearly two-thirds located in the United States. Security experts describe the exploit as a “one click — game over” vulnerability, noting its ease of weaponization and the broad reach of attackers.

Alon Schindel, Vice President of AI and Threat Research at Wiz, highlighted that half of publicly exposed vulnerable instances remain unpatched, with in-the-wild exploitation accelerating rapidly. Rapid7’s Christiaan Beek called the situation a “patch-now emergency,” warning that attacks range from opportunistic botnet campaigns to sophisticated nation-state operations.

Unit 42 has also linked some exploitation activity to the North Korea-linked threat group Contagious Interview, which has targeted devices of job seekers in the tech sector. Additionally, Amazon and Unit 42 have observed China-backed threat groups Earth Lamia and Jackpot Panda attempting attacks within hours of the vulnerability’s disclosure.

The React2Shell flaw impacts multiple React frameworks and bundlers, including Next.js, React Router, Waku, Parcel RSC plugin, Vite RSC plugin, and RedwoodJS. Proof-of-concept exploits are proliferating, with nearly 100 variants publicly available, most targeting Next.js. Automated botnets and more advanced actors are leveraging the flaw, with GreyNoise reporting over 360 unique IPs attempting exploitation.

Malware observed in these attacks is diverse, including Snowlight, Vshell, NoodlerRat, XMRIG, BPFDoor, Autocolor, Mirai, and Supershell, reflecting multiple attacker objectives. Experts note similarities to Log4Shell, the high-profile Apache Log4j vulnerability from 2021, though React2Shell may be easier to exploit and harder to detect once attackers gain control.

Kelly Shortridge, Chief Product Officer at Fastly, emphasized the stealth of these attacks: “Once attackers are in, they can blend into normal traffic and operate undetected, potentially compromising sensitive data and critical applications without immediate awareness.”

Security researchers urge organizations using React Server Components and related frameworks to apply patches immediately, monitor for unusual network activity, and review public advisories from vendors and cybersecurity agencies.


Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO