Full Report
A debate over actual exploitation is muddying response efforts. Multiple researchers say they have observed working proofs of concept, while others assert that evidence of attacks is lacking. The post Attackers hit React defect as researchers quibble over proof appeared first on CyberScoop.
Analysis Summary
# Vulnerability: React Server Components Critical Deserialization Flaw (React2Shell)
## CVE Details
- CVE ID: CVE-2025-55182
- CVSS Score: 10.0 (Critical)
- CWE: Deserialization of Untrusted Data (inferred from the RCE behaviour described in the patch information; not stated explicitly in the article)
## Affected Systems
- Products: React Server Components, and consequently, applications using libraries dependent on them, such as Next.js.
- Versions: Unspecified vulnerable versions prior to the patch release by Meta/React team.
- Configurations: Applications utilizing React Server Components. Wiz reports that 39% of cloud environments contain vulnerable React or Next.js instances.
## Vulnerability Description
A critical deserialization vulnerability exists within React Server Components, dubbed "React2Shell." Successful exploitation allows an unauthenticated attacker to achieve Remote Code Execution (RCE) on the server hosting the component. This flaw exists in the mechanism used for processing React Server Components.
## Exploitation
- Status: **Exploited in the wild**. CISA has added this to its Known Exploited Vulnerabilities (KEV) catalog. Multiple security firms (Unit 42, watchTowr, Wiz) report observed successful exploitation.
- Complexity: Low (Implied by widespread PoC availability and observed rapid exploitation).
- Attack Vector: Network (Remote, unauthenticated).
## Impact
- Confidentiality: High (Ability to steal configuration files, credentials, and establish further access).
- Integrity: High (Ability to deploy webshells and execute arbitrary code).
- Availability: High (Potential for system takeover, resource hijacking via cryptojacking).
## Remediation
### Patches
- Patches were made publicly available by Meta and the React team on Wednesday (prior to the article date).
- **Action**: Organizations must apply the official patch for **CVE-2025-55182**.
- Note: Vercel also issued a patch for a related Next.js vulnerability (CVE-2025-66478), but it was confirmed to be a duplicate of the root cause in CVE-2025-55182.
### Workarounds
- The article does not list vendor-provided workarounds. The implied mitigation is to disable or isolate the vulnerable React Server Component functionality until patching is complete.
## Detection
- Indicators of Compromise (IOCs) and attacker activity observed/reported:
  - Scanning activity targeting RCE.
  - Reconnaissance activity.
  - Attempted theft of Amazon Web Services (AWS) configuration and credential files.
  - Installation of downloaders to fetch external payloads.
  - Deployment of webshells for follow-on activities.
  - Deployment of cryptojacking malware.
- Detection Methods: Security monitoring and network analysis tools capable of identifying anomalous server behavior consistent with RCE payload execution or credential exfiltration attempts. Prioritize scanning environments running React or Next.js for known vulnerable versions.
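The version-scanning step above is the part a defender can automate today. The following script is an added example for this summary, not code from the article, CyberScoop, Meta, Vercel or any vendor cited: it walks a source tree, reads every npm `package-lock.json`, inventories the React and Next.js packages it finds, and compares each against a patched-version baseline. The package names watched (`react`, `react-dom`, `next`, and the `react-server-dom-*` runtime packages) are an assumption about where the vulnerable code ships, and the baseline versions in `DEMO_BASELINE` are constructed for the demo only; take the real fixed versions for CVE-2025-55182 from the vendor advisory before trusting a "PATCHED" verdict.

```python
"""Inventory React / Next.js package versions across a source tree.

Added example, not from the article or any vendor. The watched package list
and DEMO_BASELINE are assumptions / placeholders: fill the baseline from the
vendor advisory for CVE-2025-55182 before relying on the verdicts.
"""
import json
import os
import re
import tempfile
from pathlib import Path

# Exact package names of interest plus the react-server-dom-* family
# (assumption: the React Server Components runtime ships under that prefix).
WATCHED_NAMES = {"react", "react-dom", "next"}
WATCHED_PREFIX = "react-server-dom-"

# Constructed baseline for the demo only: NOT the real fixed versions.
DEMO_BASELINE = {"react": "18.2.0", "next": "14.1.0"}

_VER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn '19.0.0', 'v19.0.0-canary.1' or '^19.0.0' into a comparable tuple.
    Returns None for specs that cannot be pinned (e.g. 'latest', 'file:../x')."""
    m = _VER_RE.match(text.lstrip("^~>=<"))
    return tuple(int(g) for g in m.groups()) if m else None


def is_watched(name):
    return name in WATCHED_NAMES or name.startswith(WATCHED_PREFIX)


def packages_from_lockfile(path):
    """Yield (name, version) for watched packages in a lockfileVersion 2/3
    package-lock.json. Keys look like 'node_modules/react' or, for nested
    copies, 'node_modules/a/node_modules/react'; '' is the root project."""
    data = json.loads(Path(path).read_text(encoding="utf-8"))
    for key, meta in data.get("packages", {}).items():
        if not key:
            continue
        name = key.rsplit("node_modules/", 1)[-1]
        version = meta.get("version")
        if is_watched(name) and version:
            yield name, version


def verdict(name, version, patched):
    """VULNERABLE if below the baseline for this package, PATCHED if at or
    above it, UNKNOWN when no baseline exists or a version cannot be parsed."""
    fixed = patched.get(name)
    have = parse_version(version)
    need = parse_version(fixed) if fixed else None
    if have is None or need is None:
        return "UNKNOWN"
    return "VULNERABLE" if have < need else "PATCHED"


def scan_tree(root, patched):
    """Walk root (skipping node_modules), parse each package-lock.json and
    return a sorted list of (lockfile path relative to root, package, version,
    verdict) tuples."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]
        if "package-lock.json" in filenames:
            lock = Path(dirpath) / "package-lock.json"
            rel = str(lock.relative_to(root))
            for name, version in packages_from_lockfile(lock):
                findings.append((rel, name, version, verdict(name, version, patched)))
    return sorted(findings)


# Constructed sample lockfile (not real project data) so the script runs offline.
SAMPLE_LOCK = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"next": "14.0.0"}},
        "node_modules/next": {"version": "14.0.0"},
        "node_modules/react": {"version": "18.2.0"},
        "node_modules/react-dom": {"version": "18.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "18.2.0"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
}


def build_sample_tree():
    """Write the constructed lockfile into a fresh temp dir; return its root."""
    root = Path(tempfile.mkdtemp(prefix="rsc-inventory-"))
    app = root / "apps" / "web"
    app.mkdir(parents=True)
    (app / "package-lock.json").write_text(json.dumps(SAMPLE_LOCK), encoding="utf-8")
    return root


if __name__ == "__main__":
    for rel, name, version, result in scan_tree(build_sample_tree(), DEMO_BASELINE):
        print(f"{result:10} {name:28} {version:12} {rel}")
```

Run it against a real checkout with `scan_tree("/path/to/repos", baseline)` once the baseline holds the advisory's fixed versions. An UNKNOWN verdict is deliberate rather than silent: it means either no baseline was supplied for that package or the lockfile pins something the script cannot order, and both cases deserve a human look rather than an automatic pass.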
## References
- CISA KEV Catalog Entry (for CVE-2025-55182)
- Vendor Advisories/Disclosures (Meta/React Team, Vercel)
- Wiz Blog Post on CVE-2025-55182
- Unit 42 and watchTowr threat intelligence reports confirming exploitation.