Ethical Hacking News
A critical security flaw in React Server Components (RSC) has been added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The flaw, tracked as CVE-2025-55182, is a remote code execution vulnerability that can be triggered by an unauthenticated attacker without requiring any special setup. To address it, it is imperative to update software to the latest version and implement robust security measures to prevent exploitation.
React Server Components (RSC) has a critical security flaw tracked as CVE-2025-55182. The React2Shell flaw is a remote code execution vulnerability that can be triggered by an unauthenticated attacker. Around 30 affected organizations have been identified, with one set of activity consistent with a Chinese hacking crew. Multiple threat actors are engaging in opportunistic attacks targeting the flaw. About 2.15 million internet-facing services may be affected by this vulnerability.
A critical security flaw in React Server Components (RSC) has been added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). This development comes on the heels of confirmed active exploitation of the vulnerability, marking it as one of the most critical security flaws in recent times.
The React2Shell flaw, tracked as CVE-2025-55182, is a remote code execution vulnerability that can be triggered by an unauthenticated attacker without requiring any special setup. This vulnerability stems from insecure deserialization in the library's Flight protocol, which React uses to communicate between a server and client. As a result, it leads to a scenario where an unauthenticated, remote attacker can execute arbitrary commands on the server by sending specially crafted HTTP requests.
In a statement shared with The Hacker News, Palo Alto Networks Unit 42 said they have confirmed over 30 affected organizations across numerous sectors, with one set of activity consistent with a Chinese hacking crew tracked as UNC5174 (aka CL-STA-1015). The attacks are characterized by the deployment of SNOWLIGHT and VShell.
Security researcher Lachlan Davidson, who is credited with discovering and reporting the flaw, has since released multiple proof-of-concept (PoC) exploits, making it imperative that users update their instances to the latest version as soon as possible. Another working PoC has been published by a Taiwanese researcher who goes by the GitHub handle maple3142.
This vulnerability highlights the importance of keeping software up to date and the need for organizations to prioritize patch management. It has been addressed in versions 19.0.1, 19.1.2, and 19.2.1 of the following libraries: react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack.
Some of the downstream frameworks that depend on React are also impacted. These include Next.js, React Router, Waku, Parcel, Vite, and RedwoodSDK.
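The fixed versions listed above can be checked mechanically against a project's lockfile. The following JavaScript is an added example, not code from the article or from the React project; it assumes an npm `package-lock.json` with the v2/v3 `packages` layout, runs on a constructed sample lockfile containing a hypothetical `some-fw` framework, and treats any build below the listed patch level on the 19.0, 19.1 and 19.2 lines as needing an update.

```javascript
// Added example: flag lockfile entries for the three packages named in the
// article that sit below the fixed releases it lists (19.0.1, 19.1.2, 19.2.1).
const RSC_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];
// Fixed patch number per release line, taken from the article.
const FIXED_PATCH = { "19.0": 1, "19.1": 2, "19.2": 1 };

// Assumption: on a listed release line, anything below the fixed patch, and any
// prerelease of the fixed version itself, still needs the update.
function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(String(version || ""));
  if (!m) return "unparsed";
  const fixed = FIXED_PATCH[`${m[1]}.${m[2]}`];
  if (fixed === undefined) return "not-covered"; // article gives no data
  const patch = Number(m[3]);
  if (patch > fixed) return "patched";
  if (patch === fixed && !m[4]) return "patched";
  return "needs-update";
}

// Walk the npm v2/v3 "packages" map; nested copies are checked too.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop(); // last segment = package
    if (!RSC_PACKAGES.includes(name)) continue;
    findings.push({ path, version: meta.version, status: classify(meta.version) });
  }
  return findings;
}

// Constructed sample lockfile ("some-fw" is a hypothetical framework).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.1.0" },
    "node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/some-fw/node_modules/react-server-dom-turbopack": { version: "19.2.1" },
    "node_modules/react-server-dom-parcel": { version: "19.0.1-rc.0" },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(12)} ${f.version.padEnd(12)} ${f.path}`);
}
```

Versions outside the three release lines are reported as `not-covered` because the article gives no data for them. A framework that ships its own bundled copy of these packages will not appear in a lockfile scan and has to be checked against its vendor's advisory.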
In a world where cyber threats are becoming increasingly sophisticated and frequent, it is imperative for organizations to stay vigilant and proactive in addressing these vulnerabilities. The discovery of this critical security flaw serves as a stark reminder that even the most seemingly secure systems can be breached if not properly maintained.
According to data shared by attack surface management platform Censys, there are about 2.15 million instances of internet-facing services that may be affected by this vulnerability. This comprises exposed web services using React Server Components and exposed instances of frameworks such as Next.js, Waku, React Router, and RedwoodSDK.
As organizations continue to navigate the complex cybersecurity landscape, it is essential to prioritize awareness and education. By staying informed about emerging threats and vulnerabilities, individuals can better equip themselves to protect their organizations from potential cyber attacks.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has provided guidance on how to address this vulnerability, emphasizing the importance of updating software to the latest version and implementing robust security measures to prevent exploitation.
Coalition, Fastly, GreyNoise, VulnCheck, and Wiz have also reported seeing exploitation efforts targeting the flaw, indicating that multiple threat actors are engaging in opportunistic attacks.
This critical security flaw highlights the importance of proactive cybersecurity measures and the need for organizations to stay vigilant in addressing emerging threats. By prioritizing patch management, staying informed about vulnerabilities, and implementing robust security measures, individuals can better protect their organizations from potential cyber attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/The-React2Shell-Flaw-A-Critical-Security-Vulnerability-Exposed-to-Active-Exploitation-ehn.shtml
https://thehackernews.com/2025/12/critical-react2shell-flaw-added-to-cisa.html
https://nvd.nist.gov/vuln/detail/CVE-2025-55182
https://www.cvedetails.com/cve/CVE-2025-55182/
Published: Sat Dec 6 05:57:35 2025 by llama3.2 3B Q4_K_M