Daily Tech News: January 8, 2026

React2Shell: The React Server Components Bug That’s Melting the Internet

Attackers are hammering a critical React Server Components vulnerability, nicknamed React2Shell and tracked as CVE-2025-55182, with more than 8.1 million exploitation attempts logged so far. The campaign has turned unpatched React and Next.js deployments into low-hanging fruit for mass remote code execution, cryptomining, and persistent access.

What Happened

Security telemetry firm GreyNoise reported that exploitation of the React2Shell bug has surged into one of the most aggressive opportunistic campaigns in recent memory, stabilizing at roughly 300,000–400,000 attack sessions per day after peaking above 430,000. The attacks are coming from over 8,000 unique IPs across more than 100 countries, heavily leaning on cloud providers like AWS for scale.

The Technical Details

CVE-2025-55182 is a critical RCE (CVSS 9.8) in the React Server Components (RSC) Flight Protocol, involving unsafe deserialization that allows attackers to execute arbitrary code on affected servers. It impacts:

  • React implementations using Server Components
  • Next.js and downstream RSC-based frameworks
  • Other custom or third-party RSC implementations that haven’t patched the protocol handling

The exploitation chain, as observed in the wild, generally looks like this:

  • Initial proof-of-execution using trivial PowerShell arithmetic (to confirm code execution on target).
  • Base64-encoded PowerShell stagers pulled down and executed to fetch second-stage payloads.
  • AMSI bypass via reflection against System.Management.Automation.AmsiUtils to blind some AV/EDR products.
  • Follow-on actions including:
    – System recon and environment harvesting
    – Reverse shells and backdoor deployment
    – SSH key drops for persistence
    – Cryptominer installation and resource hijacking

Telemetry shows more than 70,000 unique payloads and hundreds of distinct JA4H/JA4T fingerprints, underscoring that this is not a one-off bot but a large, automated ecosystem of scanners and exploit kits. The majority of visible traffic uses Go-based HTTP clients and scanner-tagged user agents, reinforcing that this is industrialized exploitation rather than targeted ops.

Why Developers Should Care

If you run React or Next.js in production and haven’t explicitly checked and patched for CVE-2025-55182, assume you are already being scanned and likely probed multiple times a day. This isn’t a “maybe someone will try this eventually” bug; it’s at full internet-worm levels of automation and scale.

From a developer perspective, a few hard truths:

  • Framework ≠ safety: The fact this lives inside the RSC Flight Protocol is a reminder that “modern” stacks can still ship old-school deserialization footguns. You can’t outsource all security thinking to the framework.
  • App bugs become infra incidents: A single template or protocol bug in your UI stack is now a direct path to shell access, persistence, and resource theft on your servers or containers.
  • Cloud doesn’t save you: A huge chunk of attack traffic rides on AWS and other cloud providers. If you’re exposed to the public internet and unpatched, you’re on the same playing field as everyone else.
  • Detection needs to be app-aware: You should be logging and alerting on:
    – Suspicious PowerShell invocation patterns
    – Base64-encoded command lines
    – AMSI bypass attempts involving AmsiUtils
    – Unexpected outbound connections from app containers or serverless runtimes
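The first three signals in that list can be checked against process-creation telemetry. The sketch below is an added example, not code from GreyNoise or the React project; the event field names (parent, image, cmdline) and the sample events are constructed for illustration.

```javascript
// Triage process-creation events from hosts that run a React/Next.js server.
// Field names are assumed; map them to your EDR or Sysmon schema.
const PS_IMAGE = /(^|[\\/])(powershell|pwsh)(\.exe)?$/i;
const NODE_PARENT = /(^|[\\/])node(\.exe)?$/i;
// PowerShell accepts abbreviations of -EncodedCommand such as -e, -ec and -enc.
const ENC_FLAG = /\s-(?:e|ec|en[a-z]*)\s+([A-Za-z0-9+\/=]{16,})/i;
// A command body that is nothing but "<number> <operator> <number>".
const ARITH_ONLY = /\s-c(?:ommand)?\s+"?\d+\s*[-+*\/]\s*\d+"?\s*$/i;

// -EncodedCommand carries base64 of UTF-16LE text; decode it so the rules
// inspect the script itself rather than an opaque blob.
function decodeEncodedCommand(cmdline) {
  const m = ENC_FLAG.exec(cmdline);
  return m ? Buffer.from(m[1], "base64").toString("utf16le") : null;
}

// Returns the list of rule names an event matched (empty for non-PowerShell).
function triage(ev) {
  const hits = [];
  if (!PS_IMAGE.test(ev.image)) return hits;
  if (NODE_PARENT.test(ev.parent)) hits.push("powershell-child-of-node");
  if (ARITH_ONLY.test(ev.cmdline)) hits.push("arithmetic-probe");
  const decoded = decodeEncodedCommand(ev.cmdline);
  if (decoded !== null) hits.push("encoded-command");
  if (/AmsiUtils/i.test(ev.cmdline + "\n" + (decoded ?? ""))) hits.push("amsi-reference");
  return hits;
}

// Constructed sample events; the encoded bodies are harmless marker strings.
const enc = (s) => Buffer.from(s, "utf16le").toString("base64");
const NODE = "C:\\Program Files\\nodejs\\node.exe";
const PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe";
const SAMPLE_EVENTS = [
  { parent: NODE, image: PS, cmdline: 'powershell -c "40+2"' },
  { parent: NODE, image: PS, cmdline: "powershell -NoP -enc " + enc("Write-Output 'constructed sample'") },
  { parent: NODE, image: PS, cmdline: "powershell -e " + enc("# marker: System.Management.Automation.AmsiUtils") },
  { parent: "C:\\Windows\\explorer.exe", image: PS, cmdline: "powershell -File C:\\ops\\backup.ps1" },
  { parent: NODE, image: "C:\\Program Files\\Git\\cmd\\git.exe", cmdline: "git rev-parse HEAD" },
];

for (const ev of SAMPLE_EVENTS) {
  const hits = triage(ev);
  if (hits.length) console.log(hits.join(","), "<=", ev.cmdline.slice(0, 60));
}
```

Decoding the encoded command before matching is what lets the AmsiUtils rule fire on the third event, where the raw command line contains only base64.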

Practically, here’s what you should be doing right now if you own a React/Next.js backend:

  • Identify all RSC/Next.js deployments that are internet-exposed.
  • Patch to the latest versions that address CVE-2025-55182 (check both framework and any RSC-related libraries).
  • Temporarily geofence, rate-limit, or WAF-protect RSC endpoints if patching will take time.
  • Hunt for compromise: look for weird PowerShell usage, unknown SSH keys, unexplained CPU spikes (cryptominers), and newly opened egress destinations.
  • Bake this into your pipeline: add vulnerability scanning and dependency checks specifically for critical framework CVEs tied to RCE.
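For the pipeline step, a lockfile check catches nested copies of a package that a glance at package.json misses. This is an added example, not React or Next.js tooling: the watched package list is an assumption, and the floor table holds placeholder numbers that must be replaced with the fixed versions from the vendor advisory for CVE-2025-55182.

```javascript
// Packages assumed to ship or vendor the RSC Flight implementation; extend for your stack.
const WATCHED = ["next", "react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"];

// floors: { "<package>": { "<major>.<minor>": <first fixed patch number> } }
// Works on the "packages" map of package-lock.json (lockfileVersion 2 or 3).
function auditLockfile(lock, floors) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages ?? {})) {
    // Keys look like "node_modules/a/node_modules/b"; the last segment is the
    // package name, so nested (transitive) copies are reported as well.
    const name = path.split("node_modules/").pop();
    if (!WATCHED.includes(name) || !meta.version) continue;
    const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(meta.version);
    const floor = m ? floors[name]?.[`${m[1]}.${m[2]}`] : undefined;
    let status = "ok";
    if (floor === undefined) {
      status = "review"; // release line not in the table: check the advisory by hand
    } else if (Number(m[3]) < floor || (Number(m[3]) === floor && m[4])) {
      status = "below-floor"; // a pre-release of the fixed version sorts before it
    }
    findings.push({ path, version: meta.version, status });
  }
  return findings;
}

// PLACEHOLDER floors and a constructed lockfile; the version numbers are
// deliberately unrealistic and are not the real fixed versions.
const PLACEHOLDER_FLOORS = { "react-server-dom-webpack": { "1.2": 3 }, next: { "4.5": 6 } };
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "constructed-app", version: "0.0.0" },
    "node_modules/next": { version: "4.5.6" },
    "node_modules/react-server-dom-webpack": { version: "1.2.3" },
    "node_modules/some-plugin/node_modules/react-server-dom-webpack": { version: "1.2.2" },
    "node_modules/react-server-dom-parcel": { version: "7.0.0" },
    "node_modules/unrelated-lib": { version: "1.3.0" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK, PLACEHOLDER_FLOORS)) {
  console.log(f.status.padEnd(12), f.version.padEnd(8), f.path);
}
```

In CI, fail the build when any finding has a status other than "ok".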

Final Take

React2Shell is a blunt reminder that “frontend frameworks” are no longer just about rendering views—features like Server Components turn them into full-blown server attack surfaces. If your team moves fast on features but treats patching and dependency hygiene as background noise, this is the kind of bug that will eventually hand your servers to someone else. Patch now, add guardrails to your pipeline, and stop assuming that modern JavaScript stacks are secure by default.
