The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added a critical security flaw affecting React Server Components (RSC) to its Known Exploited Vulnerabilities (KEV) catalog. This critical vulnerability, designated CVE-2025-55182, has a CVSS score of 10.0 and is also tracked as React2Shell. Reports indicate that the flaw is already being actively exploited in the wild, prompting urgent action from cybersecurity agencies.
The vulnerability allows for unauthenticated remote code execution due to a flaw in how React decodes payloads sent to React Server Function endpoints. This means an attacker can potentially run malicious code on a server without needing any special access or configuration. The issue stems from insecure deserialization within the library’s Flight protocol, which is used for communication between React’s server and client components.
React Server Components Vulnerability Under Active Exploitation
The newly cataloged vulnerability, CVE-2025-55182, represents a severe security risk for applications built with React Server Components. Identified as React2Shell, the flaw provides a pathway for unauthenticated attackers to execute arbitrary commands on vulnerable servers. The method involves exploiting how React processes object references during deserialization in the `react-server` package. This can lead to a complete compromise of server-side systems.
Martin Zugec, technical solutions director at Bitdefender, highlighted the inherent dangers of insecure deserialization, calling it “one of the most dangerous classes of software vulnerabilities.” The specific weakness targeted by React2Shell resides in the parsing of object references within the `react-server` package, enabling malicious actors to manipulate the deserialization process for their own gain.
This critical vulnerability has been addressed in patched versions of several key libraries. Specifically, versions 19.0.1, 19.1.2, and 19.2.1 of `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack` now include fixes for this issue. Downstream frameworks that depend on these packages are also affected, including popular tools like Next.js, React Router, Waku, Parcel, Vite, and RedwoodSDK.
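A defender's first job after reading the advisory is to find out which of the named packages are installed and whether each is at or above the fixed release. The following audit script is an added example, not code from the advisory or from the React project; it assumes that, within each 19.x minor line named above, releases below the fix are vulnerable and the fix or later is patched, and it reports anything outside those lines (including canary builds) as "unknown" for manual review rather than silently passing it.

```javascript
// Added example: classify installed React Server Components packages against the
// fixed versions named in the advisory (19.0.1, 19.1.2, 19.2.1).
// Assumption: in each listed 19.x minor line, versions below the fix are vulnerable;
// versions in other lines or with a prerelease tag are reported as "unknown".
const FIXED_VERSIONS = {
  'react-server-dom-webpack': ['19.0.1', '19.1.2', '19.2.1'],
  'react-server-dom-parcel': ['19.0.1', '19.1.2', '19.2.1'],
  'react-server-dom-turbopack': ['19.0.1', '19.1.2', '19.2.1'],
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; the prerelease tag is kept so canaries are flagged.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Returns "patched", "vulnerable" or "unknown" for one package@version.
function classify(pkg, version) {
  const fixes = FIXED_VERSIONS[pkg];
  const v = parseVersion(version);
  if (!fixes || !v) return 'unknown';
  const fix = fixes.map(parseVersion).find(f => f.major === v.major && f.minor === v.minor);
  if (!fix) return 'unknown';   // release line not named in the advisory: review by hand
  if (v.pre) return 'unknown';  // prerelease/canary build: review by hand
  return v.patch >= fix.patch ? 'patched' : 'vulnerable';
}

// Walk the "packages" map of a package-lock.json (lockfile v2/v3 layout) and report
// every affected package that is not confirmed patched, including nested copies.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!(name in FIXED_VERSIONS)) continue;
    const status = classify(name, entry.version);
    if (status !== 'patched') findings.push({ path, name, version: entry.version, status });
  }
  return findings;
}

// Constructed sample lockfile: one vulnerable, one patched (nested), one unknown entry.
const SAMPLE_LOCK = {
  packages: {
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/next/node_modules/react-server-dom-turbopack': { version: '19.1.2' },
    'node_modules/react-server-dom-parcel': { version: '19.3.0-canary-constructed' },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

On a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; nested copies under a framework's own `node_modules` are checked the same way as top-level ones.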
Implications and Observed Exploitation
The urgency surrounding CVE-2025-55182 is amplified by observations of active exploitation. Infrastructure linked to Chinese hacking groups, including Earth Lamia and Jackpot Panda, was reportedly involved in attack attempts shortly after the vulnerability’s public disclosure. Companies such as Coalition, Fastly, GreyNoise, VulnCheck, and Wiz have also reported observing exploitation efforts, indicating that a broad range of threat actors are capitalizing on this flaw for opportunistic attacks. This widespread interest underscores the severity and accessibility of the exploit.
Initial attack campaigns have been observed deploying cryptocurrency miners on compromised systems. Additionally, attackers have been seen executing “cheap math” PowerShell commands to confirm successful exploitation. This reconnaissance is typically followed by the deployment of in-memory downloaders, designed to fetch additional malicious payloads from remote command-and-control servers.
Palo Alto Networks Unit 42 confirmed that over 30 organizations across various sectors have been impacted by this vulnerability. Their analysis linked some attack activities to a Chinese threat group designated UNC5174, also known as CL-STA-1015. These specific attacks are characterized by the deployment of tools such as SNOWLIGHT and VShell, suggesting sophisticated and targeted operations.
According to data from the attack surface management platform Censys, an estimated 2.15 million internet-facing services could be vulnerable. This figure encompasses web services utilizing React Server Components, as well as instances of frameworks like Next.js, Waku, React Router, and RedwoodSDK. The sheer number of potentially affected systems highlights the significant scope of this cybersecurity threat.
The discovery and public disclosure of this flaw are credited to security researcher Lachlan Davidson. Following the disclosure, Davidson released several proof-of-concept (PoC) exploits, making it imperative for users operating vulnerable instances to update immediately. Another working PoC has also been made available by a Taiwanese researcher known as maple3142 on GitHub, further increasing the risk for unpatched systems.
Mandatory Updates and Future Actions
In response to the escalating threat, CISA has issued Binding Operational Directive (BOD) 22-01. This directive mandates that Federal Civilian Executive Branch (FCEB) agencies must apply the necessary updates to secure their networks from CVE-2025-55182 by December 26, 2025. This deadline signifies the critical importance of remediation efforts for government agencies and serves as a strong recommendation for all organizations utilizing affected technologies.