JANUARY 2026 UPDATE: One month after disclosure, React2Shell (CVE-2025-55182) remains under sustained exploitation with over 8.1 million attack sessions recorded [1]. Security firm GreyNoise reports 300,000-400,000 daily attacks from 8,163 unique IPs across 101 countries [1]. Over 644,000 domains remain vulnerable despite patches being available since December 3, 2025 [2]. CISA's federal remediation deadline (December 26, 2025) has passed [3]. If you haven't upgraded to React 19.2.3 [4] and Next.js 16.0.10+, you are actively at risk.
December 2025 UPDATE: Security researchers confirm active exploitation in the wild [5]. CVE-2025-55182, now widely known as "React2Shell," has been integrated into Mirai and other botnet exploitation toolkits [6]. Nearly 50% of attacking IPs are newly registered infrastructure (December 2025) [1]. Post-exploitation activities include cryptocurrency mining, credential theft, and ransomware deployment [7]. Five China-nexus APT groups (UNC6600, UNC6586, UNC6588, UNC6603, UNC6595) have been specifically attributed to this campaign [5].
Disclosure Notice: This vulnerability was publicly disclosed on December 3, 2025. If you're running Next.js 14.3+, 15, or 16 with React Server Components, you should upgrade immediately, regardless of your hosting provider.
Today we witnessed defense in depth working exactly as intended. Within hours of CVE-2025-55182 being disclosed, a critical remote code execution vulnerability in React Server Components, we received alerts from two different sources:
- Vercel's dashboard, warning us that WAF rules were already protecting our production deployment
- Dependabot PR #87, automatically upgrading Next.js from 16.0.6 to 16.0.7
This is what modern security infrastructure looks like: multiple layers working in concert. Vercel's WAF provided immediate protection before we could even review the PR, while Dependabot delivered the actual patch for permanent remediation.
In this post, we'll break down what CVE-2025-55182 is, why it matters, how these layered defenses protected our app, and what you should do to secure your own projects.
If you're running Next.js 14.3+, 15.x, or 16.x with React Server Components, you must upgrade immediately to React 19.2.3+ and Next.js 16.0.10+. Active exploitation is confirmed with 300,000-400,000 daily attacks and 644,000+ vulnerable domains still exposed as of January 2026.
Vulnerability Overview: CVE-2025-55182 (React2Shell)
CVE-2025-55182, also known as "React2Shell" in the security community, is a critical-severity vulnerability affecting React Server Components (RSC). Under certain conditions, specially crafted requests can lead to unintended remote code execution (RCE) on the server.
Technical Details:
- Affected Packages: React 19's server-side rendering packages (`react-server-dom-parcel`, `react-server-dom-webpack`, `react-server-dom-turbopack`)
- Related CVE: CVE-2025-66478 for Next.js specifically
- Impact: Remote code execution, environment access, infrastructure pivoting, data exfiltration
Affected Versions & Patches
| Package | Affected Versions | Fixed Versions | Recommended (Jan 2026) |
|---|---|---|---|
| React | 19.0.0 - 19.2.0 | 19.0.1, 19.1.2, 19.2.1+ | 19.2.3+ (all 4 CVEs fixed) |
| Next.js | ≥14.3.0-canary.77, all 15.x, all 16.x | 15.0.5+, 16.0.7+ | 16.0.10+ (latest hardened) |
Other affected frameworks: Vite with RSC, Parcel, React Router (RSC), RedwoodSDK, Waku
Quick Version Check:
```bash
npm ls next react  # or check package.json
```
Complete CVE Family (December 2025 Discoveries)
Following React2Shell's disclosure, researchers discovered three additional vulnerabilities [4]:
| CVE | Severity | Impact | Patched In |
|---|---|---|---|
| CVE-2025-55182 | CRITICAL | Remote Code Execution | React 19.0.1+ |
| CVE-2025-55183 | MEDIUM | Source code exposure | React 19.2.2+ |
| CVE-2025-55184 | HIGH | Denial of Service | React 19.2.2+ (incomplete) |
| CVE-2025-67779 | HIGH | DoS (bypass of CVE-2025-55184) | React 19.2.3+ |
Critical: CVE-2025-55184's original fix was incomplete [4]. Upgrade directly to React 19.2.3+ to address all four vulnerabilities in one update [8].
Upgrading to React 19.2.2 is not sufficient. CVE-2025-55184's original DoS fix was bypassed by CVE-2025-67779. Always upgrade to the latest patched version (React 19.2.3+ as of January 2026) to address the complete CVE family.
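To apply the two tables above to a whole dependency tree, including nested copies that a bare `npm ls next react` is easy to misread, here is an added example (not from the original post or from Vercel's tooling) that classifies every matching package in `npm ls --json` output. The status names, the sample tree, and the choice to hold `react-dom` and every Next.js line to the recommended versions are assumptions of this sketch.

```javascript
// Added example: encodes the version tables from this article, not an official advisory feed.
const REACT_FAMILY = new Set([
  "react", "react-dom", // assumption: react-dom follows React's version ranges
  "react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack",
]);

// Parse "major.minor.patch" with an optional "-tag.n" prerelease such as "-canary.77".
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.(\d+))?/.exec(String(v));
  if (!m) return null;
  return { nums: [+m[1], +m[2], +m[3]], pre: m[4] ? [m[4], +m[5]] : null };
}

// Returns <0, 0 or >0. A prerelease sorts below the release with the same numbers.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] - y.nums[i];
  }
  if (!x.pre || !y.pre) return (x.pre ? 0 : 1) - (y.pre ? 0 : 1);
  if (x.pre[0] !== y.pre[0]) return x.pre[0] < y.pre[0] ? -1 : 1;
  return x.pre[1] - y.pre[1];
}

// React table: 19.0.0 - 19.2.0 affected; RCE fixed in 19.0.1, 19.1.2, 19.2.1+;
// only 19.2.3+ is listed as fixing all four CVEs.
function classifyReact(v) {
  if (!parseVersion(v)) return "unknown";
  if (compareVersions(v, "19.0.0") < 0) return "outside-listed-range";
  if (compareVersions(v, "19.2.3") >= 0) return "ok";
  const rceFix = ["19.0.1", "19.1.2", "19.2.1"][parseVersion(v).nums[1]];
  return compareVersions(v, rceFix) >= 0 ? "partial-fix" : "vulnerable-rce";
}

// Next.js table: affected from 14.3.0-canary.77 onward. The table lists per-line
// fixes (15.0.5+, 16.0.7+); this check takes the stricter reading and holds every
// line to the recommended 16.0.10+.
function classifyNext(v) {
  if (!parseVersion(v)) return "unknown";
  if (compareVersions(v, "14.3.0-canary.77") < 0) return "outside-listed-range";
  return compareVersions(v, "16.0.10") >= 0 ? "ok" : "needs-upgrade";
}

// Walk the nested "dependencies" objects of `npm ls --json` output.
function assessNpmTree(tree, path = [], out = []) {
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (info.version && (name === "next" || REACT_FAMILY.has(name))) {
      const status = name === "next" ? classifyNext(info.version) : classifyReact(info.version);
      out.push({ path: here.join(" > "), version: info.version, status });
    }
    assessNpmTree(info, here, out);
  }
  return out;
}

function needsAction(findings) {
  return findings.filter((f) => f.status !== "ok" && f.status !== "outside-listed-range");
}

// Constructed sample in the shape of `npm ls --all --json` output.
const SAMPLE_TREE = {
  name: "demo-app",
  dependencies: {
    next: { version: "16.0.6" },
    react: { version: "19.2.3" },
    "react-dom": { version: "19.2.3" },
    "some-ui-kit": {
      version: "1.0.0",
      dependencies: { "react-server-dom-webpack": { version: "19.1.1" } },
    },
  },
};

console.log(needsAction(assessNpmTree(SAMPLE_TREE)));
```

Feed it real data by saving `npm ls --all --json` to a file and passing the parsed object to `assessNpmTree`.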
Timeline & Platform Response
Attack Chain Context: Exploitation is fully automated, progressing from scanner identification to payload deployment in under 10 seconds. Attackers use PowerShell arithmetic validation (powershell -c "40138*41979"), encoded payloads, AMSI bypasses, then deploy cryptocurrency miners, backdoors, and credential harvesters.
Here's what makes this disclosure interesting from a DevSecOps perspective: Vercel's platform detected and mitigated this vulnerability before Dependabot could even create a PR.
The disclosure and exploitation unfolded rapidly:
- December 3, 2025 - Pre-disclosure: Vercel coordinates with the React team, develops WAF rules
- December 3, 2025 - Public disclosure: CVE-2025-55182 and CVE-2025-66478 are published
- December 3, 2025 - Immediate WAF deployment: Vercel automatically deploys protection rules
- December 3, 2025 - 20:49 UTC - Same-day Dependabot PR: PR #87 arrives
- December 3, 2025 - Within hours of disclosure: Initial exploitation attempts observed by AWS Threat Intelligence; China-nexus threat actors (Earth Lamia, Jackpot Panda) begin active exploitation [9]
- December 3, 2025 - 22:00 UTC: First scanning activity detected globally across honeypots; sustained exploitation begins [1]
- December 4, 2025 - 21:04 UTC: Rapid7 validates weaponized exploit; proof-of-concept exploits become publicly available
- December 5, 2025 - 06:00 UTC: Wiz Research sensors identify first victims compromised; rapid expansion of exploitation observed [10]
- December 5, 2025 - CISA KEV Addition: CVE-2025-55182 added to CISA's Known Exploited Vulnerabilities list [3]
- December 5, 2025 - Lachlan Davidson PoC: Original discoverer publishes official proof-of-concept; Metasploit exploit module available
- December 5, 2025 - 23:44 UTC: Vercel partners with HackerOne for responsible disclosure ($25k-$50k bounties)
- December 6, 2025 - 06:29 UTC: Vercel releases `npx fix-react2shell-next` automated fix tool
- December 6, 2025 - Deployment blocking: Vercel begins blocking NEW deployments of vulnerable Next.js versions
- December 8, 2025: Rapid7 observes payload variations; attackers actively debugging and refining exploitation techniques
- December 10, 2025: Major cloud providers implement coordinated response; exploitation volume begins to decline
- December 12, 2025: Continued monitoring shows persistent but reduced attack activity; focus shifts to scanning for remaining unpatched systems
Both systems worked, but with different roles and limitations:
- Vercel's WAF: Defense-in-depth layer (mitigation, not complete protection)
- Dependabot: Same-day patch delivery (complete remediation)
Exploitation Tool Maturity
As of December 8, 2025:
- Multiple working weaponized exploits publicly available
- Metasploit module integrated into standard toolkit
- Automated scanning tools widely adopted by threat actors
- Payload variations observed as attackers refine techniques against real targets
- High-fidelity exploitation with near 100% success rate reported by researchers
Vercel's Approach
Vercel coordinated with the React team pre-disclosure, deployed WAF rules automatically to all projects, and continuously improved protections as bypass variants emerged. They released automated fix tooling (npx fix-react2shell-next) and began blocking new vulnerable deployments.
"We have created new WAF rules to address this vulnerability and deployed them to Vercel WAF that will automatically and at no cost protect all projects hosted on Vercel." — Jimour Lai, Vercel Security Engineer
Important WAF Limitations: Vercel acknowledges that "WAF rules are one layer of defense but can never guarantee 100% coverage." As new exploit variants emerged (evidenced by payload variations observed on December 8), Vercel identified and patched WAF bypasses, but upgrading remains the only complete fix.
CISA Recognition: The addition of CVE-2025-55182 to CISA's Known Exploited Vulnerabilities list on December 5 signals that this is now considered a priority threat by federal agencies, underscoring the urgency of remediation.
This means that while the WAF provided valuable defense-in-depth, our production deployment wasn't truly secure until we merged the upgrade. The WAF bought us time and reduced risk, but it wasn't a substitute for patching.
Web Application Firewalls (WAF) provide defense-in-depth, not complete protection. Vercel acknowledges that "WAF rules can never guarantee 100% coverage." As bypass variants emerged, WAF rules were patched, but upgrading remains the only complete fix. Think of WAF as a seatbelt—upgrading is fixing the brakes.
The Broader Impact
Vercel also worked with the React team to provide recommendations to major WAF and CDN providers. This collaborative approach helps protect the broader ecosystem, not just Vercel customers.
Vercel's $1 Million Bug Bounty Program
In an unprecedented security initiative, Vercel launched a $1 million bug bounty program specifically targeting WAF bypass techniques:
Program Results:
- Engaged 116 security researchers to find every possible WAF bypass
- Paid out over $1 million in bounties
- Shipped 20 unique WAF updates within 48 hours as new bypass techniques were reported
- All discovered bypass techniques are now permanent firewall additions
Dual-Layer Defense Architecture:
Vercel deployed a two-layer protection system:
Layer 1: Seawall WAF
- Deep request inspection
- Pattern-based exploit detection
- Continuous updates from bug bounty findings
Layer 2: Runtime Mitigation (First Public Disclosure)
- Operates directly on compute layer inside applications
- Does not rely on heuristics
- Directly eliminates code evaluation vector
- Covers 96% of Vercel traffic
- Automatic alerting when triggered
This runtime layer provided visibility into actual WAF bypass attempts in production, allowing Vercel to state "with high confidence that the WAF was extraordinarily effective"—because they had ground truth data from the second layer.
Automated Remediation Tools:
- Vercel Agent: Automatically detects vulnerable projects and opens PRs
- `npx fix-react2shell-next`: One-command CLI fix tool
Threat Landscape: The Scale of React2Shell Exploitation
Attack Statistics (January 2026)
One month after disclosure, React2Shell has achieved unprecedented exploitation scale:
Volume Metrics:
- 8.1+ million attack sessions recorded since December 3, 2025 [1]
- 300,000-400,000 daily attacks currently sustained (not declining) [1]
- 8,163 unique attacking IPs across 1,071 ASNs in 101 countries [1]
- 644,000+ vulnerable domains still exposed (Shadowserver Foundation) [2]
Infrastructure Analysis:
- 50% of attacking IPs first observed after July 2025 (recent allocation) [1]
- AWS alone accounts for over one-third of exploitation traffic [1]
- Sophisticated coordination indicates organized threat actor campaigns [5]
- Attack volume has stabilized but not declined: permanent fixture in attacker toolkits [11]
Nation-State & APT Activity
Five China-nexus threat clusters have been specifically attributed (AWS + Google Threat Intelligence) [5]:
- UNC6600 (Espionage): MINOCAT tunneler deployment with FRP client integration [5]
- UNC6586, UNC6588, UNC6603, UNC6595: Multiple distinct clusters with custom tooling [5]
- Earth Lamia (UNC5454) & Jackpot Panda: Active within hours of disclosure [9]
- RondoDx botnet: Steadily expanding N-day vulnerability arsenal [12]
Advanced Tactics:
- Automated scanning using commercial vulnerability scanners [13]
- Metadata targeting (icon hashes, SSL certificates, geographic identifiers) [13]
- Large-scale anonymization networks masking attribution [5]
- Rapid weaponization of public PoCs (within hours) [9]
- Simultaneous exploitation of multiple N-day vulnerabilities [5]
New Malware Families (Exclusive to React2Shell)
Security researchers have identified seven sophisticated malware families deployed specifically through CVE-2025-55182 [6]:
Professional-Grade Tooling:
PeerBlight Linux Backdoor [6]
- BitTorrent DHT network for C2 (domain-takedown resistant)
- Node ID prefix "LOLlolLOL" for identification
- Interactive shell, file exfiltration, configuration updates
Attack volumes have stabilized but not declined at 300k-400k daily attacks as of January 2026. This vulnerability is now a permanent fixture in attacker toolkits, not a temporary threat wave. Organizations with slow patch cycles remain at risk indefinitely.
Defense & Response: Multi-Layered Protection Strategy
Immediate Action Required: Upgrade Now
Even with cloud provider WAF protections, you must upgrade. WAF rules provide interim protection but are not a permanent fix.
For Next.js Projects:
```bash
# Option 1: Use Vercel's automated fix tool (recommended)
npx fix-react2shell-next

# Option 2: Manual upgrade to latest patched versions
npm install next@latest react@latest react-dom@latest

# Option 3: Specify exact versions (January 2026 recommendations)
npm install next@16.0.10 react@19.2.3 react-dom@19.2.3
```
Verify Your Upgrade:
```bash
npm ls next react react-dom
```
For Other RSC Frameworks: Check framework documentation and ensure React 19.2.3+ (addresses all 4 CVEs).
Vercel's Unprecedented Defense Response
$1 Million Bug Bounty Program Results:
- Engaged 116 security researchers to find WAF bypasses
- Paid out over $1 million in bounties
- Shipped 20 unique WAF updates within 48 hours
- All bypass techniques now permanent firewall additions
Dual-Layer Defense Architecture:
Layer 1: Seawall WAF
- Deep request inspection and pattern-based detection
- Continuous updates from bug bounty findings
- Automatic deployment across all Vercel projects
Layer 2: Runtime Mitigation (First Public Disclosure)
- Operates directly inside applications on compute layer
- Directly eliminates code evaluation vector
- Covers 96% of Vercel traffic with automatic alerting
- Provides ground truth data on actual bypass attempts
Automated Remediation Tools:
- Vercel Agent: Dashboard detection + automatic PR creation
- `npx fix-react2shell-next`: One-command CLI fix tool
Industry-Wide WAF Protection
Automatically Deployed (No Action Required):
- Vercel WAF: All Vercel-hosted projects
- AWS WAF: `AWSManagedRulesKnownBadInputsRuleSet` v1.24+
- Cloudflare WAF: React2Shell rules (December 3-4, 2025)
- Google Cloud Armor: App Engine, Cloud Functions, Cloud Run
Available for Deployment:
- Palo Alto Networks NGFW, Akamai WAF, Fastly WAF
Detection Tools & Enterprise Platforms
Open Source Scanners:
- react2shell-scanner (Assetnote): `github.com/assetnote/react2shell-scanner`
- `npx fix-react2shell-next`: Official Next.js remediation tool
- Vercel Agent: Dashboard-based detection with automated PRs
Enterprise Security Platforms:
- Microsoft Defender Vulnerability Management (MDVM) [14]
- Microsoft Defender for Cloud (agentless scanning) [14]
- Dynatrace Runtime Vulnerability Analytics [15]
- JFrog Advanced Security [16], Mondoo Security Platform [8]
Compromise Detection & Response
Signs of Active Exploitation:
Network Indicators:
- Unusual POST requests with `_prefix`, `_chunks`, `_formData` patterns
- Large encoded payloads, requests to uncommon RSC endpoints
- Outbound connections to mining pools (ports 3333, 4444), DNS exfiltration domains
System Indicators:
- PowerShell execution with `-enc`/`-EncodedCommand` flags
- Windows Event ID 4104: AMSI bypass attempts (`amsiInitFailed`, `AmsiUtils`)
- Base64-encoded command parameters, arithmetic validation commands
- Cryptocurrency mining processes, unauthorized network connections
Post-Exploitation Artifacts:
Credential Harvesting Targets:
```
# Check these files for unauthorized access
.env*, ~/.ssh/*, ~/.aws/credentials, ~/.docker/config.json
~/.git-credentials, ~/.bash_history, /etc/shadow, /etc/passwd
```
Persistence Mechanisms:
- systemd service creation (system-updates-service, system-update-service)
- cron job injection, authorized_keys manipulation
- Shell configuration modification (~/.bashrc, ~/.bash_profile)
- RMM/RAT deployment: MeshAgent, Cobalt Strike, AnyDesk
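The network, system and persistence indicators listed above can be turned into a first-pass triage filter. The following is an added example, not code from the original post or from any vendor: it matches those indicators against telemetry that has already been normalised into flat events. The event shape (`src`, `bodyKeys`, `cmdline`, `scriptBlock`, `dstPort`, `name`), the rule ids and the sample events are all assumptions, and it goes slightly beyond the list by matching abbreviated forms of `-EncodedCommand`.

```javascript
// Added example: indicator matching over normalised events; field names are hypothetical.
const RSC_BODY_KEYS = ["_prefix", "_chunks", "_formData"];
const MINING_PORTS = new Set([3333, 4444]);
const AMSI_MARKERS = ["amsiinitfailed", "amsiutils"]; // compared case-insensitively
const FAKE_UNITS = /^system-updates?-service(\.service)?$/;
const IS_POWERSHELL = /\b(powershell|pwsh)(\.exe)?\b/i;

// PowerShell accepts abbreviated parameter names, so -e, -ec, -enc and longer
// prefixes all mean -EncodedCommand. Match every such form, not just two spellings.
function hasEncodedFlag(cmdline) {
  if (!IS_POWERSHELL.test(cmdline)) return false;
  return cmdline.split(/\s+/).some((tok) => {
    if (!tok.startsWith("-")) return false;
    const t = tok.slice(1).toLowerCase();
    return t === "ec" || (t.length > 0 && "encodedcommand".startsWith(t));
  });
}

// A bare "digits * digits" command, as in the arithmetic validation probe quoted earlier.
function isArithmeticProbe(cmdline) {
  return IS_POWERSHELL.test(cmdline) &&
    /\s-c(ommand)?\s+"?\d+\s*\*\s*\d+"?\s*$/i.test(cmdline);
}

const RULES = [
  { id: "rsc-post-keys", src: "http",
    test: (e) => e.method === "POST" &&
      (e.bodyKeys || []).some((k) => RSC_BODY_KEYS.includes(k)) },
  { id: "ps-encoded-command", src: "proc", test: (e) => hasEncodedFlag(e.cmdline || "") },
  { id: "ps-arithmetic-probe", src: "proc", test: (e) => isArithmeticProbe(e.cmdline || "") },
  { id: "amsi-bypass-4104", src: "ps4104",
    test: (e) => AMSI_MARKERS.some((m) => (e.scriptBlock || "").toLowerCase().includes(m)) },
  { id: "mining-pool-port", src: "net",
    test: (e) => e.direction === "out" && MINING_PORTS.has(e.dstPort) },
  { id: "fake-update-unit", src: "unit", test: (e) => FAKE_UNITS.test(e.name || "") },
];

// Returns one { index, rule } entry per matching rule, in event order.
function detect(events) {
  const hits = [];
  events.forEach((e, index) => {
    for (const rule of RULES) {
      if (rule.src === e.src && rule.test(e)) hits.push({ index, rule: rule.id });
    }
  });
  return hits;
}

// Constructed sample events (not real telemetry); payload contents are placeholders.
const SAMPLE_EVENTS = [
  { src: "http", method: "POST", path: "/", bodyKeys: ["_prefix", "_chunks"] },
  { src: "http", method: "POST", path: "/api/contact", bodyKeys: ["email", "message"] },
  { src: "proc", cmdline: 'powershell -c "40138*41979"' },
  { src: "proc", cmdline: "powershell.exe -EncodedCommand <base64-placeholder>" },
  { src: "proc", cmdline: "node server.js" },
  { src: "ps4104", scriptBlock: "<constructed text mentioning AmsiUtils and amsiInitFailed>" },
  { src: "net", direction: "out", dstPort: 3333 },
  { src: "net", direction: "out", dstPort: 443 },
  { src: "unit", name: "system-updates-service.service" },
];

console.log(detect(SAMPLE_EVENTS));
```

A hit is a lead for triage rather than proof of compromise: legitimate form fields or admin scripts can match, so correlate hits by host and time before acting.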
Temporary Mitigations (If Upgrade Delayed)
For Vercel Customers:
- WAF provides partial protection (not complete)
- Monitor dashboard for exploitation attempts
- Plan upgrade as highest priority
For Other Hosting:
- Deploy available WAF (Cloudflare, AWS WAF, etc.)
- Contact hosting provider for protection options
- Consider taking applications offline until patched
Defense-in-Depth (NOT Complete Protection):
- Block suspicious patterns at reverse proxy/load balancer
- Implement strict input validation
- Isolate affected applications from critical infrastructure
- Monitor aggressively using detection patterns
Critical Reality Check: Active botnet exploitation means constant probing. Every hour of delay increases risk exponentially.
Long-Term Impact: The "Log4Shell of Frontend"
Security researchers are now comparing React2Shell to Log4Shell in terms of long-term impact and exploitation trajectory [7]:
Industry Impact Statistics
Wiz Research has provided comprehensive statistics on React2Shell's impact [10]:
Vulnerability Exposure:
- 45% of cloud environments contain vulnerable React instances [10]
- 61% of Next.js deployments are publicly exposed to the Internet [10]
- 44% of all cloud environments have publicly exposed Next.js instances [10]
- 12% of cloud environments expose vulnerable React/Next.js directly to the Internet [10]
Key Parallels with Log4Shell
Similar Exploitation Velocity:
- Weaponization within hours of public disclosure
- Integration into standard attacker toolkits (Metasploit modules available December 5)
- Automated scanning at massive scale (8.1M+ attack sessions)
- Sustained attack volumes months after patches available
Ubiquitous Framework Creates Massive Attack Surface:
- React is used by millions of applications globally
- Next.js is the dominant React framework for production deployments
- Cloud-native deployment patterns amplify exposure
- Microservices architectures multiply vulnerable endpoints
Long-Tail Exploitation Expected:
- VulnCheck assessment: "Likely to have a long tail" of exploitation [11]
- Daily attack volumes stabilized at 300k-400k (not declining as of January 2026) [1]
- Vulnerability permanently added to attacker reconnaissance playbooks [11]
- Organizations with slow patch cycles remain at risk indefinitely
Sustained Threat Trajectory
Unlike typical vulnerabilities that see exploitation decline after initial waves, React2Shell exhibits characteristics of permanent infrastructure risk:
- Attack volume stabilization (not reduction) indicates systematic integration into attacker toolkits [1]
- New malware families continue to emerge (PeerBlight, CowTunnel, KSwapDoor identified in January 2026) [6]
- Ransomware group adoption signals high-value target assessment and commercial exploitation [7]
- APT group sustained interest suggests strategic intelligence value beyond opportunistic attacks [5]
- 644,000+ unpatched domains (as of January 2026) provide ongoing opportunities for exploitation [2]
Organizations should treat React2Shell as a persistent threat requiring ongoing vigilance, not a one-time patch event. The vulnerability's integration into criminal infrastructure, nation-state operations, and automated exploitation frameworks ensures it will remain a significant risk factor for years to come.
React2Shell mirrors Log4Shell's long-term impact pattern: weaponization within hours, sustained exploitation for years, and permanent toolkit integration. With 44% of cloud environments exposing vulnerable React/Next.js instances and attack volumes stabilized (not declining), this vulnerability will haunt unpatched systems indefinitely. Treat this as infrastructure risk, not a temporary threat.
What This Means for RSC Security
React Server Components represent a significant architectural shift. They blur the line between client and server code, which creates new attack surfaces that didn't exist in traditional client-side React.
React Server Components blur the client/server boundary, creating new attack surfaces. RSC isn't "just React"—it's React running with server privileges. Apply server-side security thinking: input validation, principle of least privilege, defense-in-depth, and coordinated disclosure with platform providers.
This vulnerability is a reminder that:
Server-side code needs server-side security thinking. RSC isn't "just React", it's React running in a privileged environment.
Framework-level protections matter. Vercel's ability to deploy WAF rules across their platform demonstrates the value of managed infrastructure.
The disclosure process is evolving. Coordinated disclosure with platform providers can protect users faster than traditional CVE → Dependabot → CI workflows.
Frequently Asked Questions
Technical Questions
Q: Does this affect Server Actions or only Server Components? A: The vulnerability affects React Server Components (RSC) broadly, including Server Components, Server Actions, and any RSC-based rendering pipeline. If you're using Next.js App Router (13+), you're using RSC and potentially affected.
Q: What about frameworks besides Next.js? A: Yes, any framework using RSC is affected: Vite with RSC, Parcel with RSC, React Router with RSC, RedwoodSDK, Waku, and custom RSC implementations. Check framework security advisories and upgrade React to 19.2.3+.
Q: Is Vercel's WAF protection enough? A: No, you must still upgrade. WAF provides defense-in-depth but cannot guarantee 100% coverage. Bypass variants exist and new exploitation methods emerge constantly. WAF is like a seatbelt—upgrading is fixing the brakes.
Security & Response
Q: How do I know if my application was exploited? A: Check for: unusual POST requests with RSC patterns, PowerShell execution with encoded commands, Event ID 4104 AMSI bypasses, cryptocurrency mining processes, new privileged accounts, and connections to mining pools. If you were vulnerable, upgrade and monitor even without evidence—absence of evidence isn't evidence of absence.
Q: Should I test public exploits on my application? A: Absolutely not. This creates legal risk, potential production damage, suspicious logs, and false security confidence. Instead: verify versions (npm ls next react), check Vercel dashboard, review logs for detection patterns, and upgrade immediately.
Q: What if I can't upgrade immediately? A: Treat as critical incident. For Vercel customers: WAF provides partial protection, monitor dashboard. For others: deploy available WAF, contact hosting provider, consider taking applications offline. Implement temporary mitigations but understand they're not complete protection. Every hour of delay increases risk.
Long-Term Implications
Q: How long will attackers exploit this? A: Expect permanent threat landscape inclusion. Pattern:
- Weeks 1-2 (Dec 2025): Mass scanning, botnet integration—COMPLETE
- Months 1-3 (Dec 2025-Feb 2026): Continued automated exploitation—ONGOING
- Months 3-12 (2026): Standard toolkit integration, persistent scanning
- Year 1+ (2026+): Long-tail exploitation of unmaintained applications
Current status: Attack volume stabilized but not declined. CVEs like this become permanent fixtures in the threat landscape.
Key Takeaways
- Upgrade immediately—this is under active exploitation: Botnet integration confirmed, mass scanning ongoing, post-exploitation includes cryptomining and ransomware staging
- Use Vercel's fix tool for fastest remediation: `npx fix-react2shell-next` automates the upgrade process
- WAF protection is defense-in-depth, not a complete fix: WAF cannot guarantee 100% coverage; bypasses exist and new variants emerge
- Monitor for compromise using the detection patterns: PowerShell Event ID 4104, encoded commands, AMSI bypasses, unusual network connections
- Enable Dependabot security updates: Same-day PRs for critical vulnerabilities are invaluable (when you actually merge them)
- RSC introduces server-side attack surfaces: React Server Components blur client/server boundaries, creating new security considerations
- Expect long-term exploitation: This vulnerability will be part of the threat landscape indefinitely—unpatched systems will be found
- Don't test POCs on production: Use version checks and log analysis instead of running exploits
This incident highlights several important lessons for DevSecOps teams:
- Defense in depth works: Vercel's WAF and Dependabot provided layered protection
- Automated tooling is essential: Automated fix tools and dependency management speed remediation
- Proactive monitoring is critical: Detection patterns help identify potential compromises quickly
- Collaboration matters: Coordinated disclosure with platform providers enhances ecosystem security
Resources
Credit: This vulnerability was responsibly disclosed by Lachlan Davidson. Thanks to Jimour Lai, Luba Kravchenko, and Andy Riancho at Vercel for the coordinated response.
Official Advisories
- CVE-2025-55182 CVE Advisory
- Security Advisory: CVE-2025-66478
- Next.js Security Advisory (GHSA-9qr9-h5gf-34mp)
- React Security Advisory (GHSA-fv66-9v8q-g76r)
Vercel Resources
- Our $1 million hacker challenge for React2Shell
- React2Shell Security Bulletin
- React2Shell Protection Guide
- Vercel Changelog Entry
- Fix Tool (GitHub)
- HackerOne Bounty Program
Threat Intelligence
- Rapid7 Exploitation Tracking
- Datadog Security Labs: Exploitation Analysis
- GreyNoise Blocklists
- Censys Advisory
Footnotes
1. GreyNoise. "CVE-2025-55182 (React2Shell) Opportunistic Exploitation In The Wild." GreyNoise Intelligence, January 2026. greynoise.io; CyberSecurityNews. "Hackers Launched 8.1 Million Attack Sessions to React2Shell." CyberSecurityNews, January 2026. cybersecuritynews.com
2. SiteGuarding. "Critical React Server Components Vulnerability Exposes Over 644,000 Domains." SiteGuarding Security Blog, January 2026. siteguarding.com; CybersecurityDive. "React Server Components crisis escalates." CybersecurityDive, January 2026. cybersecuritydive.com
3. CISA. "Known Exploited Vulnerabilities Catalog." Cybersecurity and Infrastructure Security Agency, December 2025. cisa.gov; Gopher Security. "CISA's KEV Catalog Grows by 1,484 Vulnerabilities in 2025." Gopher Security, December 2025. gopher.security
4. React Team. "Denial of Service and Source Code Exposure in React Server Components." React Blog, December 2025. react.dev; The Hacker News. "New React RSC Vulnerabilities Enable DoS and Source Code Exposure." The Hacker News, December 2025. thehackernews.com
5. AWS Security. "China-nexus cyber threat groups rapidly exploit React2Shell vulnerability." AWS Security Blog, December 2025. aws.amazon.com; Google Cloud. "Multiple Threat Actors Exploit React2Shell (CVE-2025-55182)." Google Cloud Threat Intelligence, December 2025. cloud.google.com; Rescana. "CVE-2025-55182 React2Shell: Chinese APT Groups Exploit Critical React Server Components Vulnerability." Rescana, December 2025. rescana.com
6. Huntress. "PeerBlight Linux Backdoor Exploits React2Shell CVE-2025-55182." Huntress Blog, January 2026. huntress.com; The Hacker News. "React2Shell Vulnerability Actively Exploited to Deploy Linux Malware." The Hacker News, December 2025. thehackernews.com; GBHackers. "PeerBlight Linux Malware Abuses React2Shell for Proxy Tunneling." GBHackers, January 2026. gbhackers.com
7. Bitdefender. "Technical Advisory: React2Shell Critical Unauthenticated RCE in React." Bitdefender Blog, December 2025. bitdefender.com; Talent500. "React2Shell: The Critical React Vulnerability Reshaping Frontend Security." Talent500 Blog, December 2025. talent500.com
8. Mondoo. "How to Fix Critical React and Next.js Vulnerabilities." Mondoo Blog, December 2025. mondoo.com
9. AWS Security. "China-nexus cyber threat groups rapidly exploit React2Shell vulnerability." AWS Security Blog, December 2025. aws.amazon.com
10. Wiz Research. "React2Shell (CVE-2025-55182): Critical React Vulnerability." Wiz Blog, December 2025. wiz.io
11. CyberScoop. "Inside Vercel's sleep-deprived race to contain React2Shell." CyberScoop, December 2025. cyberscoop.com; The Hacker News. "React2Shell Exploitation Delivers Crypto Miners and New Malware." The Hacker News, December 2025. thehackernews.com
12. The Hacker News. "Critical React2Shell Flaw Added to CISA KEV After Confirmed Active Exploitation." The Hacker News, December 2025. thehackernews.com
13. Cloudflare. "React2Shell and related RSC vulnerabilities threat brief." Cloudflare Blog, December 2025. blog.cloudflare.com
14. Microsoft Security. "Defending against the CVE-2025-55182 (React2Shell) vulnerability." Microsoft Security Blog, December 2025. microsoft.com
15. Dynatrace. "React2Shell CVE-2025-55182: What it is and what to do." Dynatrace Blog, December 2025. dynatrace.com
16. JFrog. "React2Shell (CVE-2025-55182): Detection & Mitigation Guide." JFrog Blog, December 2025. jfrog.com