React2Shell Remote Code Execution Vulnerability in React 19 and Next.js
A critical remote code execution vulnerability, dubbed React2Shell, was discovered in the React 19 library, specifically affecting React Server Components. The flaw allows unauthenticated attackers to execute arbitrary code on servers by sending crafted requests, making it a severe risk for organizations using default React and Next.js deployments. Within hours of public disclosure, security firms including Google’s Threat Intelligence Group and AWS confirmed active exploitation in the wild, highlighting the shrinking window between vulnerability awareness and real-world attacks. Researchers from Wiz and Unit 42 demonstrated that even clean, default deployments were susceptible, emphasizing the widespread impact due to the popularity of these frameworks.
Threat actors rapidly weaponized the React2Shell vulnerability, with the RondoDoX botnet launching automated exploitation campaigns targeting both web applications and IoT devices. CloudSEK’s analysis of command and control logs revealed a multi-month campaign, with a significant spike in attacks following the vulnerability’s disclosure in December 2025. The RondoDoX botnet deployed various payloads, including web shells and cryptominers, and quickly adapted its infrastructure in response to security firm reports. Organizations with technology stacks overlapping the targeted vectors were promptly alerted, underscoring the urgent need for patching and monitoring in environments using React 19 and Next.js.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
12 events from the most recent confirmed update back to the earliest known activity.
CISA adds CVE-2025-55182 to the KEV catalog
By December 31, 2025, reporting noted that CISA had added CVE-2025-55182 to its Known Exploited Vulnerabilities catalog. The listing underscored that the flaw was actively exploited and required urgent remediation.
State-linked actors tied to React2Shell exploitation
Reporting in late December 2025 linked both criminal and state-aligned actors to React2Shell exploitation, including China-linked groups Earth Lumia and Jackpot Panda and North Korean operators. The flaw was described as being used for both initial access and persistent compromise.
Widespread exposure of vulnerable React2Shell systems reported
By late December 2025, researchers and internet scanning data reported tens of thousands of exposed vulnerable systems, with estimates ranging from about 77,000 in early December to more than 90,000 by the end of the month. Most exposed instances were reported in the United States.
Researchers confirm exploitation within hours of disclosure
Multiple vendors and researchers, including Google, AWS, Wiz, Unit 42, and Huntress, confirmed that React2Shell was exploited in the wild within hours of public disclosure. They also documented post-exploitation activity such as backdoors, tunneling tools, and cryptomining kits.
React and downstream frameworks release patches
React maintainers and downstream frameworks released patches for React2Shell and urged organizations to update immediately. Security guidance emphasized that patching should be paired with threat hunting because compromise could have already occurred.
React2Shell flaw is publicly disclosed as critical RCE
A critical unauthenticated remote code execution flaw in React 19 Server Components, tracked as CVE-2025-55182 and dubbed React2Shell, was publicly disclosed in December 2025. The bug affected default React and Next.js deployments and was rated CVSS 10.0.
Attackers shift infrastructure after React2Shell exposure
After Darktrace's December 10 reporting, RondoDox operators changed infrastructure, and CloudSEK observed new active command-and-control servers three days later. This indicated rapid adaptation to public scrutiny while continuing exploitation.
RondoDox begins repeated React2Shell attacks
CloudSEK observed exploitation of the Next.js/React Server Components flaw becoming the dominant RondoDox vector from December 13, 2025 onward. The botnet repeatedly delivered payloads including coinminers, Mirai-related binaries, and persistence tooling.
React2Shell exploitation publicly reported by Darktrace
CloudSEK said Darktrace publicly reported exploitation of React2Shell on December 10, 2025. This was an early public indication that attackers were already abusing the flaw in the wild.
RondoDox shifts to large-scale automated IoT deployment
By late 2025, the campaign had progressed from reconnaissance and web exploitation into hourly automated attacks that deployed botnet malware to IoT devices. Reports describe this as a distinct operational phase focused on scale, persistence, and propagation.
Fortinet first identifies RondoDox botnet activity
BleepingComputer said Fortinet first identified RondoDox in July 2025. By that point, the botnet had already been evolving its operations against exposed infrastructure.
RondoDox campaign begins reconnaissance and vulnerability testing
CloudSEK reported that the RondoDox botnet campaign started in March 2025 with reconnaissance and manual vulnerability testing against web applications and internet-exposed devices. This marked the first phase of a broader automated operation that later expanded to web servers and IoT targets.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
11 references tracked. Mallory keeps watching after this page renders.
RondoDox Botnet Expands Scope With React2Shell Exploitation
darkreading.com
Open sourceRondoDox Botnet is Using React2Shell to Hijack Thousands of Unpatched Devices
hackread.com
Open sourceRondoDox Botnet Exploiting Devices With React2Shell Flaw
bankinfosecurity.com
Open sourceRondoDoX Botnet Weaponizing a Critical React2Shell Vulnerability to Deploy Malware
cybersecuritynews.com
Open sourceRondoDox Botnet Actively Exploits React2Shell Vulnerability (CVE-2025-55182) in Next.js and React Server Components
rescana.com
Open sourceRondoDox botnet exploits React2Shell flaw to breach Next.js servers
bleepingcomputer.com
Open sourceRondoDoX Botnet Weaponizes React2Shell | CloudSEK
cloudsek.com
Open sourceReact2Shell: Anatomy of a max-severity flaw that sent shockwaves through the web
csoonline.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Exploitation of React2Shell Vulnerability by Botnets and Threat Actors
A critical unauthenticated remote code execution (RCE) vulnerability, identified as React2Shell (`CVE-2025-55182`), was disclosed in December 2025, affecting applications built with React Server Components and related frameworks such as Next.js. Public proof-of-concept exploits were released shortly after disclosure, enabling attackers to inject and execute arbitrary code on vulnerable systems. Security researchers and vendors, including Sysdig, responded by publishing detection guidance and threat bulletins, urging organizations to patch affected software, update dependencies, and monitor for signs of compromise. The vulnerability's severity and ease of exploitation have made it a high-priority target for both opportunistic and advanced threat actors. Notably, botnet operators, including those behind the RondoDox botnet, have begun actively targeting the React2Shell flaw to compromise systems at scale. Security advisories recommend immediate patching and enhanced monitoring, as exploitation attempts have increased rapidly following the public release of exploit code. The incident underscores the ongoing risk posed by supply chain and framework vulnerabilities, especially when widely used components are affected and attackers move quickly to weaponize new flaws.
Mar 21, 2026
React2Shell RCE in React Server Components Triggers Active Exploitation
A severe remote code execution vulnerability tracked as **`CVE-2025-55182`** was disclosed in **React Server Components** and quickly became known as **React2Shell**, with reporting indicating that exploitation spread soon after public disclosure. Security coverage from eSentire, BitSight, and Computer Weekly described the flaw as affecting React and Next.js environments, warned defenders to assess internet-exposed applications, and noted that attackers were moving from proof-of-concept activity toward broader exploitation. Public GitHub repositories rapidly appeared with exploit code, scanners, and remediation-focused projects, including tools explicitly labeled for **`CVE-2025-55182`** and **React2Shell** detection or exploitation. Repositories such as **`React2Shell-PoC`**, multiple **PoC scanners**, auto-exploit projects, and checkers lowered the barrier to weaponization, while at least one repository advertised fixes for React 19 users. The volume and speed of public tooling indicate that organizations running React Server Components or Next.js services faced immediate pressure to identify exposed systems, apply vendor fixes, and monitor for signs of remote code execution attempts.
May 25, 2026
Active Exploitation of React2Shell (CVE-2025-55182) in React Server Components
Threat actors are actively exploiting **React2Shell** (**CVE-2025-55182**), a critical remote code execution flaw in the Flight protocol used for client-server communication in **React Server Components**. The issue is attributed to **insecure deserialization** that can allow unauthorized code execution on vulnerable servers, with observed targeting across insurance, e-commerce, and IT organizations. Reported payloads include the **XMRig** cryptocurrency miner as well as multiple botnets and remote access tooling; campaigns observed against Russian entities deployed **RustoBot** and **Kaiji**, while other activity distributed malware such as **CrossC2**, **Tactical RMM**, **VShell**, and **EtherRAT**. Affected packages include `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack` in versions **19.0**, **19.1.0**, **19.1.1**, and **19.2.0**, with fixes available in **19.0.1**, **19.1.2**, and **19.2.1**. Separate reporting highlighted that attackers leveraged a **public proof-of-concept (PoC)** for React2Shell and began targeting organizations within hours, reinforcing that rapid weaponization is now common; defenders are advised to patch and also perform post-patch validation, including checking for indicators of compromise, verifying *Next.js* and dependency versions, rebuilding projects after updates, and confirming lockfiles no longer reference vulnerable package versions.
Apr 9, 2026