React2Shell RCE in React Server Components Triggers Active Exploitation
A severe remote code execution vulnerability tracked as CVE-2025-55182 was disclosed in React Server Components and quickly became known as React2Shell, with reporting indicating that exploitation spread soon after public disclosure. Security coverage from eSentire, BitSight, and Computer Weekly described the flaw as affecting React and Next.js environments, warned defenders to assess internet-exposed applications, and noted that attackers were moving from proof-of-concept activity toward broader exploitation.
Public GitHub repositories rapidly appeared with exploit code, scanners, and remediation-focused projects, including tools explicitly labeled for CVE-2025-55182 and React2Shell detection or exploitation. Repositories such as React2Shell-PoC, multiple PoC scanners, auto-exploit projects, and checkers lowered the barrier to weaponization, while at least one repository advertised fixes for React 19 users. The volume and speed of public tooling indicate that organizations running React Server Components or Next.js services faced immediate pressure to identify exposed systems, apply vendor fixes, and monitor for signs of remote code execution attempts.

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Invicti expands React2Shell coverage to include CVE-2025-66478
Invicti published a technical write-up describing React2Shell as a critical RCE issue affecting React Server Components and Next.js, covering both CVE-2025-55182 and CVE-2025-66478. The article broadened public understanding of the issue beyond the original single-CVE disclosure before combined PoC tooling appeared publicly.
GitHub Gist publishes CVE-2025-55182 Python exploit code
A GitHub Gist titled "CVE-2025-55182.py" was published, indicating continued public circulation of exploit code for the React2Shell vulnerability. Its appearance shows offensive tooling for CVE-2025-55182 remained available and was still being repackaged after earlier PoC releases.
Additional CVE-2025-55182 PoC repository is published
Another GitHub proof-of-concept repository for CVE-2025-55182 was published, showing continued community replication and circulation of exploit code months after the initial disclosure. This reflects sustained public availability of offensive tooling for the flaw.
React2Shell combined PoC for CVE-2025-55182 and CVE-2025-66478 is published
A GitHub repository titled React2Shell-PoC was published with exploitation and scanning tools for CVE-2025-55182 and CVE-2025-66478 in Next.js and React Server Components. This expanded public exploit tooling beyond the initial December repositories.
Bitsight publishes initial analysis of React2Shell exploitation
Bitsight released an analysis focused on observed React2Shell exploitation tied to CVE-2025-55182. The report provided additional technical detail and evidence that exploitation activity had become significant enough to study separately.
Reports warn that React2Shell exploitation is spreading
Computer Weekly reported that security teams were on alert as exploitation of the React2Shell vulnerability spread. This marks an escalation from disclosure and proof-of-concept publication to active exploitation concerns.
Public exploit and scanner repositories for CVE-2025-55182 appear on GitHub
Multiple GitHub repositories publishing exploit code, scanners, and workaround material for CVE-2025-55182 were created or made public, including exploit, checker, scanner, and fix-themed projects. Their appearance indicates rapid public weaponization and defender interest immediately after disclosure.
eSentire discloses severe React Server Components RCE flaw CVE-2025-55182
eSentire published a security advisory describing CVE-2025-55182 as a severe remote code execution vulnerability affecting React Server Components. This appears to be the first referenced public disclosure of the flaw later dubbed React2Shell.
Sources
17 references tracked.
GitHub - vick333-peniel/ReactExploitGUI: Exploit CVE-2025-55182 effortlessly with this GUI tool for vulnerability detection, command execution, and Shell reverse connections (github.com)
CVE-2025-55182.py (gist.github.com)
GitHub - mooowu/cve-2025-55182-poc (github.com)
GitHub - jensnesten/React2Shell-PoC: RCE exploit PoC for CVE-2025-55182 and CVE-2025-66478 in Next.js and React Server Components with scanner and exploitation tools (github.com)
GitHub - im-hanzou/CVE-2025-55182-POC-SCANNER: Unified Security Research Tool (github.com)
Security advisory for React2Shell - Announcements - Vercel Community (community.vercel.com)
CVE-2025-55182 | NoHackMe (cve.nohackme.com)
React2Shell: Critical RCE in React Server Components and Next.js (CVE-2025-55182, CVE-2025-66478) (invicti.com)