A new vulnerability in the React framework has left over 77,000 internet-exposed IP addresses open to exploitation. The React2Shell remote code execution flaw (CVE-2025-55182) can be triggered via a single HTTP request and affects all frameworks that use React Server Components, including Next.js.
Researchers have confirmed that attackers have already compromised over 30 organizations across multiple sectors using this vulnerability. Companies like Cloudflare have rolled out emergency detections and mitigations to address the issue, but an initial update caused an outage affecting numerous websites.
To fix the vulnerability, developers must update React to the latest version, rebuild their applications, and redeploy them. The US government’s Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply patches by December 26, 2025.
As a result of this vulnerability, threat actors have been using automated tools to scan for the React2Shell flaw. GreyNoise reported 181 distinct IP addresses attempting to exploit the flaw over the past 24 hours, with most traffic originating from the Netherlands, China, and the US.
Companies should take immediate action to patch the vulnerability and review their logs for signs of PowerShell or shell command execution.
Source: https://www.bleepingcomputer.com/news/security/react2shell-flaw-exploited-to-breach-30-orgs-77k-ip-addresses-vulnerable