dcontesti
Community Champion

React2Shell flaw exploited to breach 30 orgs, 77k IP addresses vulnerable

A CVSS 10.0 vulnerability (CVE-2025-55182, dubbed "React2Shell") allowing unauthenticated remote code execution due to unsafe deserialization in React Server Components was reported on November 29, 2025, and has since been confirmed as actively exploited worldwide. The flaw was publicly disclosed and patched on Wednesday, December 3, but reports from AWS honeypots and analysis from GreyNoise and Shadowserver, among others, confirm "opportunistic" exploitation by multiple threat actors believed to be Chinese state-sponsored groups. These attacks use "both automated scanning tools and individual PoC exploits," some of which leverage "public PoCs that don't actually work in real-world scenarios ... demonstrat[ing] fundamental misunderstandings of the vulnerability," according to AWS, who posit that the threat actors are prioritizing speed over accuracy, relying on a high volume of scans, abusing the availability of even ineffective public exploits, and potentially benefitting from masking by noise generated in failed attempts. The default configuration of React and downstream Next.js are vulnerable; Shadowserver reported 77,664 vulnerable IPs observed on December 6, and Censys has observed "just over 2.15 million instances of internet facing services that may be affected by this vulnerability," emphasizing that "any internet-accessible server running affected React Server Components code should be assumed vulnerable until updated as a precaution." Users are urged to update immediately, and federal agencies must do so by December 26, as the flaw has been added to the Cybersecurity and Infrastructure Security Agency's (CISA's) Known Exploited Vulnerabilities (KEV) catalog.
Meanwhile, Cloudflare CTO Dane Knecht reports that a global Cloudflare outage on Friday, December 5, affecting about 28 percent of HTTP traffic served by Cloudflare, was "triggered by changes being made to [Cloudflare's] body parsing logic" while the provider was implementing detections and mitigations for the React flaw in its Web Application Firewall (WAF).

You can read more here:

https://bit.ly/4poNTvP

Or here:

https://bit.ly/3KFBuVl


0 Replies