A newly disclosed vulnerability, React2Shell (CVE-2025-55182), is attracting significant attention across the digital landscape. The issue affects modern versions of React and Next.js, two core technologies behind a vast number of business applications, customer interfaces and digital services.
What makes this vulnerability particularly concerning is that attackers can exploit it without authentication, potentially enabling remote code execution on affected servers. As a result, React2Shell received a CVSS 10.0, the highest possible severity rating.
This blog gives a clear overview of the issue, explains why it matters, and then presents the full technical analysis and recommended steps prepared by Cegeka’s security specialists.
For Cegeka Modern SOC customers, those actions have already been taken and can be tracked via the Horizon observability platform and their respective Security Advisors.
Understanding React2Shell
React and Next.js are widely used frameworks for building modern digital experiences. The vulnerability resides in a part of these frameworks called React Server Components, used in:
- React 19.x
- Next.js 15.x and 16.x with the App Router
A crucial insight for organizations is that applications may be vulnerable even if they do not actively use server functions. If React Server Components are enabled, the application is exposed regardless of whether it defines any server function of its own.
Shortly after the vulnerability was disclosed on November 29, exploitation attempts were already observed:
- December 4: first exploitation activity
- December 5: several researchers published proof-of-concept exploit code
- Multiple threat actors, including Earth Lamia and Jackpot Panda, began probing targets
This rapid progression underscores the importance of timely assessment and remediation.
Why this matters for organizations
Many organizations rely on digital systems built with React or Next.js, directly or through partners, vendors or SaaS platforms. A vulnerability in such a broadly adopted technology introduces several risks:
- Potential compromise of application servers
- Unauthorized access to data
- Disruption of services
- The possibility of attackers gaining a foothold inside broader environments
Even if your organization is not developing applications internally, it is essential to confirm whether third-party solutions or suppliers rely on affected components.
Technical Details
The following section contains the detailed technical threat summary, detection guidance and indicators of compromise as prepared by our Cegeka Modern SOC experts.
Threat Summary
A deserialization vulnerability affecting React Server Components in React 19.x and Next.js 15.x/16.x with the App Router was disclosed by security researcher Lachlan Davidson on November 29.
Applications may be vulnerable even if server functions are not explicitly used, as long as React Server Components are supported.
Successful exploitation can lead to unauthenticated remote code execution, resulting in a CVSS 10.0 severity rating.
Proof-of-concept exploit code has been publicly available since December 5, and exploitation attempts have been traced back to December 4. Both opportunistic attackers and advanced state-linked threat groups, including Earth Lamia and Jackpot Panda, have been observed attempting to exploit the vulnerability.
Below are our recommendations in terms of response actions and detection logic to be deployed. For Cegeka Modern SOC customers, those actions have already been taken and can be tracked via the Horizon observability platform and their respective Security Advisors.
Recommendations
- Identify and update vulnerable React/Next.js applications (e.g. through vulnerability scanning);
- Deploy WAF and/or web server access log-based signatures for TTPs + IOCs to detect/block exploitation attempts;
- Deploy endpoint signatures for TTPs + IOCs to detect/block exploitation attempts;
- Hunt for exploitation attempts through TTPs and IOCs in the available data sources over the full retention period.
TTPs for WAF/web server access log-based detection signatures
- HTTP POST requests to application endpoints with ‘next-action’ or ‘rsc-action-id’ headers;
- Request bodies containing ‘$@’ patterns;
- Request bodies containing ‘"status":"resolved_model"’ patterns.
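The three web indicators above can be combined into one request classifier. The following is an added example written for this post, not code from the Cegeka SOC or from React/Next.js; the request shape ({method, headers, body}), the scoring (body patterns block, headers alone only flag for review) and the sample traffic are assumptions made here.

```javascript
// Added example (not part of the Cegeka advisory): evaluate one HTTP request
// against the web TTPs listed above. The request shape {method, headers, body}
// is an assumption; feed it whatever your WAF, reverse proxy or middleware sees.

const RSC_ACTION_HEADERS = ['next-action', 'rsc-action-id'];

// Body patterns from the advisory. The second one tolerates whitespace around
// the colon, which a literal substring match would miss.
const BODY_PATTERNS = [
  { name: 'rsc-reference', re: /\$@/ },
  { name: 'resolved-model', re: /"status"\s*:\s*"resolved_model"/ },
];

// HTTP header names are case-insensitive, so normalise before matching.
function lowerHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = v;
  return out;
}

// Returns { matches, verdict } with verdict 'block' | 'review' | 'allow'.
// The scoring is an assumption, not advisory text: the action headers are sent
// by every legitimate Server Action call, so on their own they only warrant
// logging; the body patterns are what marks a request as hostile.
function classifyRequest(req) {
  const matches = [];
  if (String(req.method || '').toUpperCase() === 'POST') {
    const h = lowerHeaders(req.headers);
    for (const name of RSC_ACTION_HEADERS) {
      if (name in h) matches.push(`header:${name}`);
    }
  }
  const body = typeof req.body === 'string' ? req.body : '';
  for (const p of BODY_PATTERNS) {
    if (p.re.test(body)) matches.push(`body:${p.name}`);
  }
  const hasBody = matches.some((m) => m.startsWith('body:'));
  const hasHeader = matches.some((m) => m.startsWith('header:'));
  const verdict = hasBody ? 'block' : hasHeader ? 'review' : 'allow';
  return { matches, verdict };
}

// Constructed sample traffic (not captured data). The hostile body only
// contains the two indicator strings; it is not a working payload.
const SAMPLE_REQUESTS = {
  staticGet: { method: 'GET', headers: { accept: 'text/html' }, body: '' },
  legitAction: {
    method: 'POST',
    headers: { 'Next-Action': '40e1f3b2c8a7d6e5', 'content-type': 'text/plain;charset=UTF-8' },
    body: '["order-1234"]',
  },
  hostile: {
    method: 'POST',
    headers: { 'Next-Action': 'x', 'content-type': 'text/plain;charset=UTF-8' },
    body: '{"status": "resolved_model", "value": "$@"}',
  },
};

function classifySamples(samples = SAMPLE_REQUESTS) {
  return Object.fromEntries(
    Object.entries(samples).map(([id, req]) => [id, classifyRequest(req)])
  );
}

console.log(classifySamples());
```

Two caveats when turning this into a WAF rule: a ‘next-action’ header is present on every legitimate Server Action invocation, so blocking on the header alone takes the application down for its own users; and ‘$@’ can occur in ordinary form input (shell snippets, passwords), so pair the body patterns with the header match or with a 4xx/5xx response before treating a single hit as an intrusion rather than a lead.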
TTPs for endpoint detection signatures
- New processes spawned by Node.js/React application processes;
- Unexpected execution of reconnaissance commands (whoami, id, uname);
- Attempts to read /etc/passwd;
- Suspicious file writes to /tmp/ directory (for example, pwned.txt).
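The endpoint indicators above all hinge on process lineage: the suspicious activity is a shell, a reconnaissance binary or a file operation whose ancestry leads back to the Node.js application process. The following is an added example, not Cegeka or EDR vendor code; the event schema (type, image, ancestors, cmdline, op, path), the set of runtime image names and the sample events are assumptions made here and must be mapped onto your EDR's own fields.

```javascript
// Added example (not part of the Cegeka advisory): turn the endpoint TTPs
// above into rules over process-creation and file events. Event schema and
// sample events are constructed; map your EDR's field names onto them.

const NODE_IMAGES = new Set(['node', 'nodejs']);          // assumed runtime names
const SHELLS = new Set(['sh', 'bash', 'dash', 'zsh']);
const RECON_COMMANDS = new Set(['whoami', 'id', 'uname']);

function basename(p) {
  return String(p || '').split('/').pop();
}

// True when the process itself or any ancestor is a Node.js runtime, i.e. the
// activity originates from the application process rather than from cron,
// an SSH session or some other unrelated parent.
function underNode(ev) {
  return [ev.image, ...(ev.ancestors || [])].some((p) => NODE_IMAGES.has(basename(p)));
}

// Split a command line into basenames so "sh -c /usr/bin/id" yields "id".
function tokens(cmdline) {
  return String(cmdline || '').split(/\s+/).filter(Boolean).map(basename);
}

// Returns the list of matched rule names (empty when nothing matched).
function classifyEvent(ev) {
  const reasons = [];
  if (!underNode(ev)) return reasons;
  if (ev.type === 'process') {
    const image = basename(ev.image);
    if (SHELLS.has(image)) reasons.push('node-spawned-shell');
    if (RECON_COMMANDS.has(image) || tokens(ev.cmdline).some((t) => RECON_COMMANDS.has(t))) {
      reasons.push('recon-command');
    }
  } else if (ev.type === 'file') {
    if (ev.op === 'read' && ev.path === '/etc/passwd') reasons.push('passwd-read');
    if (ev.op === 'write' && String(ev.path).startsWith('/tmp/')) reasons.push('tmp-write');
  }
  return reasons;
}

// Constructed sample telemetry (not real EDR data).
const SAMPLE_EVENTS = [
  { id: 'app-start', type: 'process', image: '/usr/local/bin/node',
    ancestors: ['/usr/bin/containerd-shim-runc-v2'], cmdline: 'node server.js' },
  { id: 'shell-from-node', type: 'process', image: '/bin/sh',
    ancestors: ['/usr/local/bin/node', '/usr/bin/containerd-shim-runc-v2'], cmdline: 'sh -c id' },
  { id: 'recon-child', type: 'process', image: '/usr/bin/uname',
    ancestors: ['/bin/sh', '/usr/local/bin/node'], cmdline: 'uname -a' },
  { id: 'passwd-read', type: 'file', op: 'read', path: '/etc/passwd',
    image: '/bin/cat', ancestors: ['/bin/sh', '/usr/local/bin/node'] },
  { id: 'tmp-marker', type: 'file', op: 'write', path: '/tmp/pwned.txt',
    image: '/usr/bin/touch', ancestors: ['/bin/sh', '/usr/local/bin/node'] },
  { id: 'unrelated-cron', type: 'process', image: '/bin/sh',
    ancestors: ['/usr/sbin/cron'], cmdline: 'sh -c /usr/local/bin/backup.sh' },
];

function classifyAll(events = SAMPLE_EVENTS) {
  return Object.fromEntries(events.map((ev) => [ev.id, classifyEvent(ev)]));
}

console.log(classifyAll());
```

Scope these rules to the production runtime. Build and development servers legitimately spawn shells from node (npm scripts, bundler plugins), and some applications write temporary files under /tmp themselves, so run the rules against hosts or containers that only serve traffic, and treat the process rules as high fidelity and the /tmp write rule as a corroborating signal.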
IOCs
206[.]237.3.150 (Earth Lamia)
45[.]77.33.136 (Jackpot Panda)
143[.]198.92.82 (Anonymization Network)
183[.]6.80.214 (Unattributed threat cluster)
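For the retrospective hunt recommended above, the defanged addresses must be refanged and then matched against the client IP field of web server access logs. The following is an added example, not Cegeka tooling; the log lines are constructed for the example (benign entries use RFC 5737 documentation addresses), and the attributions are copied from the IOC list above.

```javascript
// Added example (not part of the Cegeka advisory): refang the defanged IOCs
// from the list above and sweep access log lines for them. Log lines are
// constructed; attributions are copied from the advisory's IOC list.

const DEFANGED_IOCS = {
  '206[.]237.3.150': 'Earth Lamia',
  '45[.]77.33.136': 'Jackpot Panda',
  '143[.]198.92.82': 'Anonymization Network',
  '183[.]6.80.214': 'Unattributed threat cluster',
};

// Defanging wraps one or more dots in brackets; undo every occurrence.
function refang(ioc) {
  return ioc.replace(/\[\.\]/g, '.');
}

const IOC_IPS = new Map(
  Object.entries(DEFANGED_IOCS).map(([ip, actor]) => [refang(ip), actor])
);

// Apache/nginx combined log format: client IP, identd, user, [time],
// "method path protocol", status. Adjust the regex for other formats.
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Returns one record per log line whose client IP is a listed IOC.
function huntLog(lines) {
  const hits = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    const actor = IOC_IPS.get(rec.ip);
    if (actor) hits.push({ ...rec, actor });
  }
  return hits;
}

// Constructed sample log (not captured traffic).
const SAMPLE_LOG = [
  '203.0.113.7 - - [04/Dec/2025:10:15:01 +0000] "GET /dashboard HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
  '206.237.3.150 - - [04/Dec/2025:10:16:44 +0000] "POST / HTTP/1.1" 500 0 "-" "python-requests/2.32"',
  '45.77.33.136 - - [05/Dec/2025:02:03:19 +0000] "POST /api/checkout HTTP/1.1" 200 41 "-" "curl/8.5.0"',
  '198.51.100.23 - - [05/Dec/2025:02:05:00 +0000] "POST /api/checkout HTTP/1.1" 200 41 "-" "Mozilla/5.0"',
  'garbage line that does not parse',
];

console.log(huntLog(SAMPLE_LOG));
```

Two things to keep in mind when running this against real data: behind a CDN or load balancer the first field is the proxy's address, so match on the forwarded client IP field your log format carries instead; and a hit on the address labelled "Anonymization Network" is shared infrastructure, so it establishes that the source is suspicious, not which actor it was.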
Sources
https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-v…
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
https://securitylabs.datadoghq.com/articles/cve-2025-55182-react2shell-remote-code-execution-react-…
https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
https://react2shell.com/
https://github.com/lachlan2k/React2Shell-CVE-2025-55182-original-poc
https://github.com/lachlan2k/React2Shell-CVE-2025-55182-original-poc/blob/main/01-submitted-poc.js
https://www.elastic.co/security-labs/unmasking-financial-services-intrusion-ref0657
https://www.crowdstrike.com/adversaries/jackpot-panda/
https://blog.sekoia.io/bulbature-beneath-the-waves-of-gobrat/#h-orbs
https://github.com/assetnote/react2shell-scanner
https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r
https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp
https://github.com/search?q=CVE-2025-55182+AND+PoC+OR+POC&type=repositories