A newly disclosed vulnerability, React2Shell (CVE-2025-55182), is attracting significant attention across the digital landscape. The issue affects modern versions of React and Next.js, two core technologies behind a vast number of business applications, customer interfaces and digital services.
What makes this vulnerability particularly concerning is that attackers can exploit it without authentication, potentially enabling remote code execution on affected servers. As a result, React2Shell received a CVSS 10.0, the highest possible severity rating.
This blog provides a clear understanding of the issue, why it matters and what steps are advised, followed by the full technical analysis prepared by Cegeka’s security specialists.
For Cegeka Modern SOC customers, those actions have already been taken and can be tracked via the Horizon observability platform and their respective Security Advisors.
Understanding React2Shell
React and Next.js are widely used frameworks for building modern digital experiences. The vulnerability resides in a part of these frameworks called React Server Components, used in:
- React 19.x
- Next.js 15.x and 16.x with the App Router
A crucial insight for organizations is that applications may be vulnerable even if they are not actively using server functions. If React Server Components are supported, risk may still exist.
Shortly after the vulnerability was disclosed on November 29, exploitation attempts were already observed:
- December 4: first exploitation activity
- December 5: several researchers published proof-of-concept exploit code
- Multiple threat actors, including Earth Lamia and Jackpot Panda, began probing targets
This rapid progression underscores the importance of timely assessment and remediation.
Why this matters for organizations
Many organizations rely on digital systems built with React or Next.js, directly or through partners, vendors or SaaS platforms. A vulnerability in such a broadly adopted technology introduces several risks:
- Potential compromise of application servers
- Unauthorized access to data
- Disruption of services
- The possibility of attackers gaining a foothold inside broader environments
Even if your organization is not developing applications internally, it is essential to confirm whether third-party solutions or suppliers rely on affected components.
Recommended steps for organizations
Although each environment is different, several general recommendations apply:
- Identify where React and Next.js are used
Determine whether your organization, or your suppliers, use React 19.x or Next.js 15.x/16.x (App Router).
- Apply the available patches
Updated, patched versions have been released by both React and Vercel (Next.js).
- Strengthen monitoring and detection
Given ongoing exploitation activity, organizations should ensure robust monitoring is in place, including WAF rules, endpoint visibility and log analysis.
- Review historical logs
Because attacks started before broad public awareness, reviewing previous activity for indicators of compromise is advised.
Technical Details
The following section contains the detailed technical threat summary, detection guidance and indicators of compromise as prepared by our Cegeka Modern SOC experts.
Threat Summary
A deserialization vulnerability affecting React Server Components in React 19.x and Next.js 15.x/16.x with the App Router was disclosed by security researcher Lachlan Davidson on November 29.
Applications may be vulnerable even if server functions are not explicitly used, as long as React Server Components are supported.
Successful exploitation can lead to unauthenticated remote code execution, resulting in a CVSS 10.0 severity rating.
Proof-of-concept exploit code has been publicly available since December 5, and exploitation attempts have been traced back to December 4. Both opportunistic attackers and advanced state-linked threat groups – including Earth Lamia and Jackpot Panda – have been observed attempting to exploit the vulnerability.
Below are our recommendations in terms of response actions and detection logic to be deployed. For Cegeka Modern SOC customers, those actions have already been taken and can be tracked via the Horizon observability platform and their respective Security Advisors.
Recommendations
- Identify and update vulnerable React/Next.js applications (e.g. through vulnerability scanning);
- Deploy WAF and/or web server access log-based signatures for TTPs + IOCs to detect/block exploitation attempts;
- Deploy end-point signatures for TTPs + IOCs to detect/block exploitation attempts;
- Hunt for exploitation attempts through TTPs and IOCs in the available data sources over the full retention period.
TTPs for WAF/web server access log-based detection signatures
- HTTP POST requests to application endpoints with ‘next-action’ or ‘rsc-action-id’ headers;
- Request bodies containing ‘$@’ patterns;
- Request bodies containing ‘"status":"resolved_model"’ patterns.
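The three web-layer TTPs above can be turned into a small request classifier. The following is an added example written for this post (not Cegeka's own detection content); the request records are constructed samples, and the placeholder header values and paths are assumptions. It also shows the tuning point a practitioner will hit: a `Next-Action` header on its own is sent by legitimate Next.js server-action calls, so the header is combined with the body indicators before raising an alert.

```python
import re
from dataclasses import dataclass

# Header names and body patterns are the WAF/web-log TTPs listed in the advisory.
RSC_ACTION_HEADERS = {"next-action", "rsc-action-id"}
BODY_PATTERNS = {
    "body_reference_marker": re.compile(r"\$@"),
    "body_resolved_model": re.compile(r'"status"\s*:\s*"resolved_model"'),
}


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict   # header names may arrive in any letter case
    body: str


def classify(req: HttpRequest) -> tuple:
    """Return (verdict, matched TTPs) for one request.

    'alert'  : POST carrying an RSC action header AND a suspicious body pattern
    'review' : only one side matched; the header alone is also present on
               legitimate Next.js server-action traffic, so it is low-signal
    'clean'  : nothing matched (all listed TTPs concern POST requests)
    """
    if req.method.upper() != "POST":
        return "clean", []
    present = {k.lower() for k in req.headers}
    header_hits = [f"header:{h}" for h in sorted(RSC_ACTION_HEADERS & present)]
    body_hits = [name for name, pat in BODY_PATTERNS.items() if pat.search(req.body)]
    hits = header_hits + body_hits
    if not hits:
        return "clean", []
    return ("alert" if header_hits and body_hits else "review"), hits


# Constructed sample traffic (not real captures); header values are placeholders.
NORMAL_LOGIN = HttpRequest("POST", "/api/login", {"Content-Type": "application/json"},
                           '{"user":"alice","password":"<redacted>"}')
LEGIT_ACTION = HttpRequest("POST", "/dashboard", {"Next-Action": "<action-id>"},
                           '["form-field-value"]')
SUSPECT = HttpRequest("POST", "/", {"Next-Action": "<x>", "RSC-Action-Id": "<x>"},
                      '{"0":"$@1","1":{"status":"resolved_model","value":"<x>"}}')

if __name__ == "__main__":
    for label, req in [("login", NORMAL_LOGIN), ("action", LEGIT_ACTION), ("suspect", SUSPECT)]:
        print(label, classify(req))
```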
TTPs for End-point detection signatures
- New processes spawned by Node.js/React application processes;
- Unexpected execution of reconnaissance commands (whoami, id, uname);
- Attempts to read /etc/passwd;
- Suspicious file writes to /tmp/ directory (for example, pwned.txt).
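The endpoint TTPs above map onto process-creation telemetry. The following is an added example for this post (not Cegeka's own signature content) that evaluates constructed process events in the shape an EDR might record; the field names, the set of Node.js parent image names and the sample paths are assumptions. The key point it encodes is parent/child context: a recon command is only attributed to the web application when its ancestor is the Node.js process.

```python
import re
from dataclasses import dataclass

# Endpoint TTPs from the advisory; the parent image names are an assumption.
NODE_PARENTS = {"node", "nodejs"}
RECON_CMDS = {"whoami", "id", "uname"}
SHELLS = {"sh", "bash", "dash", "zsh"}


@dataclass
class ProcessEvent:
    parent_image: str           # e.g. /usr/bin/node
    image: str                  # e.g. /bin/sh
    cmdline: str
    files_written: tuple = ()   # paths the process wrote, as an EDR might log


def _basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def evaluate(ev: ProcessEvent) -> list:
    """Return the list of endpoint TTP names matched by one process event."""
    hits = []
    parent, child = _basename(ev.parent_image), _basename(ev.image)
    from_node = parent in NODE_PARENTS
    if from_node and child in SHELLS:
        hits.append("shell_spawned_by_node")
    # Recon: either the child itself is a recon binary, or a shell runs one inline.
    tokens = set(re.findall(r"[A-Za-z_]+", ev.cmdline)) if child in SHELLS else {child}
    if tokens & RECON_CMDS:
        hits.append("recon_command_from_node" if from_node else "recon_command")
    if "/etc/passwd" in ev.cmdline:
        hits.append("etc_passwd_access")
    if any(p.startswith("/tmp/") for p in ev.files_written):
        hits.append("tmp_file_write")
    return hits


# Constructed sample events (not real telemetry).
WORKER = ProcessEvent("/usr/bin/node", "/usr/bin/node", "node /app/worker.js")
ADMIN_CHECK = ProcessEvent("/bin/bash", "/usr/bin/whoami", "whoami")
SUSPECT = ProcessEvent("/usr/bin/node", "/bin/sh",
                       'sh -c "id; uname -a; cat /etc/passwd"',
                       files_written=("/tmp/pwned.txt",))

if __name__ == "__main__":
    for label, ev in [("worker", WORKER), ("admin", ADMIN_CHECK), ("suspect", SUSPECT)]:
        print(label, evaluate(ev))
```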
IOCs
206[.]237.3.150 (Earth Lamia)
45[.]77.33.136 (Jackpot Panda)
143[.]198.92.82 (Anonymization Network)
183[.]6.80.214 (Unattributed threat cluster)
Sources
https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-v…
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
https://securitylabs.datadoghq.com/articles/cve-2025-55182-react2shell-remote-code-execution-react-…
https://securitylabs.datadoghq.com/articles/cve-2025-55182-react2shell-remote-code-execution-react-…
https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
https://react2shell.com/
https://github.com/lachlan2k/React2Shell-CVE-2025-55182-original-poc
https://github.com/lachlan2k/React2Shell-CVE-2025-55182-original-poc/blob/main/01-submitted-poc.js
https://www.elastic.co/security-labs/unmasking-financial-services-intrusion-ref0657
https://www.crowdstrike.com/adversaries/jackpot-panda/
https://blog.sekoia.io/bulbature-beneath-the-waves-of-gobrat/#h-orbs
https://github.com/assetnote/react2shell-scanner
https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r
https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp
https://github.com/search?q=CVE-2025-55182+AND+PoC+OR+POC&type=repositories