A newly disclosed vulnerability, React2Shell (CVE-2025-55182), is attracting significant attention across the digital landscape. The issue affects modern versions of React and Next.js, two core technologies behind a vast number of business applications, customer interfaces and digital services.
What makes this vulnerability particularly concerning is that attackers can exploit it without authentication, potentially enabling remote code execution on affected servers. As a result, React2Shell received a CVSS score of 10.0, the highest possible severity rating.
This blog provides a clear understanding of the issue, why it matters and what steps are advised, followed by the full technical analysis prepared by Cegeka’s security specialists.
For Cegeka Modern SOC customers, those actions have already been taken and can be tracked via the Horizon observability platform and their respective Security Advisors.
React and Next.js are widely used frameworks for building modern digital experiences. The vulnerability resides in a part of these frameworks called React Server Components, used in:
A crucial insight for organizations is that applications may be vulnerable even if they are not actively using server functions. If React Server Components are supported, risk may still exist.
Shortly after the vulnerability was disclosed on November 29, exploitation attempts were already observed:
This rapid progression underscores the importance of timely assessment and remediation.
Many organizations rely on digital systems built with React or Next.js, directly or through partners, vendors or SaaS platforms. A vulnerability in such a broadly adopted technology introduces several risks:
Even if your organization is not developing applications internally, it is essential to confirm whether third-party solutions or suppliers rely on affected components.
Although each environment is different, several general recommendations apply:
Determine whether your organization, or your suppliers, use React 19.x or Next.js 15.x/16.x (App Router).
Updated, patched versions have been released by both React and Vercel (Next.js).
Given ongoing exploitation activity, organizations should ensure robust monitoring is in place, including WAF rules, endpoint visibility and log analysis.
Because attacks started before broad public awareness, reviewing previous activity for indicators of compromise is advised.
The following section contains the detailed technical threat summary, detection guidance and indicators of compromise as prepared by our Cegeka Modern SOC experts.
A deserialization vulnerability affecting React Server Components in React 19.x and Next.js 15.x/16.x with the App Router was disclosed by security researcher Lachlan Davidson on November 29.
Applications may be vulnerable even if server functions are not explicitly used, as long as React Server Components are supported.
Successful exploitation can lead to unauthenticated remote code execution, resulting in a CVSS 10.0 severity rating.
Proof-of-concept exploit code has been publicly available since December 5, and exploitation attempts have been traced back to December 4. Both opportunistic attackers and advanced state-linked threat groups, including Earth Lamia and Jackpot Panda, have been observed attempting to exploit the vulnerability.
Below are our recommendations in terms of response actions and detection logic to be deployed. For Cegeka Modern SOC customers, those actions have already been taken and can be tracked via the Horizon observability platform and their respective Security Advisors.
206[.]237.3.150 (Earth Lamia)
45[.]77.33.136 (Jackpot Panda)
143[.]198.92.82 (Anonymization Network)
183[.]6.80.214 (Unattributed threat cluster)
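One way to carry out the recommended review of past activity against the indicators above, as an added example that is not part of the Cegeka advisory: the script refangs the defanged IP list exactly as printed here and scans access-log lines in NCSA combined format. The log lines are constructed samples, not real traffic.

```python
import re

# Copy of the advisory's indicator list, kept in its defanged form.
IOC_LIST = """
206[.]237.3.150 (Earth Lamia)
45[.]77.33.136 (Jackpot Panda)
143[.]198.92.82 (Anonymization Network)
183[.]6.80.214 (Unattributed threat cluster)
"""

# Constructed sample lines in NCSA combined log format; not real traffic.
SAMPLE_LOG = """\
206.237.3.150 - - [04/Dec/2025:10:12:01 +0000] "POST / HTTP/1.1" 500 312 "-" "python-requests/2.31"
10.0.0.7 - - [04/Dec/2025:10:12:05 +0000] "GET /dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
45.77.33.136 - - [05/Dec/2025:02:41:09 +0000] "POST /api/rsc HTTP/1.1" 200 88 "-" "curl/8.4.0"
206.237.3.150 - - [05/Dec/2025:03:00:44 +0000] "POST / HTTP/1.1" 200 91 "-" "python-requests/2.31"
"""

# Client IP, timestamp, request line and status code of a combined-format entry.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def refang(value: str) -> str:
    """Turn a defanged address such as 1[.]2.3.4 back into 1.2.3.4."""
    return value.replace("[.]", ".")


def parse_iocs(text: str) -> dict:
    """Map each refanged indicator IP to the attribution label given next to it."""
    iocs = {}
    for line in text.strip().splitlines():
        ip, _, label = line.partition(" ")
        iocs[refang(ip)] = label.strip("() ")
    return iocs


def scan_log(log_text: str, iocs: dict) -> list:
    """Return one record per log entry whose client IP matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and m.group("ip") in iocs:  # unparsable lines are skipped, not matched
            hits.append({"ip": m.group("ip"), "actor": iocs[m.group("ip")],
                         "time": m.group("ts"), "request": m.group("req"),
                         "status": m.group("status")})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG, parse_iocs(IOC_LIST)):
        print(f"{h['time']} {h['ip']} ({h['actor']}) {h['request']} -> {h['status']}")
```

A hit on its own only shows that a listed address reached the server; the matched request line and status code are what to hand to the incident review for the affected application.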
https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-v…
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
https://securitylabs.datadoghq.com/articles/cve-2025-55182-react2shell-remote-code-execution-react-…
https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
https://react2shell.com/
https://github.com/lachlan2k/React2Shell-CVE-2025-55182-original-poc
https://github.com/lachlan2k/React2Shell-CVE-2025-55182-original-poc/blob/main/01-submitted-poc.js
https://www.elastic.co/security-labs/unmasking-financial-services-intrusion-ref0657
https://www.crowdstrike.com/adversaries/jackpot-panda/
https://blog.sekoia.io/bulbature-beneath-the-waves-of-gobrat/#h-orbs
https://github.com/assetnote/react2shell-scanner
https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r
https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp
https://github.com/search?q=CVE-2025-55182+AND+PoC+OR+POC&type=repositories