
React2Shell Now Among the Most Exploited Vulnerabilities Worldwide (Part 2)

When we write these articles, we try not to discuss the same vulnerability twice in a row. So initially, the plan for this week was to talk about a run-of-the-mill XWiki exploit (a tried and tested strategy). However, after observing the past week of React2Shell exploitation, we think CVE-2025-55182 deserves a proper follow-up.

The reason is this: When we published our report on React2Shell last week, we were seeing around 500 distinct attackers each day. Two days later, the number of attackers grew to around 5,000 per day. This surge peaked on December 11th, when the CrowdSec Network observed over 10,000 distinct attackers exploiting React2Shell.

To help security teams manage this onslaught, we also released a free Blocklist containing all the active IoCs we see targeting CVE-2025-55182. Instructions on how to add it to your stack can be found in the accompanying announcement post.

So this week, we are looking into React2Shell again, talking about what has changed and what has mostly stayed the same.

Key findings

  • Since our last report, the number of attacking IPs has exploded from ~500 to over 10,000 attackers in a single day.
  • Public vulnerability scanners now detect the vulnerability, so exposed servers get found and patched faster, and the pool of unpatched targets keeps shrinking.
  • Attackers have transitioned from bespoke, hand-written exploits to large-scale automated deployment of exploit kits that drop crypto miners.

What is React2Shell?

React2Shell (CVE-2025-55182) is a critical Remote Code Execution (RCE) vulnerability in React Server Components. The vulnerability affects packages such as `react-server-dom-webpack` and `react-server-dom-parcel`, which sit on the backend of a large share of modern React-based websites; there is a good chance that whatever site you are currently reading this text on uses some variation of them. The vulnerability allows unauthenticated attackers to execute arbitrary code on the server. For businesses, this means a direct path for attackers to steal customer data, install ransomware, or pivot deeper into the corporate network. The sheer volume of attacks indicates that this is no longer a targeted threat but a widespread campaign hitting anyone running a vulnerable version.

About CVE-2025-55182 (React2Shell)

The vulnerability stems from unsafe deserialization of user-supplied data during server-side rendering. Attackers inject a malicious serialized payload into a request, and the server deserializes and ultimately executes it. Various proof-of-concept attacks are floating around, and the aftermath of the publication also saw a big surge in AI-hallucinated "exploits" published to sites like GitHub. While this made it harder for defenders to find working exploit code to build defences against, it seemingly also slowed down attackers, who had to sift through the same pile of garbage code to find a script that actually worked. A working version of the attack can be found on the page of Lachlan Davidson, the researcher who originally disclosed the vulnerability.

Vulnerability Scanner Pickup

CrowdSec's sizable threat intelligence Network also allows us to monitor when vulnerability scanners pick up a new vulnerability to scan for. For CVE-2025-55182, the first vulnerability scanner we observed was LeakIX on the 5th of December. This detection came about 12 hours after we first started seeing attacks directed towards React2Shell. Scanning picked up over the rest of the week, and we now also see providers such as BinaryEdge and the Shadowserver Foundation. The popular open source scanning kit Nuclei received a working detection template on the 5th of December. Note that hits from these providers will show up in your logs as probes for this CVE, so separate known scanner ranges from actual attackers before acting on raw request counts.

Trend analysis

Last week, we already warned that the attack wave for this vulnerability would be massive. This prediction has proven mostly correct. The number of distinct IPs participating in the attack jumped more than 20x in just a few days, from around 500 to over 10,000. This has put React2Shell in the number 2 spot on our leaderboard of most-exploited vulnerabilities. It is currently beaten only by a very old exploit used by the Mozi botnet.

This explosion of attacks is mainly caused by shifting attacker behavior. Initially, most attacks were bespoke code written by competent and experienced attackers who had no public exploit code to go on. During this phase, they targeted sites with valuable connected assets, such as the websites of banks or healthcare institutions. The goal of these attackers is to persist in those networks. However, these high-value institutions are very quick to patch and remediate, so by Monday they were no longer good targets.

At this point, the attackers' focus shifted to large, automated, spray-and-pray style campaigns. These campaigns mainly target small websites and personal blogs built on React Server Components. Such targets are not very valuable by themselves, so attackers mainly use their access to deploy crypto mining software and potentially enrol the compromised servers in their botnets. From our observations, we conclude that these campaigns are the main driver behind the explosion of attacks we saw last week.

How to protect your systems

  • Update your React Server Components packages to the latest patched versions immediately, then rebuild and redeploy, since the vulnerable code is compiled into your server bundle. Check the official React advisory for the exact version numbers. Frameworks that ship their own copy of these packages (Next.js does) need a framework update, not just a bump of the direct dependency.
  • Deploy a Web Application Firewall (WAF) capable of inspecting and blocking malicious serialized objects in incoming requests, such as the CrowdSec WAF.
  • Subscribe to the CrowdSec blocklist for this CVE to automatically block IPs known to be exploiting this vulnerability.
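The first step above is easy to get wrong in a large monorepo, because a patched direct dependency says nothing about nested copies pulled in by other packages. The following Node.js script is an added example (not CrowdSec's or the React project's code) that walks a lockfileVersion 2/3 `package-lock.json`, finds every installed copy of the affected `react-server-dom-*` packages, including nested ones, and classifies each against the patched release of its minor line. The fixed-version map is our assumption of what the React advisory lists and must be confirmed against the advisory before the output is trusted; the lockfile content is constructed for the example.

```javascript
// Added example, not code from the original post or from the React project.
// Audits a parsed package-lock.json (lockfileVersion 2 or 3) for vulnerable
// React Server Components packages, including nested copies.

const AFFECTED = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];

// Patched release per affected minor line. ASSUMPTION: verify these values
// against the official React advisory before relying on the results.
const FIXED = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };

// Parse "19.1.2" or "19.2.0-canary-abc" into numeric parts and a prerelease tag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Numeric comparison of plain release versions (prereleases are handled
// separately in classify, so no prerelease ordering is needed here).
function lessThan(a, b) {
  if (a.major !== b.major) return a.major < b.major;
  if (a.minor !== b.minor) return a.minor < b.minor;
  return a.patch < b.patch;
}

// "patched", "vulnerable", or "review" (canary/prerelease builds and minor
// lines not in the map cannot be judged automatically and need a human look).
function classify(version) {
  const v = parseVersion(version);
  if (!v || v.pre) return "review";
  const fixed = FIXED[`${v.major}.${v.minor}`];
  if (!fixed) return "review";
  return lessThan(v, parseVersion(fixed)) ? "vulnerable" : "patched";
}

// Lockfile keys look like "node_modules/react-server-dom-webpack" or, for a
// nested copy, "node_modules/<dep>/node_modules/react-server-dom-webpack".
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!AFFECTED.includes(name) || !entry.version) continue;
    findings.push({ path, name, version: entry.version, status: classify(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile: one vulnerable top-level copy, one patched
// nested copy, and one canary build that needs manual review.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-framework/node_modules/react-server-dom-webpack": { version: "19.1.2" },
    "node_modules/react-server-dom-parcel": { version: "19.2.0-canary-abc123" },
  },
};

// Print one line per finding and return them so callers can fail a CI job
// when anything is not "patched".
function report(lock) {
  const findings = auditLockfile(lock);
  for (const f of findings) {
    console.log(`${f.status.padEnd(10)} ${f.version.padEnd(22)} ${f.path}`);
  }
  return findings;
}

report(SAMPLE_LOCK);
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. Treat every "review" line as unresolved: a canary build can sit either side of the fix. Lockfile version 1 files use a nested `dependencies` tree instead of the flat `packages` map and are not handled here, and a framework that vendors its own compiled copy of these packages (rather than listing them in the lockfile) will not show up at all, which is exactly why the framework itself has to be updated.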
