Critical React2shell Flaw Added To Cisa Kev After Confirmed Active...
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday formally added a critical security flaw impacting React Server Components (RSC) to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation in the wild.
The vulnerability, CVE-2025-55182 (CVSS score: 10.0), relates to a case of remote code execution that could be triggered by an unauthenticated attacker without requiring any special setup. It's also tracked as React2Shell.
"Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints," CISA said in an advisory.
The problem stems from insecure deserialization in the library's Flight protocol, which React uses to communicate between a server and client. As a result, it leads to a scenario where an unauthenticated, remote attacker can execute arbitrary commands on the server by sending specially crafted HTTP requests.
"The process of converting text into objects is widely considered one of the most dangerous classes of software vulnerabilities," Martin Zugec, technical solutions director at Bitdefender, said. "The React2Shell vulnerability resides in the react-server package, specifically in how it parses object references during deserialization."
The vulnerability has been addressed versions 19.0.1, 19.1.2, and 19.2.1 of the following libraries -
Some of the downstream frameworks that depend on React are also impacted. This includes: Next.js, React Router, Waku, Parcel, Vite, and RedwoodSDK.
The development comes after Amazon reported that it observed attack attempts originating from infrastructure associated with Chinese hacking groups like Earth Lamia and Jackpot Panda within hours of public disclosure of the flaw. Coalition, Fastly, GreyNoise, VulnCheck, and Wiz have also reported seeing exploitation efforts targeting the flaw, indicating that multiple threat actors are engaging in opportunistic attacks.
Some of the attacks have involved the deployment of cryptocurrency miners, as well as the execution of "cheap math" PowerShell commands to ascertain successful exploitation, followed by running commands to drop in-memory downloaders capable of retrieving an additional payload from a remote server.
According to data shared by attack surface management platform Censys, there are about 2.15 million instances of internet-facing service
Source: The Hacker News
