Attackers Use New Tool to Scan for React2Shell Exposure

Summary

Researchers report that threat actors used a sophisticated toolkit, ominously named, to carry out React2Shell attacks against high-value networks. This highlights the growing sophistication of cyber threats and the need for stronger security measures to protect networks.

Key Insights

What is React2Shell and why is it considered a critical vulnerability?
React2Shell (CVE-2025-55182) is a critical remote code execution vulnerability affecting React Server Components and Next.js applications. It stems from insecure deserialization in the React Flight protocol, which handles how servers process incoming requests. The vulnerability is particularly severe because it requires no authentication—attackers need only send a single malicious HTTP request to execute arbitrary code on the server with the same privileges as the application itself. This can allow threat actors to access sensitive data, alter application behavior, or fully compromise the server environment. As of December 8, 2025, researchers identified over 165,000 vulnerable IP addresses and 644,000 domains.
Sources: [1], [2]
How are attackers using scanning tools to identify and exploit React2Shell vulnerabilities?
Threat actors have developed sophisticated scanning and exploitation toolkits to identify vulnerable React2Shell deployments at scale. Researchers have identified nearly 145 in-the-wild proof-of-concept exploits with varying levels of sophistication, including features designed to bypass Web Application Firewalls (WAFs) and automated mass-scanning capabilities. Once vulnerabilities are identified, attackers execute a multi-stage exploitation chain: they craft malicious HTTP requests that exploit the insecure deserialization process, establish reverse shells to command-and-control servers, and then deploy persistence mechanisms such as malicious user accounts, remote monitoring tools, and modified system files. Post-exploitation activities show attackers focusing on credential harvesting (targeting npm, AWS, Docker, Git, and SSH credentials) and accessing cloud metadata, indicating a shift from opportunistic attacks to targeted, long-term compromise of high-value networks.
Sources: [1], [2], [3]
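As an added illustration of the post-exploitation activity described above (example code, not from the article or its sources), the following Python triages constructed audit-style log lines for the credential-store reads, cloud-metadata requests and new-account creation that the article associates with a React2Shell compromise. The log format, file paths and metadata endpoints are assumptions made for this example.

```python
import re

# Constructed sample log lines (not from the article) in an assumed
# "timestamp process action target" audit format.
SAMPLE_LOG = """\
2025-12-08T10:01:02Z node read /srv/app/package.json
2025-12-08T10:01:10Z sh read /home/app/.npmrc
2025-12-08T10:01:11Z sh read /home/app/.aws/credentials
2025-12-08T10:01:12Z sh read /home/app/.docker/config.json
2025-12-08T10:01:13Z sh read /home/app/.git-credentials
2025-12-08T10:01:14Z sh read /home/app/.ssh/id_ed25519
2025-12-08T10:01:20Z curl connect http://169.254.169.254/latest/meta-data/
2025-12-08T10:02:00Z useradd exec support
2025-12-08T10:05:00Z node read /srv/app/.next/server/app/page.js
"""

# Credential stores the article names as harvested post-exploitation (assumed paths).
CREDENTIAL_PATTERNS = [
    r"/\.npmrc$", r"/\.aws/credentials$", r"/\.docker/config\.json$",
    r"/\.git-credentials$", r"/\.ssh/",
]
# Link-local cloud metadata endpoints (AWS/Azure IPv4 address, GCP hostname).
METADATA_PATTERNS = [r"169\.254\.169\.254", r"metadata\.google\.internal"]
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def classify(line):
    """Return (category, process, target) for a suspicious line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, proc, action, target = m.groups()
    if action == "read" and any(re.search(p, target) for p in CREDENTIAL_PATTERNS):
        return ("credential_access", proc, target)
    if action == "connect" and any(re.search(p, target) for p in METADATA_PATTERNS):
        return ("cloud_metadata", proc, target)
    if proc == "useradd" and action == "exec":
        return ("persistence_new_account", proc, target)
    return None

def triage(log):
    """Group findings by category so the whole chain is visible at a glance."""
    grouped = {}
    for line in log.splitlines():
        hit = classify(line)
        if hit:
            grouped.setdefault(hit[0], []).append(hit)
    return grouped
```

On a real host the same rules would be fed from auditd or EDR file-access and process-execution events, keyed on the web application's process tree rather than a flat text log.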