Vercel Issues Warning: Two Additional Vulnerabilities in React Server Components Urgently Require Patching

Experts warn that the React2Shell vulnerability is being exploited en masse by state-sponsored attackers connected to China, North Korea, and Iran, in addition to financially motivated criminal groups.
Registered as CVE-2025-55182, this vulnerability affects all versions of the Meta-developed open-source React framework from version 19 onward, which launched in November 2024.
A surge in attacks targeting React2Shell was reported following the patch release on December 3, with significant incidents on December 8, particularly affecting the construction and entertainment sectors, according to the threat intelligence firm Huntress.
GreyNoise observed 669 unique IP addresses attempting to exploit React2Shell within a single day. Roughly 70% of the approximately 2,300 IP addresses it tracked began attacking after December 4, coinciding with the emergence of working proof-of-concept exploits.
The appeal of this flaw to attackers lies in its ease of exploitation, enabling unauthenticated users to execute arbitrary code on vulnerable servers with a single HTTP request, according to threat researchers at Google Cloud.
Attacks range from opportunistic cryptominers to advanced malware deployments utilizing persistent backdoors, such as Sliver, an open-source command-and-control tool.
React’s extensive use in major platforms such as Airbnb, Meta, Netflix, Shopify, and Uber underscores the potential impact. Attackers are specifically targeting the cloud frameworks that support critical business applications, increasing the urgency for businesses to patch affected software.
Further complicating matters, vulnerabilities have been discovered in related frameworks such as Next.js. Vercel has urged that these flaws be addressed promptly, including a critical-severity denial-of-service vulnerability tracked as CVE-2025-55184 and a source code exposure vulnerability tracked as CVE-2025-55183.
Research indicates that the initial fix for CVE-2025-55184 was incomplete, leading to a further vulnerability (CVE-2025-67779). These flaws affect React versions 19.0.0 to 19.2.1 and Next.js versions 13.x to 16.x. Vercel urges immediate upgrades for anyone on an affected version, regardless of existing security measures.
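A first step for defenders is finding out whether a deployment sits in the version ranges named above. The following is an added example (not code from Vercel, Meta, or the article) that audits a package-lock.json for React and Next.js entries inside those ranges; it assumes the lockfile v2/v3 layout, and because the article does not list the exact patched releases, a hit means "compare against the vendor advisory", not "confirmed vulnerable".

```javascript
// Added example (not Vercel's or Meta's code): audit a package-lock.json for
// React / Next.js versions in the ranges the article lists as affected.
// Assumes the lockfile v2/v3 layout ("packages" map keyed by node_modules path).
// Ranges as stated in the article: React 19.0.0-19.2.1, Next.js 13.x-16.x.
// Exact patched releases are not on the page, so a hit means "compare against
// the vendor advisory", not "confirmed vulnerable".
const AFFECTED = {
  react: { min: "19.0.0", max: "19.2.1" },
  next: { min: "13.0.0", max: "16.999.999" }, // 16.x upper bound for the key below
};

// "MAJOR.MINOR.PATCH" (pre-release/build suffix ignored) -> sortable integer
// (minor and patch assumed < 1000), or null if not a semver triple.
function semverKey(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) return null;
  return (Number(m[1]) * 1000 + Number(m[2])) * 1000 + Number(m[3]);
}

function inAffectedRange(name, version) {
  const range = AFFECTED[name];
  const k = semverKey(version);
  if (!range || k === null) return false;
  return k >= semverKey(range.min) && k <= semverKey(range.max);
}

// Walk lockfile "packages"; the package name is everything after the last
// "node_modules/", so nested copies (node_modules/x/node_modules/react) count.
function auditLockfile(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    if (i < 0 || !entry.version) continue;
    const name = path.slice(i + "node_modules/".length);
    if (inAffectedRange(name, entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: two flagged entries (one nested), one not.
const SAMPLE_LOCK = {
  packages: {
    "node_modules/react": { version: "18.3.1" },
    "node_modules/next": { version: "15.0.3" },
    "node_modules/some-lib/node_modules/react": { version: "19.2.1" },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`.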
In terms of potential attack vectors, the MITRE ATT&CK framework suggests that tactics such as initial access, privilege escalation, and exploitation could have been leveraged in these attacks, particularly given the vulnerabilities inherent in widely used frameworks.