React2Shell flaw exploited to breach 30 orgs, 77k IP addresses vulnerable

Over 77,000 Internet-exposed IP addresses are vulnerable to the critical React2Shell remote code execution flaw (CVE-2025-55182), with researchers now confirming that attackers have already compromised over 30 organizations across multiple sectors.

React2Shell is an unauthenticated remote code execution vulnerability that can be exploited via a single HTTP request and affects all frameworks that implement React Server Components, including Next.js, which uses the same deserialization logic.

React disclosed the vulnerability on December 3, explaining that unsafe deserialization of client-controlled data inside React Server Components enables attackers to trigger remote, unauthenticated execution of arbitrary commands.

Developers are required to update React to the latest version, rebuild their applications, and then redeploy to fix the vulnerability.

On December 4, security researcher Maple3142 published a working proof-of-concept demonstrating remote command execution against unpatched servers. Soon after, scanning for the flaw accelerated as attackers and researchers began using the public exploit with automated tools.

Over 77,000 vulnerable IP addresses

The Shadowserver Internet watchdog group now reports that it has detected 77,664 IP addresses vulnerable to the React2Shell flaw, with approximately 23,700 in the United States.

[Figure: Geographic distribution of vulnerable IP addresses. Source: ShadowServer]

The researchers determined that IP addresses were vulnerable using a de

Source: https://www.bleepingcomputer.com/news/security/react2shell-flaw-exploited-to-breach-30-orgs-77k-ip-addresses-vulnerable/

React cybersecurity rating report: https://www.rankiteo.com/company/reactofficial

"id": "REA1765051268",
"linkid": "reactofficial",
"type": "Vulnerability",
"date": "12/2025",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{'affected_entities': [{'customers_affected': None,
                                     'industry': None,
                                     'location': 'Global (23,700 vulnerable '
                                                 'IPs in the United States)',
                                     'name': None,
                                     'size': None,
                                     'type': 'Organization'}],
              'attack_vector': 'Unauthenticated HTTP request',
              'data_breach': {'data_encryption': None,
                              'data_exfiltration': None,
                              'file_types_exposed': None,
                              'number_of_records_exposed': None,
                              'personally_identifiable_information': None,
                              'sensitivity_of_data': None,
                              'type_of_data_compromised': None},
              'date_publicly_disclosed': '2024-12-03',
              'description': 'Over 77,000 Internet-exposed IP addresses are '
                             'vulnerable to the critical React2Shell remote '
                             'code execution flaw (CVE-2025-55182). Attackers '
                             'have already compromised over 30 organizations '
                             'across multiple sectors. React2Shell is an '
                             'unauthenticated remote code execution '
                             'vulnerability exploitable via a single HTTP '
                             'request, affecting frameworks implementing React '
                             'Server Components, including Next.js. The flaw '
                             'arises from unsafe deserialization of '
                             'client-controlled data, enabling remote, '
                             'unauthenticated execution of arbitrary commands.',
              'impact': {'brand_reputation_impact': None,
                         'conversion_rate_impact': None,
                         'customer_complaints': None,
                         'data_compromised': None,
                         'downtime': None,
                         'financial_loss': None,
                         'identity_theft_risk': None,
                         'legal_liabilities': None,
                         'operational_impact': 'Remote command execution, '
                                               'potential full system '
                                               'compromise',
                         'payment_information_risk': None,
                         'revenue_loss': None,
                         'systems_affected': 'React Server Components (Next.js '
                                             'and similar frameworks)'},
              'initial_access_broker': {'backdoors_established': None,
                                        'data_sold_on_dark_web': None,
                                        'entry_point': None,
                                        'high_value_targets': None,
                                        'reconnaissance_period': None},
              'investigation_status': 'Ongoing',
              'post_incident_analysis': {'corrective_actions': 'Patch '
                                                               'management, '
                                                               'secure coding '
                                                               'practices, '
                                                               'vulnerability '
                                                               'scanning',
                                         'root_causes': 'Unsafe '
                                                        'deserialization of '
                                                        'client-controlled '
                                                        'data in React Server '
                                                        'Components'},
              'ransomware': {'data_encryption': None,
                             'data_exfiltration': None,
                             'ransom_demanded': None,
                             'ransom_paid': None,
                             'ransomware_strain': None},
              'recommendations': 'Update React to the latest version, rebuild '
                                 'applications, and redeploy. Monitor for '
                                 'exploitation attempts and apply '
                                 'network-level protections.',
              'references': [{'date_accessed': None,
                              'source': 'React Security Advisory',
                              'url': None},
                             {'date_accessed': None,
                              'source': 'Shadowserver Internet Watchdog Group',
                              'url': None},
                             {'date_accessed': None,
                              'source': 'Maple3142 Proof-of-Concept Exploit',
                              'url': None}],
              'regulatory_compliance': {'fines_imposed': None,
                                        'legal_actions': None,
                                        'regulations_violated': None,
                                        'regulatory_notifications': None},
              'response': {'adaptive_behavioral_waf': None,
                           'communication_strategy': None,
                           'containment_measures': 'Update React to the latest '
                                                   'version, rebuild and '
                                                   'redeploy applications',
                           'enhanced_monitoring': None,
                           'incident_response_plan_activated': None,
                           'law_enforcement_notified': None,
                           'network_segmentation': None,
                           'on_demand_scrubbing_services': None,
                           'recovery_measures': None,
                           'remediation_measures': 'Patch management, '
                                                   'vulnerability scanning',
                           'third_party_assistance': None},
              'title': 'React2Shell Remote Code Execution Vulnerability '
                       '(CVE-2025-55182)',
              'type': 'Remote Code Execution (RCE)',
              'vulnerability_exploited': 'CVE-2025-55182 (React2Shell)'}