A critical security flaw in the popular React web framework has ignited a wave of cyberattacks, with state-sponsored actors and cybercriminals rushing to exploit the vulnerability before organizations can patch. The flaw, dubbed “React2Shell” (CVE-2025-55182), carries a maximum CVSS score of 10.0, allowing attackers to take full control of servers without any authentication.
Unit 42 researchers at Palo Alto Networks have observed a flurry of post-exploitation activity, linking attacks to North Korean and Chinese state-nexus groups who are pivoting from reconnaissance to full-scale compromise.
The vulnerability lies in the “Flight” protocol used by React Server Components (RSC) and the widely used Next.js framework. The flaw is an “insecure deserialization” bug: the server deserializes attacker-supplied data without validating it, so crafted input ends up being executed as code.
“The attack complexity is low. It requires no user interaction and no privileges (unauthenticated),” the report warns. Exploitation is shockingly reliable, with a “near-100% reliability” rate against default configurations.
The world’s most dangerous threat actors are actively exploiting this flaw:
- North Korea (DPRK): The group UNC5342 is using the chaos to deploy EtherRAT via the EtherHiding technique. This sophisticated method uses blockchain transactions to hide malicious payloads, making them nearly impossible to take down. “EtherHiding leverages blockchain technology to store and retrieve malicious payloads,” turning decentralized ledgers into bulletproof command-and-control servers.
- China (PRC): A cluster tracked as CL-STA-1015, suspected to have ties to the PRC’s Ministry of State Security, is using the flaw to install SNOWLIGHT and VShell trojans. Their activity involves “fileless execution of a malicious shell script” to minimize forensic footprints.
- Opportunistic Hackers: Beyond espionage, attackers are installing cryptominers, Cobalt Strike beacons, and Noodle RAT backdoors to monetize their access.
Once inside, attackers move fast. Automated scripts are being used to “rapidly fingerprint compromised systems, verify privilege levels, [and] map network interfaces”.
In one observed attack chain, the threat actors used wget and curl to download a malicious script named sex.sh and a Linux dropper, ensuring persistence on the infected machine. Another instance involved the deployment of an interactive webshell disguised as a “React File Manager,” granting attackers the ability to browse directories and steal sensitive API keys.
The vulnerability affects React versions 19.0 through 19.2 and Next.js versions 15.x and 16.x.
Organizations must upgrade immediately:
- React: Upgrade to 19.0.1, 19.1.2, or 19.2.1.
- Next.js: Upgrade to the latest stable patched versions (e.g., 16.0.7, 15.5.7).
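The affected and fixed versions listed above can be turned into a quick dependency audit. The following is an added example, not code from the article or from the React or Next.js projects: it walks the "packages" map of a package-lock.json and flags React and Next.js entries that fall in the affected lines, using the fixed versions the article names. Assumption: the two Next.js versions the article gives as examples (16.0.7, 15.5.7) are treated as the minimum patched version for each major line.

```javascript
// Added example: flag React / Next.js versions the article lists as affected by
// CVE-2025-55182 in a package-lock.json "packages" map (lockfile v2/v3 layout).
// Fixed versions come from the article; the Next.js entries are the ones it
// cites as examples, so they are treated here as per-major-line minimums (assumption).
const FIXED = {
  react: { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' },
  next:  { '15': '15.5.7', '16': '16.0.7' },
};

// Parse "x.y.z", tolerating a leading "^", "~" or "v" and any pre-release suffix.
function parseVersion(v) {
  const m = /^[\^~v]?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Return the version to upgrade to, or null if the installed version is not in an
// affected line (e.g. React 18.x) or is already at or above the fix.
function vulnerableReact(version) {
  const [major, minor] = parseVersion(version);
  const fixed = FIXED.react[`${major}.${minor}`];
  return fixed && compareVersions(version, fixed) < 0 ? fixed : null;
}

function vulnerableNext(version) {
  const [major] = parseVersion(version);
  const fixed = FIXED.next[String(major)];
  return fixed && compareVersions(version, fixed) < 0 ? fixed : null;
}

// Keys look like "node_modules/react" or "node_modules/foo/node_modules/react";
// nested copies are checked too, since a transitive React can be the vulnerable one.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!meta.version) continue;
    const fix = name === 'react' ? vulnerableReact(meta.version)
              : name === 'next'  ? vulnerableNext(meta.version) : null;
    if (fix) findings.push({ path, version: meta.version, upgradeTo: fix });
  }
  return findings;
}

// Constructed sample lockfile fragment: one vulnerable React, a patched Next.js, an old React.
const SAMPLE_LOCK = { packages: {
  'node_modules/react': { version: '19.1.0' },
  'node_modules/next': { version: '15.5.7' },
  'node_modules/legacy/node_modules/react': { version: '18.3.1' },
} };
console.log(auditLockfile(SAMPLE_LOCK));
```

On a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a non-empty result lists the exact path and the version to upgrade to.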