React2Shell Vulnerability Now Weaponized in Ransomware Campaigns
CVE-2025-55182 exploitation escalates as Weaxor ransomware operators use critical React Server Components flaw for initial access across 60+ organizations.
The critical React Server Components vulnerability tracked as CVE-2025-55182—nicknamed "React2Shell"—has transitioned from proof-of-concept to active ransomware operations. Threat actors are now using the flaw as an initial access vector, with the Weaxor ransomware group among those leveraging the vulnerability to compromise organizations at scale.
TL;DR
- What happened: CVE-2025-55182 is being exploited in ransomware campaigns as an initial access vector
- Who's affected: Any organization running vulnerable React 19.x or Next.js 14.3+/15.x/16.x with App Router
- Severity: Critical (unauthenticated RCE) - 39% of cloud environments contain vulnerable instances
- Action required: Immediately patch React to 19.0.1/19.1.2/19.2.1 and Next.js to latest stable releases
What is CVE-2025-55182?
CVE-2025-55182 is a critical unauthenticated remote code execution vulnerability in React Server Components' "Flight" protocol. The flaw stems from insecure deserialization in the RSC payload handling logic, allowing attackers to execute arbitrary code on vulnerable servers with a single specially crafted HTTP request.
The vulnerability affects:
- React packages: react-server-dom versions 19.0.x, 19.1.x, 19.2.x
- Next.js with App Router: versions 14.3.0-canary.77 and later, all 15.x, all 16.x
- Other RSC frameworks: Vite RSC, Parcel RSC, React Router RSC, RedwoodSDK, Waku
According to Wiz Research, 39% of cloud environments contain instances of Next.js or React in versions vulnerable to CVE-2025-55182. The vulnerability affects default configurations—standard Next.js applications created with create-next-app are immediately exploitable without any code modifications.
How Exploitation Has Evolved
Initial exploitation of React2Shell began on December 5, 2025, shortly after public disclosure. Early campaigns focused on:
- Credential harvesting from environment variables and cloud metadata
- Installation of the Sliver malware framework for persistent access
- Multiple cryptocurrency mining operations using XMRig variants
Ransomware Adoption
The vulnerability's reliability and broad attack surface attracted ransomware operators. Microsoft reported that hundreds of organizations have been compromised, with 60+ confirmed victims across multiple sectors. The Weaxor ransomware group—assessed as a rebrand of the Mallox ransomware operation—has incorporated React2Shell into their initial access toolkit.
"This attack allows near-100% success rate against vulnerable targets," noted Wiz researchers. The combination of no authentication requirement, simple HTTP-based exploitation, and widespread vulnerability makes React2Shell an attractive alternative to traditional initial access methods like phishing or VPN exploitation. BYOVD (Bring Your Own Vulnerable Driver) keeps showing up in ransomware operations—Osiris ransomware used the Poortry driver to disable EDR before deploying its payload.
Why This Matters
React2Shell represents a perfect storm for attackers:
- Massive attack surface - React and Next.js power millions of web applications
- Default vulnerable configurations - No special setup required to be exploitable
- Simple exploitation - Single HTTP request achieves code execution
- High-value targets - React applications often process sensitive data and connect to internal systems
- Cloud prevalence - Many vulnerable applications run in cloud environments with access to metadata services
The transition from opportunistic cryptocurrency mining to ransomware operations indicates threat actors recognize the vulnerability's potential for high-impact attacks against enterprise targets. Botnet operators have also weaponized the flaw—the RondoDox botnet is actively scanning for vulnerable React applications among 90,000+ exposed servers.
Patched Versions
Organizations should upgrade to these patched releases immediately:
React
- 19.0.1
- 19.1.2
- 19.2.1
Next.js
- 14.x stable (not canary)
- 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7
- 16.0.7
Recommended Mitigations
- Patch immediately - Update React and Next.js dependencies to patched versions
- Audit RSC usage - Identify all applications using React Server Components
- Check framework dependencies - Verify RSC-enabled frameworks bundle updated react-server packages
- Implement WAF rules - Deploy web application firewall rules to detect malformed RSC payloads
- Monitor for IOCs - Watch for Sliver framework indicators and unusual outbound connections
- Rotate credentials - Assume environment variables on unpatched systems may be compromised
Frequently Asked Questions
Is my React application vulnerable? If you're using React Server Components (introduced in React 19) or Next.js with the App Router (versions 14.3+ canary, 15.x, or 16.x), your application may be vulnerable. Standard client-side React applications without RSC are not affected.
How can I check if I've been compromised? Review web server logs for unusual POST requests to RSC endpoints. Look for unexpected processes, outbound connections, or newly created files on application servers. Check for signs of credential access from cloud metadata services.
Why is this vulnerability so severe? The combination of unauthenticated access, remote code execution, trivial exploitation, and widespread deployment creates a critical risk. Attackers can go from zero access to full server compromise with a single HTTP request.
Sources: Wiz Research, The Hacker News, Unit 42