Over 77,000 Internet-exposed IP addresses are vulnerable to the critical React2Shell remote code execution flaw (CVE-2025-55182), with researchers now confirming that attackers have already compromised over 30 organizations across multiple sectors.
React2Shell is an unauthenticated remote code execution vulnerability that can be exploited via a single HTTP request and affects all frameworks that implement React Server Components, including Next.js, which uses the same deserialization logic.
React disclosed the vulnerability on December 3, explaining that unsafe deserialization of client-controlled data inside React Server Components enables attackers to trigger remote, unauthenticated execution of arbitrary commands.
Developers are required to update React to the latest version, rebuild their applications, and then redeploy to fix the vulnerability.
On December 4, security researcher Maple3142 published a working proof-of-concept demonstrating remote command execution against unpatched servers. Soon after, scanning for the flaw accelerated as attackers and researchers began using the public exploit with automated tools.
Over 77,000 vulnerable IP addresses
Shadowserver Internet watchdog group now reports that it has detected 77,664 IP addresses vulnerable to the React2Shell flaw, with approximately 23,700 in the United States.
Geographic distribution of vulnerable IP addresses
Source: ShadowServer
The researchers determined that IP addresses were vulnerable using a detection technique developed by Searchlight Cyber/Assetnote, where an HTTP request was sent to servers to exploit the flaw, and a specific response was checked to confirm whether a device was vulnerable.
... continue reading