React2Shell Alert: 766 Cloud Hosts Breached via CVE-2025-55182
The Most Critical Web Framework Vulnerability of the Year
Security teams across the globe are scrambling to respond to what researchers have dubbed React2Shell — a critical remote code execution vulnerability in React Server Components (CVE-2025-55182) that carries the maximum CVSS score of 10.0.
As of April 2026, at least 766 cloud-hosted applications across multiple providers have been confirmed compromised in a large-scale credential harvesting campaign. And the numbers are still climbing.
What Is React2Shell?
The vulnerability lives in the react-server package and its implementation of the RSC Flight protocol. When a server receives a specially crafted HTTP POST payload, it fails to validate the data structure properly. This insecure deserialization flaw allows attackers to inject and execute arbitrary JavaScript code on the server — with no authentication required.
The attack is devastatingly simple:
- No credentials needed — works against default configurations
- Near 100% reliability — exploit succeeds on virtually every vulnerable target
- Low complexity — public proof-of-concept code is readily available
- No user interaction — fully automated exploitation
Who Is Affected?
The vulnerability impacts React versions 19.0, 19.1.0, 19.1.1, and 19.2.0 and extends to major frameworks built on React Server Components:
- Next.js (App Router)
- React Router
- Waku
- Parcel RSC
- Vite RSC Plugin
- Redwood SDK (rwsdk)
If your application uses any of these frameworks with server-side rendering and React Server Components, you are potentially at risk.
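The fastest way to answer "am I on an affected version?" is to read the lockfile rather than package.json, because the lockfile records the version actually installed, including nested duplicate copies pulled in by other dependencies. The script below is an added example, not code from the article or from the React project: it walks an npm package-lock.json (v2/v3 "packages" map) and flags React builds in the affected set listed above (19.0, 19.1.0, 19.1.1, 19.2.0, with 19.0.1, 19.1.2 and 19.2.1+ treated as fixed). Matching the package name prefix "react-server" is an assumption about how the RSC packages appear in a lockfile; the article only says "the react-server package". The sample lockfile is constructed for the demonstration.

```javascript
// Added example (not from the original article): audit an npm lockfile for
// React builds in the CVE-2025-55182 affected set. Package-name matching for
// "react-server*" is an assumption; the affected/fixed versions are the ones
// the article lists.

// Parse "MAJOR.MINOR[.PATCH][-prerelease][+build]" into numbers. Prerelease
// and build suffixes are ignored, so a "19.1.1-canary" build is judged by its
// base version (conservative: it is reported like 19.1.1). Returns null for
// range specifiers such as "^19.1.0", which never appear as installed versions.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(version).trim());
  if (!m) return null;
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3] ?? 0) };
}

// Affected: 19.0 (19.0.0), 19.1.0, 19.1.1, 19.2.0.
// Fixed:    19.0.1, 19.1.2, 19.2.1 or later.
// Anything outside 19.0.x..19.2.x is not in the article's affected list.
function isVulnerableReactVersion(version) {
  const v = parseSemver(version);
  if (!v || v.major !== 19) return false;
  const firstFixedPatch = { 0: 1, 1: 2, 2: 1 }[v.minor];
  if (firstFixedPatch === undefined) return false;
  return v.patch < firstFixedPatch;
}

// Which lockfile entries to inspect. "react" is named by the article; the
// "react-server" prefix is an assumption about the RSC package names.
function isReactPackageOfInterest(name) {
  return name === 'react' || name.startsWith('react-server');
}

// Walk every "packages" entry ("node_modules/react",
// "node_modules/legacy-widget/node_modules/react", "node_modules/@scope/pkg")
// and report the ones on an affected version, nested copies included.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry, not a dependency
    const marker = 'node_modules/';
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (!isReactPackageOfInterest(name)) continue;
    if (isVulnerableReactVersion(meta.version)) {
      findings.push({ path, name, version: meta.version });
    }
  }
  return findings;
}

// Constructed sample lockfile fragment (npm lockfileVersion 3 layout).
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { react: '^19.1.0' } },
    'node_modules/react': { version: '19.1.1' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/legacy-widget/node_modules/react': { version: '18.3.1' },
    'node_modules/some-other-lib': { version: '1.0.0' },
  },
};

// Stand-alone run: print a short report. In practice, replace SAMPLE_LOCK with
// JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).
const report = auditLockfile(SAMPLE_LOCK);
console.log(report.length ? 'AFFECTED React builds found:' : 'No affected React builds found.');
for (const f of report) console.log(`  ${f.path} @ ${f.version}`);
```

Run it against each deployable's own lockfile; a monorepo or a vendored widget can carry a second copy of React that a top-level `npm ls react` does not make obvious. Remember that a clean lockfile only tells you the code on disk is patched today, not whether a vulnerable build was exposed before the upgrade, which is what the audit and credential-rotation steps later in the article address.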
Active Exploitation by Nation-State Actors
Within hours of the public disclosure on December 3, 2025, Amazon threat intelligence teams observed active exploitation by multiple China-nexus state-sponsored groups, including Earth Lamia and Jackpot Panda.
The campaign follows a consistent pattern:
- Automated scanning for vulnerable React Server Components endpoints
- Base64-encoded command injection via the deserialization flaw
- Credential harvesting from environment variables, config files, and cloud metadata services
- Lateral movement using stolen cloud provider credentials (AWS keys, Azure tokens)
- Persistence through backdoor installation and scheduled tasks
Palo Alto Unit 42 has confirmed multiple attack vectors in post-exploitation activity, with attackers specifically targeting cloud provider credentials stored in application environments.
Immediate Remediation Steps
1. Patch immediately. Upgrade React to one of the fixed versions:
- React 19.0.1 (patches 19.0)
- React 19.1.2 (patches 19.1.x)
- React 19.2.1 or later (patches 19.2.x)
2. Audit your environment. Check for indicators of compromise:
- Unexpected outbound connections from your web servers
- Base64-encoded strings in server access logs
- New or modified cron jobs and scheduled tasks
- Unauthorized access to cloud metadata endpoints (169.254.169.254)
3. Rotate credentials. If you were running a vulnerable version:
- Rotate all API keys, database credentials, and cloud provider tokens
- Revoke and regenerate any secrets stored in environment variables
- Review cloud IAM logs for unauthorized access patterns
4. Enable WAF rules. Deploy Web Application Firewall rules to block malformed RSC Flight protocol payloads as an additional defense layer while patching is completed.
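The indicators in step 2 are easy to state and tedious to check by hand across a fleet, so a first triage pass is worth scripting. The example below is added here and is not the article's own tooling: it scans constructed access-log lines (combined log format) and constructed egress-log lines of the form `egress src=<host> dst=<ip>:<port>`, and reports POST requests carrying a long base64-like token, any traffic to the cloud metadata address 169.254.169.254, and outbound connections to destinations outside an allowlist. The log formats, the 40-character base64 threshold and the allowlist are all assumptions to adjust for your own pipeline; it does not cover the cron/scheduled-task indicator, which is a host-side check rather than a log check.

```javascript
// Added example (not from the original article): triage web-server access-log
// and egress-log lines for the indicators of compromise listed in step 2.
// Formats, thresholds and the allowlist are assumptions; tune them locally.

const METADATA_IP = '169.254.169.254'; // cloud metadata (IMDS) address from the article
// Combined-log-format request line: "METHOD path HTTP/x.y"
const REQUEST_RE = /"(GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) [^"]* HTTP\/[\d.]+"/;
// A run of 40+ base64-alphabet characters. Crude on purpose: JWTs, signed
// URLs and hex asset hashes also match, so every hit still needs human triage.
const BASE64_RUN_RE = /[A-Za-z0-9+/]{40,}={0,2}/;
// Constructed egress-log shape: "egress src=web-01 dst=203.0.113.10:443"
const EGRESS_RE = /\bdst=(\d{1,3}(?:\.\d{1,3}){3}):(\d+)/;
// Constructed allowlist: destinations the web tier is expected to reach.
const EGRESS_ALLOWLIST = new Set(['203.0.113.10']);

// Return the list of reasons (possibly empty) that make one line suspicious.
function triageLine(line, allowlist = EGRESS_ALLOWLIST) {
  const reasons = [];

  const req = REQUEST_RE.exec(line);
  if (req) {
    // URL-decode so a payload whose "+" and "/" were escaped is still visible.
    let decoded = line;
    try { decoded = decodeURIComponent(line); } catch { /* keep raw on bad escapes */ }
    // Only POST is checked: the vulnerable path is a crafted POST, and limiting
    // to POST keeps GETs for hashed static assets from flooding the output.
    if (req[1] === 'POST' && BASE64_RUN_RE.test(decoded)) {
      reasons.push('POST carrying a long base64-like token');
    }
  }

  const out = EGRESS_RE.exec(line);
  if (out) {
    if (out[1] === METADATA_IP) {
      reasons.push('outbound to cloud metadata endpoint');
    } else if (!allowlist.has(out[1])) {
      reasons.push(`unexpected outbound to ${out[1]}:${out[2]}`);
    }
  }
  return reasons;
}

// Scan a batch of lines; findings carry a 1-based line number for follow-up.
function triageLogs(lines, allowlist = EGRESS_ALLOWLIST) {
  const findings = [];
  lines.forEach((text, idx) => {
    const reasons = triageLine(text, allowlist);
    if (reasons.length) findings.push({ line: idx + 1, reasons, text });
  });
  return findings;
}

// Constructed sample lines (TEST-NET addresses; the token is base64 of a
// harmless demo string, not a real payload).
const SAMPLE_LOG = [
  '10.0.0.5 - - [03/Dec/2025:10:00:00 +0000] "GET /dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '198.51.100.23 - - [03/Dec/2025:10:00:07 +0000] "POST /app?data=Q29uc3RydWN0ZWRTYW1wbGVUb2tlbkZvckRlbW9Pbmx5 HTTP/1.1" 500 0 "-" "python-requests/2.31"',
  '10.0.0.5 - - [03/Dec/2025:10:00:14 +0000] "POST /api/login HTTP/1.1" 200 84 "-" "Mozilla/5.0"',
  'egress src=web-01 dst=203.0.113.10:443',
  'egress src=web-01 dst=169.254.169.254:80',
  'egress src=web-01 dst=198.51.100.77:4444',
];

// Stand-alone run: print each finding with its reasons.
for (const f of triageLogs(SAMPLE_LOG)) {
  console.log(`line ${f.line}: ${f.reasons.join('; ')}\n  ${f.text}`);
}
```

Treat the output as a worklist, not a verdict: a POST with a long token from your own frontend is normal, while the same token from a scanner user-agent returning a 500 deserves a look, and any web-tier request to the metadata address is worth escalating regardless of what else the line shows. If your access logs do not record request bodies, the base64 check only sees what lands in the request line, so pair it with the egress and IAM-log checks from steps 2 and 3.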
The CloudShieldSecure Perspective
This vulnerability underscores a critical reality of modern cloud security: your application frameworks are part of your attack surface. Many organizations focus their security monitoring on infrastructure and network layers while overlooking the frameworks and libraries their applications depend on.
CloudShieldSecure treats the full application stack — from framework dependencies to cloud infrastructure — as a unified security domain. Vulnerabilities like React2Shell demonstrate why dependency-aware security posture management is not optional anymore.
Key Takeaways
React2Shell is a wake-up call for any organization running React Server Components in production. The combination of maximum severity, trivial exploitability, and active nation-state exploitation makes this a patch-now situation.
Do not wait for your next maintenance window. Check your React version today.
Sources: The Hacker News, Palo Alto Unit 42, AWS Security Blog, Google Cloud Threat Intelligence, Microsoft Security Blog, Trend Micro Research