React2Shell Zero-Day Actively Exploited to Launch Widespread React Server Attacks

Advanced threat groups are weaponizing the critical React2Shell flaw to compromise React Server Components.


Key Takeaways:

  • A critical zero-day in React Server Components is under active exploitation by advanced threat groups.
  • Attackers are using the flaw to deploy backdoors, cryptominers, and espionage tools at scale.
  • Widely used frameworks like Next.js significantly increase the number of exposed systems.

Google has issued an alert about the React2Shell flaw and warned that multiple advanced threat groups are actively exploiting the vulnerability. Cybercriminals are exploiting this zero-day to deploy backdoors, miners, and espionage tools across vulnerable React-based systems worldwide.

This remote code execution (RCE) vulnerability, CVE-2025-55182 in React Server Components (dubbed React2Shell), was first disclosed on December 3. It can allow unauthenticated attackers to execute arbitrary commands by sending a single HTTP request. The flaw carries a CVSS score of 10.0 (v3) and 9.3 (v4) and affects React Server Components versions 19.0, 19.1.0, 19.1.1, and 19.2.0. A large number of internet-exposed systems are potentially vulnerable because React Server Components are used within frameworks such as Next.js.

How attackers are exploiting React Server Components

According to the Google Threat Intelligence Group (GTIG), several China-linked espionage groups have been observed exploiting the React2Shell vulnerability. For instance, UNC6600 (Earth Lamia) deployed the MINOCAT tunneling tool through a bash script that established persistence via cron jobs, systemd services, and shell configuration changes. UNC6586 used the SNOWLIGHT downloader, a Go-based VSHELL variant, to retrieve payloads disguised as legitimate files. Other China-backed threat actors involved in the exploitation attempts include UNC6588, UNC6603, and UNC6595.

On December 5, cybercriminals exploited the React2Shell flaw to deploy the XMRig cryptocurrency miner. In compromised environments they deployed tools such as Cobalt Strike, reverse shells, persistence mechanisms, backdoors (such as VShell and EtherRAT), memory loaders (SNOWLIGHT), and cryptominers. The attackers conducted lateral movement, credential theft (Azure, AWS, GCP, and OpenAI tokens), and secret harvesting with tools like TruffleHog and Gitleaks.

“Due to the use of React Server Components (RSC) in popular frameworks like Next.js, there are a significant number of exposed systems vulnerable to this issue. Exploitation potential is further increased by two factors: 1) there are a variety of valid payload formats and techniques, and 2) the mere presence of vulnerable packages on systems is often enough to permit exploitation,” the Google Threat Intelligence Group explained.

Mitigation steps and recommended security controls

Organizations should prioritize upgrading React Server Components to the latest patched versions (19.0.1, 19.1.2, or 19.2.1 and later, and 19.2.3 for related vulnerabilities). Administrators should audit all application dependencies, especially frameworks like Next.js, which may bundle vulnerable React packages. They should also use automated dependency scanning tools and Software Bill of Materials (SBOM) checks to ensure no outdated or compromised components remain in production environments.

It’s highly recommended to deploy Web Application Firewall (WAF) rules (such as Cloud Armor policies) to block exploit attempts during remediation. Moreover, IT admins should enable Defender for Endpoint and Defender for Cloud to detect suspicious behaviors, and conduct proactive threat hunting for indicators of compromise (IoCs). They should also implement YARA rules and leverage threat intelligence feeds to further strengthen detection and response capabilities.