Critical React2Shell Flaw Added to CISA KEV After Confirmed Active Exploitation


These articles are AI-generated summaries. Please check the original sources for full details.


CISA has added the React2Shell vulnerability (CVE-2025-55182) to its Known Exploited Vulnerabilities (KEV) catalog after confirming in-the-wild attacks. The flaw is an insecure deserialization bug in React Server Components that allows unauthenticated remote code execution; it carries a CVSS score of 10.0, and an estimated 2.15 million internet-facing services are exposed.

Why This Matters

Insecure deserialization is a well-documented attack vector, yet it remains common because validating serialized data from untrusted clients is hard in real-world systems. React2Shell shows how a flaw in the server-side decoding of Flight protocol payloads (the wire format React Server Components use between client and server) can give an unauthenticated attacker arbitrary code execution on the server. With 2.15 million internet-facing services exposed, the potential scale of compromise is large, and attackers are already using the flaw to deploy cryptocurrency miners and in-memory downloaders.

Key Insights

  • Insecure deserialization: React2Shell exploits how the server-side Flight decoder resolves object references embedded in a request payload, turning attacker-controlled references into remote code execution.
  • Affected frameworks: Next.js, React Router, Waku, and RedwoodSDK build on React Server Components and inherit the flaw; each needs a release that pulls in the patched React packages.

Practical Applications

  • Use Case: any of the estimated 2.15 million internet-facing services built on React Server Components should be treated as exposed until the patched React packages are actually deployed, including nested copies pulled in by a framework.
  • Pitfall: delaying React library updates leaves systems open to groups already exploiting the flaw, such as Earth Lamia and UNC5174.
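As an added example (not code from the original article, from React, or from CISA), the following Node.js script inventories every installed copy of the React Server Components runtime packages in an npm package-lock.json, nested duplicates included, and flags copies below a caller-supplied patched version. The package names are assumed to be the react-server-dom-* packages that implement the server side of the Flight protocol; the lockfile layout assumed is npm lockfileVersion 2/3; the sample lockfile and the threshold map are constructed placeholders, not the actual fixed versions, which must be taken from the React advisory.

```javascript
"use strict";

// RSC runtime packages to look for. Assumption for this example: these are the
// React packages that implement the server side of the Flight protocol; extend
// the list if your bundler uses a different react-server-dom-* package.
const RSC_RUNTIME_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-turbopack",
  "react-server-dom-parcel",
]);

// Parse "major.minor.patch[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ?? null };
}

// Semver-style ordering: numeric parts first; a prerelease sorts below the
// release it precedes (19.2.1-canary.x < 19.2.1), so canaries are not
// mistaken for the patched release.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// npm lockfile v2/v3 keys entries by install path, e.g.
// "node_modules/next/node_modules/react-server-dom-webpack". The package name
// is everything after the last "node_modules/" (this keeps scoped names intact).
function packageNameFromPath(installPath) {
  const marker = "node_modules/";
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? null : installPath.slice(idx + marker.length);
}

// Every installed copy of an RSC runtime package, nested duplicates included.
function inventoryRsc(lockfile) {
  const found = [];
  for (const [installPath, entry] of Object.entries(lockfile.packages ?? {})) {
    const name = packageNameFromPath(installPath);
    if (name && RSC_RUNTIME_PACKAGES.has(name) && entry && entry.version) {
      found.push({ name, installPath, version: entry.version });
    }
  }
  return found;
}

// fixedByLine maps a release line ("major.minor") to the first patched version
// on that line, as published in the React advisory. Lines with no entry are
// reported as "unknown-line" rather than silently treated as safe.
function assess(found, fixedByLine) {
  return found.map((pkg) => {
    const { nums } = parseVersion(pkg.version);
    const line = `${nums[0]}.${nums[1]}`;
    const fixed = fixedByLine[line];
    let status;
    if (fixed === undefined) status = "unknown-line";
    else status = compareVersions(pkg.version, fixed) < 0 ? "VULNERABLE" : "patched";
    return { ...pkg, line, fixed: fixed ?? null, status };
  });
}

function formatReport(rows) {
  if (rows.length === 0) return "no RSC runtime packages found in lockfile";
  return rows
    .map((r) => `${r.status.padEnd(12)} ${r.name}@${r.version} (${r.installPath})`)
    .join("\n");
}

// Constructed sample lockfile, including a nested duplicate copy that a
// top-level "npm ls" might hide. Versions here are illustrative only.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-tool/node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/react-server-dom-turbopack": { version: "19.1.0-canary-abc" },
  },
};

// Placeholder threshold for the demo: replace with the fixed versions from the
// React advisory for every release line you have installed.
const DEMO_FIXED_BY_LINE = { "19.2": "19.2.1" };

console.log(formatReport(assess(inventoryRsc(SAMPLE_LOCK), DEMO_FIXED_BY_LINE)));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and fill the threshold map from the advisory. The script reads the lockfile rather than node_modules, so it reports what is pinned for deployment, and it walks every install path because a framework can vendor its own nested copy of the runtime that a top-level dependency check would miss. Yarn and pnpm lockfiles use different layouts and would need their own parser.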
