React2Shell Exploit: Critical RCE Flaw (CVSS 10.0) Under Active Attack with New Backdoors
Immediately following the public disclosure of a critical vulnerability in React Server Components, threat actors began exploiting it in attacks against organizations across multiple industries. The Huntress team reports that the flaw is an unauthenticated remote code execution (RCE) vulnerability, enabling attackers to run arbitrary code via a single, specially crafted HTTP request.
The vulnerability has been assigned CVE-2025-55182 and is informally known as “React2Shell.” It was disclosed on December 3, 2025, carries a maximum CVSS score of 10.0, and prompted React maintainers to urge immediate patching. Huntress observed active exploitation attempts as early as December 8 within the environments of several customers. In parallel, the Next.js ecosystem briefly referenced CVE-2025-66478, which was later dismissed as a duplicate of CVE-2025-55182.
According to Huntress, once initial access is gained, attackers deploy a variety of payloads. These include cryptocurrency miners, a Linux backdoor dubbed PeerBlight, and additional tools designed to establish persistence and facilitate lateral movement. PeerBlight is particularly notable for its use of BitTorrent DHT as a fallback command-and-control channel, significantly complicating domain-based blocking efforts.
Another element of the campaign is CowTunnel, a reverse proxy tunnel that initiates outbound connections to attacker-controlled FRP servers, effectively bypassing perimeter restrictions. In certain cases, researchers also encountered a post-exploitation implant written in Go, named ZinFoq, which provides reverse shell capabilities, SOCKS5 proxying, and file timestamp manipulation to obscure forensic traces. Additionally, a variant of the Kaiji botnet was distributed, combining DDoS functionality with persistence mechanisms and techniques that force system reboots when termination is attempted.
Logs from at least one incident revealed signs of automation, including identical command execution checks and attempts to deploy Linux payloads on Windows hosts. Huntress also reports that, prior to exploitation, the attackers used the publicly available react2shell-scanner from Assetnote to identify vulnerable Next.js instances.
To mitigate risk, Huntress strongly recommends promptly upgrading the affected packages—react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack—to their patched releases (19.0.1, 19.1.2, and 19.2.1, respectively). For Next.js deployments, a dedicated utility, fix-react2shell-next, is available to verify versions and assist administrators in restoring a secure configuration.
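As an added example (not code from the article, Huntress, or the React project), the following Node script audits a package-lock.json for the three packages named above and flags every copy, nested ones included, whose version is still below the patched release of its own minor line. It assumes the lockfileVersion 2/3 layout ("packages" keyed by install path); the sample lockfile is constructed.

```javascript
// Added example (not from the article, Huntress or the React project): audit a
// package-lock.json for the three packages the advisory names and flag any copy
// below the patched release of its own minor line (19.0.1 / 19.1.2 / 19.2.1).
const PATCHED = { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' };
const PACKAGES = new Set([
  'react-server-dom-webpack', 'react-server-dom-parcel', 'react-server-dom-turbopack',
]);
// Numeric dotted-version compare: negative, zero or positive like strcmp.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// 'patched', 'vulnerable', or 'unknown' for a minor line the advisory does not
// list (e.g. 18.x), which has to be checked by hand rather than assumed safe.
function classify(version) {
  const [base, prerelease] = version.split('-');
  const fixed = PATCHED[base.split('.').slice(0, 2).join('.')];
  if (!fixed) return 'unknown';
  const cmp = compareVersions(base, fixed);
  // A prerelease of the fix version (19.2.1-rc.0) precedes the release itself,
  // so with a tag present only a strictly higher base version counts as patched.
  if (prerelease !== undefined) return cmp > 0 ? 'patched' : 'vulnerable';
  return cmp >= 0 ? 'patched' : 'vulnerable';
}

// Walk a lockfileVersion 2/3 "packages" map; the key is the install path, so
// nested copies under another dependency (e.g. inside next/) are found too.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!PACKAGES.has(name) || !entry.version) continue;
    findings.push({ path, name, version: entry.version, status: classify(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile: one unpatched, one patched and one nested unpatched copy.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  'node_modules/react-server-dom-webpack': { version: '19.2.0' },
  'node_modules/react-server-dom-turbopack': { version: '19.1.2' },
  'node_modules/next/node_modules/react-server-dom-webpack': { version: '19.0.0' },
} };
```

To run it against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `auditLockfile` and treat any `vulnerable` or `unknown` finding as needing action.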