Google Threat Intelligence Group (GTIG) has issued a high-severity warning about the active exploitation of a critical vulnerability in React Server Components, tracked as React2Shell (CVE-2025-55182).
The flaw allows unauthenticated remote code execution, enabling attackers to take full control of vulnerable servers without a password.
Since its public disclosure on December 3, 2025, Google has observed multiple threat actors actively exploiting the vulnerability, ranging from state-sponsored espionage groups to financially motivated cybercriminals.
With a CVSS v3 score of 10.0, React2Shell represents a maximum-severity risk, especially due to the widespread use of React and Next.js across modern web applications.
What Is React2Shell (CVE-2025-55182)?
React2Shell is a critical security flaw affecting specific versions of React and Next.js that use React Server Components (RSC).
The vulnerability allows attackers to:
- Execute arbitrary code remotely
- Bypass authentication mechanisms
- Deploy malware or web shells entirely in memory
- Maintain persistent, stealthy access to compromised servers
Because React and Next.js power millions of production websites, the potential attack surface is massive.
Google Confirms Widespread Active Exploitation
Google GTIG reports that functional exploit code is now publicly available, significantly lowering the barrier for attackers.
While early proof-of-concept exploits were unreliable or fake, fully working exploit chains are now circulating, including tools capable of memory-only web shell deployment.
This has led to rapid adoption by multiple attacker groups, accelerating real-world attacks.
Threat Actors and Malware Campaigns Observed
1. China-Nexus Espionage Operations
Google identified multiple China-linked threat groups abusing React2Shell for cyber-espionage:
- UNC6600
  - Deploys the MINOCAT tunneler
  - Establishes stealthy, long-term access to compromised networks
- UNC6603
  - Uses an updated HISONIC backdoor
  - Evades detection by routing traffic through legitimate services like Cloudflare
These campaigns focus on persistent access, data exfiltration, and intelligence collection.
2. Financially Motivated Cybercrime
Opportunistic attackers are exploiting unpatched systems to generate illicit revenue:
- Deployment of XMRig cryptocurrency miners
- Abuse of victim server resources for Monero mining
- Use of lightweight downloader scripts to maintain access
This highlights how unpatched servers are quickly monetized after vulnerability disclosure.
3. Additional Malware Families
Google also identified several other malicious tools linked to React2Shell exploitation:
- SNOWLIGHT – Malware downloader and C2 framework
- COMPOOD – Backdoor for data theft and secondary payload delivery
- ANGRYREBEL.LINUX – Linux-based payload observed in exploitation chains
Indicators of Compromise (IoCs)
Malicious Domains
- reactcdn.windowserrorapis[.]com – SNOWLIGHT C2 and staging server
IP Addresses
- 82.163.22[.]139 – SNOWLIGHT C2 server
- 216.158.232[.]43 – Staging server for the sex.sh script
- 45.76.155[.]14 – COMPOOD C2 and payload staging
Malware Hashes (SHA-256)
- HISONIC Samples
df3f20a961d29eed46636783b71589c183675510737c984a11f78932b177b540
92064e210b23cf5b94585d3722bf53373d54fb4114dca25c34e010d0c010edf3
- ANGRYREBEL.LINUX
0bc65a55a84d1b2e2a320d2b011186a14f9074d6d28ff9120cb24fcc03c3f696
- XMRig Downloader (sex.sh)
13675cca4674a8f9a8fabe4f9df4ae0ae9ef11986dd1dcc6a896912c7d527274
- SNOWLIGHT
7f05bad031d22c2bb4352bf0b6b9ee2ca064a4c0e11a317e6fedc694de37737a
- MINOCAT
776850a1e6d6915e9bf35aa83554616129acd94e3a3f6673bd6ddaec530f4273
Why This Vulnerability Is Especially Dangerous
- No authentication required
- Public exploit code available
- Memory-only attacks evade disk-based detection
- React and Next.js are extremely common
- Attackers include nation-state groups
Google warns that unpatched systems are being compromised within hours of exposure.
Mitigation and Security Recommendations
Organizations using React Server Components or Next.js should take immediate action:
- Patch immediately
  - Upgrade to secure versions of React and Next.js
- Audit exposed servers
  - Look for unusual outbound connections and memory-resident processes
- Monitor IoCs
  - Block listed domains, IPs, and hashes
- Restrict server privileges
  - Apply least-privilege access controls
- Deploy runtime monitoring
  - Detect in-memory web shells and abnormal execution patterns
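As an added example (not code from the article or from GTIG), the sweep below matches the network and hash indicators listed above against constructed connection-log lines and a file-hash inventory; it refangs the "[.]" notation and matches whole tokens only, so an unrelated address that merely contains a listed one is not reported. The log format, process name and file paths are assumptions.

```python
"""Sweep constructed connection-log lines and a file-hash inventory for the
React2Shell IoCs listed in the article. Added example; not GTIG or article code."""
import re

# Indicators copied from the IoC section above, still defanged with "[.]".
NET_IOCS_DEFANGED = {
    "reactcdn.windowserrorapis[.]com": "SNOWLIGHT C2 and staging server",
    "82.163.22[.]139": "SNOWLIGHT C2 server",
    "216.158.232[.]43": "sex.sh staging server",
    "45.76.155[.]14": "COMPOOD C2 and payload staging",
}
SHA256_IOCS = {
    "13675cca4674a8f9a8fabe4f9df4ae0ae9ef11986dd1dcc6a896912c7d527274": "XMRig downloader (sex.sh)",
    "7f05bad031d22c2bb4352bf0b6b9ee2ca064a4c0e11a317e6fedc694de37737a": "SNOWLIGHT",
}

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as "1.2.3[.]4" back into its real form."""
    return indicator.replace("[.]", ".")

NET_IOCS = {refang(k): v for k, v in NET_IOCS_DEFANGED.items()}
# Whole-token match only: 182.163.22.139 must not be reported as 82.163.22.139.
NET_RE = re.compile(r"(?<![\w.-])(" + "|".join(map(re.escape, NET_IOCS)) + r")(?![\w.-])")

def scan_connections(log_lines):
    """Return (line_no, indicator, label) for each log line that touches a network IoC."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for m in NET_RE.finditer(line):
            hits.append((n, m.group(1), NET_IOCS[m.group(1)]))
    return hits

def scan_hashes(inventory):
    """inventory maps path -> SHA-256 (any case); return (path, label) for known samples."""
    return [(p, SHA256_IOCS[h.lower()]) for p, h in inventory.items() if h.lower() in SHA256_IOCS]

# Constructed sample input (assumed log format and paths); line 3 is a near-miss address.
SAMPLE_LOG = [
    "2025-12-05T10:01:07Z next-app[4412] connect 10.0.0.7:54021 -> 82.163.22.139:443",
    "2025-12-05T10:01:09Z next-app[4412] resolve reactcdn.windowserrorapis.com",
    "2025-12-05T10:02:00Z next-app[4412] connect 10.0.0.7:54100 -> 182.163.22.139:443",
]
SAMPLE_INVENTORY = {
    "/tmp/sex.sh": "13675CCA4674A8F9A8FABE4F9DF4AE0AE9EF11986DD1DCC6A896912C7D527274",
    "/srv/app/package.json": "0" * 64,
}

if __name__ == "__main__":
    for hit in scan_connections(SAMPLE_LOG) + scan_hashes(SAMPLE_INVENTORY):
        print("IoC hit:", hit)
```

A hash match on disk will not catch the memory-only web shells the article describes, so the connection sweep (or equivalent network telemetry) is the part that matters for those.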
Conclusion
React2Shell (CVE-2025-55182) is one of the most severe vulnerabilities affecting modern web frameworks in recent years. With active exploitation confirmed by Google, widespread public exploit availability, and involvement from advanced nation-state actors, the risk cannot be overstated.
Immediate patching and proactive threat monitoring are essential to prevent server compromise, data theft, and financial abuse.