The CrowdSec Network has detected a massive wave of exploitation attempts targeting CVE-2025-55182, dubbed “React2Shell”.
Key findings on CVE-2025-55182
- Explosive Growth: In just 4 days (December 5 – December 8), we observed 15,725 signals.
- Rapid Escalation: Activity peaked at 8,925 signals in a single day, with up to 381 distinct IPs attacking.
- Critical Impact: This vulnerability turns a common frontend component into a remote shell for attackers.
What is React2Shell?
React2Shell (CVE-2025-55182) is a critical Remote Code Execution (RCE) vulnerability affecting React, one of the most popular open-source JavaScript frameworks developed by Meta. It is widely used by e-commerce platforms, media sites, and enterprise dashboards to enhance SEO and performance. According to the Shadowserver Internet watchdog group, there would be more than 77,000 machines vulnerable, among which ~30% are located in the US.
Why it matters: It allows an unauthenticated attacker to execute arbitrary commands on the server hosting the application. It can lead to granting them access to any data or services the application has access to. The attacker can use this access as an initial foothold in an internal network, which can serve to other lateral movements, locking your company system with ransomware, or silently mine cryptocurrencies.
About the exploit React2Shell (CVE-2025-55182)
The vulnerability lies in how React handles server function calls. By providing a specially crafted HTTP request, it is possible to confuse the server-side parser and trick it into evaluating arbitrary code.
Researchers have noted that the exploit is trivial to automate, which has led to the massive spike in scanning and exploitation attempts that we are currently seeing.
Timeline and Trend Analysis
- 3 December 2025: the CVE was published on NIST
- 4 December 2025 11:00:00Z: CrowdSec Security Team added a virtual patching rule to CrowdSec WAF
- 4 December 2025 22:00:00Z: the first PoC was made publicly available by security researcher Maple3142
- 5 December 2025 01:00:00: CrowdSec Network spotted the first attacks and started to block intruders automatically.
The CrowdSec network picked up the first signals on December 5th, just hours after the first PoC was made available. Since then, the attack volume has skyrocketed over the weekend, averaging nearly 4,000 signals per day. The sharp increase suggests that proof-of-concept code is widely available and botnets are actively weaponizing it.
According to Crowdsec CTI, 28% of the IPs were already flagged as malicious and 22% as suspicious. This means that they were not “clean” and were already used in other malevolent activities.
Looking deeper at the time the IPs were first seen, we can tell that 60% of them are older than 23 days and already known to CrowdSec CTI.
How to protect your systems
- Patch: Upgrade to the patched version following recommendations from Vercel
- Preemptive blocking: Install CrowdSec WAF to automatically protect against CVE-2025-55182, in addition to hundreds of other vulnerabilities.
- Stay Proactive: Subscribe to CrowdSec’s specialized blocklist to gain instant protection for IPs targeting the most harmful vulnerabilities