644K+ Websites at Risk Due to Critical React Server Components Flaw

A critical vulnerability known as “React2Shell” has been identified by the Shadowserver Foundation, posing a significant threat to a massive attack surface that remains exposed to potential exploitation.

Following enhancements to their scanning infrastructure on December 8, 2025, researchers found that over 644,000 domains and 165,000 unique IP addresses are still running vulnerable instances of React Server Components, leaving them open to attack.

Understanding the React2Shell Threat

The vulnerability, tracked as CVE-2025-55182, is a critical security flaw affecting React Server Components (RSC), allowing unauthenticated remote attackers to execute arbitrary code on the target server.

Dubbed “React2Shell” due to its severity and nature, the flaw stems from insecure deserialization vulnerabilities in the “Flight” protocol used by React for server-client communication.

With the ability to be exploited without user interaction or authentication, the flaw has been assigned the highest possible risk ratings, making it a prime target for attackers.

Despite the initial disclosure of the vulnerability earlier this month, Shadowserver’s latest data reveals that a significant portion of the web remains unpatched, with over 644,000 vulnerable domains still at risk.

The Shadowserver Foundation collaborated with security partners ValidinLLC and leak_ix to refine their scanning techniques, resulting in a more accurate detection of affected systems.

The discovery of over 644,000 vulnerable domains indicates that many organizations have not yet applied the necessary security updates to their web applications and server environments, leaving them vulnerable to attack.

Security teams and administrators are urged to check their systems immediately for compromise and apply available patches to close this critical security gap.

The widespread nature of this vulnerability makes it an attractive target for automated exploitation campaigns, where attackers scan the internet for unpatched servers to install ransomware or steal data.

Organizations using React Server Components should verify their deployments against the latest vendor advisories and apply available patches instantly to protect themselves from this critical security threat.

Related Articles

Back to top button