Following #React2Shell, two new vulnerabilities were found in React Server Components: one enabling Denial of Service, another allowing source code (and hard-coded secrets) to leak!
I've lost count of how many #React2Shell exploits our initial access intel group has reviewed, but it's a lot. Canary detections also going brr, unsurprisingly.
@yeslikethefood has a new blog out with:
• Common exploit variants and potential payload modifications
• The current PoC ecosystem
• VulnCheck canary detections (exploit attempts ongoing)
• Attack path observations
• Challenges for defenders, namely around detection
We've also released our in-memory webshell.
https://www.vulncheck.com/blog/reacting-to-shells-react2shell-variants-ecosystem
Another #React2Shell Update: Fastly saw a 2,775% increase in attack activity across our global network between the peak we reported yesterday (Dec. 4th) and 20:00 UTC today (Dec. 5th).
⚠️ This in-the-wild evidence suggests attackers are relentlessly probing for vulnerable applications at scale. ⚠️
It is worth your time to verify, not just trust, that you have zero exposure, and then drop everything to patch.
After the POC publicly dropped around 21:04 UTC yesterday (Dec. 4th), @fastlydevs detected what appeared, at the time, like a sharp escalation in attack activity.
In the 24 hours since then, the number of requests triggering our NGWAF signals for React2Shell exploded by 2,775% (as shown in the graph).
🌎 Fastly's Security Research team verified that select public PoCs grant attackers the single-step ability to execute commands, exfiltrate data, and gain write access on vulnerable servers.
This means cybercriminals and nation state actors alike face an alluring ROI, which is likely to motivate them to invest in weaponizing and operationalizing this at scale.
We are sharing this intelligence not to sow fear, but to reinforce the undeniable, urgent necessity of patching at this point. We also have a few updates for our customers:
🛡️ Fastly's teams expanded our Virtual Patch for CVE-2025-55182 to detect scan/probe activity and attempts to circumvent our NGWAF protections.
🛠️ We discovered the built-in "Attack Tooling" signal in our NGWAF already detects scanners that emerged in the past 24h to probe for vulnerable apps; we suggest customers investigate any requests that triggered this signal, as it may indicate React2Shell activity.
🤖 Fortuitously, Fastly's Bot Management product flagged some react2shell attack tooling as a "Suspected Bad Bot," offering organizations another layer of defense here.
At this time, Fastly's goal is to provide our customers with breathing room to patch.
The best available fix at this time is to update your apps to the applicable patched versions. We are at the point where it is no longer "if," or possibly even "when," but "how often"?
We will continue monitoring global attack activity, investing in additional mitigations for our customers, and sharing intel with the public community.
A critical zero-day in widely used web frameworks sent shockwaves through the development community this week, with state-sponsored actors moving faster than most security teams could respond.
#react #nextjs #cloudflare #react2shell #cybersecurity
https://cybernewsweekly.substack.com/p/cybersecurity-news-review-week-49-fc4
Yesterday, after various bogus AI-slopped "PoC"s, a functional PoC for the React RCE eventually emerged:
https://github.com/msanft/CVE-2025-55182
We now have a PoC from the reporter of the vulnerability as well:
https://github.com/lachlan2k/React2Shell-CVE-2025-55182-original-poc
full stack development: using front end javascript *and* back end javascript
@davidgerard Bonus stack integration feature, object deserialization! #react2shell
⚠️ update on #React2Shell:
After the POC dropped ~21:04 GMT today, Fastly detected a profound proliferation in the number of requests triggering our NGWAF signal for React2Shell (see the graph).
We strongly recommend you immediately prioritize identifying and updating your React & Next.js apps.
At this time, anyone who has neither patched nor applied proactive protection should assume their vulnerable systems are potentially compromised in ways they cannot predict.
https://hachyderm.io/@shortridge/115663892585649723
React2Shell and related RSC vulnerabilities threat brief
https://blog.cloudflare.com/react2shell-rsc-vulnerabilities-exploitation-threat-brief/
#HackerNews #React2Shell #RSC #vulnerabilities #threat #brief #Cloudflare #security #React #vulnerabilities #web #security
subsequent update https://hachyderm.io/@shortridge/115664561783943907
our subsequent update on #React2Shell activity: https://hachyderm.io/@shortridge/115669759056248491