
React2Shell Surge Exposes 250,000 Servers to Crypto Mining Malware Campaigns

A critical vulnerability in React Server Components, dubbed React2Shell and tracked as CVE-2025-55182, has triggered a massive wave of exploitation across the internet, with threat actors deploying cryptocurrency miners and sophisticated malware payloads targeting hundreds of thousands of vulnerable servers. As of December 8, 2025, the scale of the exploitation has reached alarming levels, with security researchers confirming attacks across multiple sectors.

The Threat Landscape

The React2Shell vulnerability, disclosed on December 3, 2025, after Meta patched the flaw, enables unauthenticated remote code execution through specially crafted HTTP requests. The vulnerability affects React version 19 systems that leverage React Server Components, including popular frameworks such as Next.js, Waku, React Router, and RedwoodSDK. With React powering millions of websites and its core NPM package recording 60 million weekly downloads, the potential attack surface is enormous.

Security monitoring organizations reported staggering numbers. The Shadowserver Foundation identified over 77,000 IPs hosting vulnerable React instances, while Censys observed more than 250,000 instances of potentially vulnerable React, Waku, React Router, Next.js, and RedwoodSDK deployments. Cloud security firm Wiz reported that 39 percent of the cloud environments it monitors include vulnerable React or Next.js versions.

Core Principles

The exploitation follows a clear pattern that organizations need to understand to defend against it. Attackers first identify vulnerable Next.js instances using publicly available GitHub tools, then exploit CVE-2025-55182 to achieve remote code execution. Once inside, they deploy a range of payloads including the XMRig cryptocurrency miner, which directly generates Monero for the attackers by hijacking the victim’s computing resources.

The first recorded exploitation attempt on a Windows endpoint dates back to December 4, 2025, just one day after the vulnerability was disclosed. Threat actors include at least two known China-linked groups, Earth Lamia and Jackpot Panda, who began exploiting the flaw immediately. Palo Alto Networks confirmed more than 30 affected organizations across various sectors as of December 8, with construction and entertainment industries being prominently targeted.

Tooling and Setup

The malware ecosystem deployed through React2Shell is diverse and sophisticated. Huntress researchers documented several previously unknown malware families including PeerBlight, a Linux backdoor that shares code with the RotaJakiro and Pink malware families from 2021. PeerBlight establishes communications with a hardcoded command-and-control server and uses a BitTorrent Distributed Hash Table network as a fallback mechanism, registering infected nodes with a distinctive identifier prefix.

Additional payloads include CowTunnel, a reverse proxy that bypasses firewalls by initiating outbound connections to attacker-controlled servers, and ZinFoq, a Linux ELF binary providing a full post-exploitation framework with interactive shell, file operations, network pivoting, and timestomping capabilities. Some attacks also deployed variants of the Kaiji DDoS malware incorporating remote administration and persistence features.

Ongoing Vigilance

For organizations running React-based applications, the immediate priority is identifying and patching vulnerable instances. The vulnerability only affects React 19, released within the past year, and only when React Server Components are enabled. Organizations should audit their technology stack for Next.js, Waku, React Router, and RedwoodSDK deployments, apply the patches released by Meta, and monitor for indicators of compromise associated with the known malware payloads.
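One way to carry out the audit step above, as an added example that is not from the article or from any project it names: a small inventory script that flags package.json files declaring React 19 together with an RSC-capable framework or package, so each can be checked against the vendor's patched release. The npm package names used for the frameworks (especially rwsdk for RedwoodSDK) are an assumption.

```python
import json
import os
import re

# Frameworks the article names as affected on React 19 with Server Components; the npm
# package names (in particular "rwsdk" for RedwoodSDK) are an assumption.
RSC_FRAMEWORKS = {"next", "waku", "react-router", "rwsdk"}
# The React packages that implement the RSC wire protocol itself.
RSC_PACKAGES = {"react-server-dom-webpack", "react-server-dom-turbopack", "react-server-dom-parcel"}

def major(version_spec):
    """Return the major version from a semver string or range ('^19.0.0' -> 19)."""
    m = re.search(r"(\d+)", version_spec or "")
    return int(m.group(1)) if m else None

def installed_version(project_dir, pkg):
    """Prefer the version actually installed in node_modules over the declared range."""
    path = os.path.join(project_dir, "node_modules", pkg, "package.json")
    try:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh).get("version")
    except (OSError, ValueError):
        return None

def audit_manifest(manifest, project_dir=None):
    """Return (package, version) pairs from one package.json dict that need patch
    verification; only React 19 projects are in scope, as the article states."""
    deps = {}
    for key in ("dependencies", "devDependencies"):
        deps.update(manifest.get(key, {}))
    if major(deps.get("react")) != 19:
        return []
    findings = []
    for pkg in sorted(RSC_PACKAGES | RSC_FRAMEWORKS):
        if pkg in deps:
            version = (installed_version(project_dir, pkg) if project_dir else None) or deps[pkg]
            findings.append((pkg, version))
    return findings

def audit_tree(root):
    """Walk a source tree (skipping node_modules) and audit every package.json found."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]
        if "package.json" in filenames:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                found = audit_manifest(json.load(fh), dirpath)
            if found:
                results[dirpath] = found
    return results
```

Run audit_tree(path) over a checkout or deployment root; it lists only the projects that need checking and does not itself decide whether a listed version is already patched.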

The React2Shell incident demonstrates how quickly a critical vulnerability in a widely used library can be weaponized at scale. The speed of exploitation, with confirmed attacks beginning within 24 hours of disclosure, underscores the need for organizations to maintain real-time vulnerability management processes and incident response capabilities.

Final Takeaway

The convergence of cryptocurrency mining malware with a critical web framework vulnerability represents a growing trend in the threat landscape. Attackers are not just seeking data or access; they are directly monetizing compromised infrastructure through crypto mining operations. With the crypto market at significant valuations in December 2025 (BTC at $90,640 and ETH at $3,125), the financial incentives for such campaigns remain extremely strong. Organizations must treat web framework vulnerabilities with the same urgency as any other critical security flaw, as the economic motivations driving these attacks show no signs of diminishing.

Disclaimer: This article is for informational purposes only and does not constitute security advice. Consult with a qualified cybersecurity professional for specific guidance on protecting your infrastructure.


7 thoughts on “React2Shell Surge Exposes 250,000 Servers to Crypto Mining Malware Campaigns”

    1. 39% of cloud environments running vulnerable React versions according to Wiz. The patch gap is measured in days but the exploitation in hours.

        1. Yuki T.: The patch gap is the real problem. Meta disclosed the flaw on Dec 3 but exploitation started before that. Supply chain vulnerability discovery is adversarial now.

    2. xmrig deployed on 250K servers through a React RCE. Crypto mining malware is the monetization layer for every major vulnerability now.

        1. xmrig_var_: 250K servers with xmrig through a single RCE. Crypto mining malware is the default monetization for every critical CVE now.
