Active Exploitation of Critical Vulnerability in React Server Components (RSC)

Information:

  React is a JavaScript library used for building websites and web applications. It helps divide the user interface into smaller reusable parts called components, making development and maintenance easier. React primarily operates on the client side and updates the user interface efficiently without requiring full page reloads. It can work together with other tools and frameworks, such as Next.js. Today, React is widely used in both small-scale and large-scale web applications.

Incident:

  Widespread attacks have been detected targeting applications developed with React 19 and Next.js, particularly systems that have React Server Components (RSC) enabled. This vulnerability has been classified with the highest severity level (Critical), with details as follows:

  The vulnerability CVE-2025-55182 (React2Shell) originates from a flaw in the React Flight protocol, which is responsible for handling the serialization and deserialization of objects between the server and client. The core issue lies in insufficient type validation performed by the server-side parser during the deserialization process. As a result, an attacker can send a crafted HTTP POST request containing a malicious object with embedded system commands. When the server processes this payload, it can immediately lead to remote code execution (RCE) without requiring any authentication (pre-authentication).

  Based on threat intelligence monitoring, this vulnerability has been actively exploited in the wild by malicious actors across multiple attack scenarios, as detailed below.

  APT groups and cybercriminals have leveraged this vulnerability as an initial access vector to deploy EtherRAT malware, enabling remote system control and command execution. The attackers further expanded their access laterally across the internal network to reach critical systems and sensitive databases within the organization.

  Cloud system attacks have been observed involving attempts to read environment variables in order to steal cloud access keys (such as AWS, Azure, and GCP credentials), posing a high risk of large-scale compromise and takeover of the organization’s cloud infrastructure.

  Cryptocurrency mining malware deployment has been observed, where automated scripts scan for vulnerable servers and install XMRig (cryptominer), resulting in excessive consumption of server resources and degradation of overall system performance.

Recommendation:

  -  Verify and immediately update affected libraries to patched versions (React 19.0.3+, Next.js 15.0.7+).

  -  Configure a Web Application Firewall (WAF) with rules to detect and block abnormal HTTP requests, particularly malformed payloads in the request body targeting the RSC protocol.

  -  Monitor and investigate processes exhibiting abnormal resource consumption, such as sustained high CPU usage.

  -  Scan systems for Indicators of Compromise (IoCs) associated with EtherRAT and XMRig.

  -  Remove any unauthorized files or suspicious scheduled tasks from affected systems.

Security systems are what matter. We must stay vigilant and keep monitoring as usual.
For more information, please contact:
Email: sales@inetms.co.th
065 149 2822 (Ms.Suphatson)
063 204 4534 (Ms.Atsamaphorn)
065 929 6330 (Ms.Kansinee)
061 387 9439 (Ms.Sirilak)
092 257 6902 (Ms.Narusorn)
063 197 7510 (Mr.Yanotai)
065 725 7405 (Ms.Nattharini)

References:

  - https://www.microsoft.com/en-us/security/blog/2025/12/15/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components/
  - https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

Weekly Interesting CVE

1. CVE-2025-55182
   Published Date: 3/12/2025
   Last Update: 6/12/2025
   Device/Application/OS Target: React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0
   Attack Type: Execute code
   CVSS Severity Rating: 10.0
   Detail: A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
   Solution: Update to the patched version if your project uses packages in the react-server-dom-* family (e.g., webpack, turbopack, or parcel), as follows:
     19.0.0 -> 19.0.1 (or later)
     19.1.0, 19.1.1 -> 19.1.2 (or later)
     19.2.0 -> 19.2.1 (or later)
   Reference: https://www.cvedetails.com/cve/CVE-2025-55182/

2. CVE-2025-34319
   Published Date: 3/12/2025
   Last Update: 4/12/2025
   Device/Application/OS Target: TOTOLINK N300RT wireless router
   Attack Type: OS command injection
   CVSS Severity Rating: 9.3
   Detail: TOTOLINK N300RT wireless router firmware versions prior to V3.4.0-B20250430 (discovered in V2.1.8-B20201030.1539) contain an OS command injection vulnerability in the Boa formWsc handling functionality. An unauthenticated attacker can send specially crafted requests to trigger command execution via the targetAPSsid request parameter.
   Solution: Since the manufacturer released its latest firmware in 2020, support for this device may already have been discontinued; users should consider replacing the device to ensure security.
   Reference: https://www.cvedetails.com/cve/CVE-2025-34319/

3. CVE-2025-14174
   Published Date: 12/12/2025
   Last Update: 12/12/2025
   Device/Application/OS Target: Google Chrome on macOS prior to 143.0.7499.110
   Attack Type: Out-of-Bounds
   CVSS Severity Rating: 8.8
   Detail: Out-of-bounds memory access in ANGLE in Google Chrome on Mac prior to 143.0.7499.110 allowed a remote attacker to perform out-of-bounds memory access via a crafted HTML page.
   Solution: Upgrade to version 143.0.7499.110 or later.
   Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-14174

4. CVE-2025-13720
   Published Date: 2/12/2025
   Last Update: 4/12/2025
   Device/Application/OS Target: Google Chrome prior to 143.0.7499.41
   Attack Type: Incorrect Type Conversion or Cast
   CVSS Severity Rating: 8.8
   Detail: Bad cast in Loader in Google Chrome prior to 143.0.7499.41 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
   Solution: Upgrade to version 143.0.7499.41 or later.
   Reference: https://www.cvedetails.com/cve/CVE-2025-13720/

5. CVE-2025-64785
   Published Date: 12/9/2025
   Last Update: 12/12/2025
   Device/Application/OS Target: Adobe Acrobat Reader versions 20.005.30793, 20.005.30803, 24.001.30264, 24.001.30273, 25.001.20982 and earlier
   Attack Type: Untrusted Search Path
   CVSS Severity Rating: 8.4
   Detail: Acrobat Reader is affected by an Untrusted Search Path vulnerability that might allow attackers to execute arbitrary code in the context of the current user.
   Solution:
     Upgrade to 20.005.30838
     Upgrade to 24.001.30307 (for Windows)
     Upgrade to 24.001.30308 (for Mac)
     Upgrade to 25.001.20997
   Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-64785

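As an added example that is not part of this advisory or of the React project, the following Node.js script audits a package-lock.json (lockfileVersion 2 or 3, which carry a "packages" map) for the three react-server-dom-* packages named in entry 1 of the CVE table and flags every installed copy, including nested ones, that is older than the fixed release for its 19.x line, using the version mapping given in that entry. The sample lockfile is constructed.

```javascript
// Added example, not the advisory's own tooling: audit a package-lock.json
// (lockfileVersion 2 or 3, i.e. one with a "packages" map) for the
// react-server-dom-* packages listed in entry 1 of the CVE table.

// Fixed release per minor line, as given in the table.
const FIXED_BY_MINOR = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };
const AFFECTED = ["react-server-dom-webpack", "react-server-dom-turbopack", "react-server-dom-parcel"];

// Numeric comparison of dotted versions (-1, 0 or 1). A pre-release suffix such
// as "-canary-..." is dropped, so canaries of a vulnerable base are flagged too.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Vulnerable when the version is in an affected 19.x line and older than its fix.
function isVulnerable(version) {
  const [major, minor] = version.split(".");
  const fixed = FIXED_BY_MINOR[`${major}.${minor}`];
  return fixed !== undefined && compareVersions(version, fixed) < 0;
}

// Report every installed copy, including ones nested under other packages.
function auditLock(lock) {
  const findings = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    const name = info.name || path.slice(path.lastIndexOf("node_modules/") + 13);
    if (!AFFECTED.includes(name) || !info.version) continue;
    findings.push({ path, version: info.version, vulnerable: isVulnerable(info.version) });
  }
  return findings;
}

// Constructed sample lockfile: one nested vulnerable copy and one patched copy.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/react": { version: "19.2.0" },
  "node_modules/next/node_modules/react-server-dom-webpack": { version: "19.2.0" },
  "node_modules/react-server-dom-turbopack": { version: "19.1.2" },
} };

for (const f of auditLock(SAMPLE_LOCK))
  console.log(`${f.vulnerable ? "VULNERABLE" : "patched   "} ${f.path}@${f.version}`);
```

To check a real tree, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `auditLock` instead of the sample.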

Malware News or Campaign IOC/IOA | EN

1. CyberVolk's ransomware debut stumbles on cryptography weakness
   Detection Date: 13/12/2025
   Attack Type: ransomware-as-a-service (RaaS)
   Description: SentinelOne researchers discovered CyberVolk ransomware, from a pro-Russian hacktivist group that uses a ransomware-as-a-service (RaaS) model. The ransomware was found to have a flaw that allows encrypted files to be decrypted simply by retrieving the key, which is stored in plaintext within the binary on the machine. This enables victims to recover their files for free without paying the criminals. The pro-Russia hacktivist group, based in India, targets both government and private sectors opposed to Russia, focusing on devices running Linux/VMware ESXi and Windows operating systems.
   Mitigation/Remediation:
     • Install antivirus or EDR.
     • Provide security awareness training to employees within the organization.
     • Maintain a data backup system.
     • Conduct tabletop exercises for ransomware threats.
   Ref: https://www.bleepingcomputer.com/news/security/cybervolks-ransomware-debut-stumbles-on-cryptography-weakness/


23 December 2025
