644K+ Websites at Risk Due to Critical React Server Components Flaw

The Shadowserver Foundation has issued an urgent update regarding the critical “React2Shell” vulnerability, identifying a massive attack surface that remains exposed to potential exploitation.

Following targeted improvements to its scanning infrastructure on December 8, 2025, Shadowserver found that more than 644,000 domains and 165,000 unique IP addresses were still serving vulnerable instances of React Server Components.

Understanding the React2Shell Threat

The vulnerability, tracked as CVE-2025-55182, is a critical security flaw affecting React Server Components (RSC).

Security experts have dubbed the flaw “React2Shell” because of what it yields: an unauthenticated remote attacker can execute arbitrary code on the target server.

The issue stems from insecure deserialization in React’s “Flight” protocol, the wire format React Server Components use to exchange data between server and client. Because the server deserializes client-supplied Flight payloads, a crafted payload reaches server-side code before any application-level authentication takes place.

Because the flaw can be exploited over the network without user interaction or authentication, it has been assigned the highest possible severity ratings.

Shadowserver’s latest data reveals that despite the initial disclosure of the vulnerability earlier this month, a significant portion of the web remains unpatched.

The foundation collaborated with security partners ValidinLLC and leak_ix to refine its scanning techniques, which produced a more accurate count of affected systems than the initial scans.

The discovery of over 644,000 vulnerable domains indicates that many organizations have not yet applied the necessary security updates to their web applications and server environments.

Security teams and administrators are urged to check their systems immediately, both for vulnerable versions and for signs of compromise: applying the patch closes the hole but does not evict an attacker who exploited it before the update landed.

The widespread nature of this vulnerability makes it a prime target for automated exploitation campaigns, in which attackers scan the internet for unpatched servers to deploy ransomware or steal data.

Organizations using React Server Components should verify their deployments against the latest vendor advisories and apply the available patches promptly to close this critical security gap. Note that the vulnerable code is pulled in as a dependency of frameworks such as Next.js, so a project can be exposed without listing any React Server Components package directly in its own package.json.
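The verification step above is easy to get wrong by hand, because the Flight implementation lives in transitive dependencies and can appear more than once in a dependency tree. The following script is an added example, not code from the article or from the React project: it walks an npm lockfile (lockfileVersion 2 or 3), lists every copy of the react-server-dom-* packages (the assumption here is that these are the packages carrying the Flight protocol), and compares each version against a table of patched releases. The package names, the patched-version table and the embedded sample lockfile are assumptions for illustration; confirm the package list and the fixed versions against the current vendor advisory before relying on the result.

```javascript
// Added example: inventory React Server Components packages in an npm
// package-lock.json and flag versions below the patched release.
// Package names and patched versions below are assumptions to confirm
// against the vendor advisory for CVE-2025-55182.

const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// Patched release per 19.x minor line (assumed; verify against the advisory).
const FIXED_VERSIONS = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v));
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// "vulnerable": below the patched release for its minor line.
// "patched":    at or above the patched release.
// "review":     pre-release (canary/experimental) build or a line not in
//               the table; these need a manual check rather than a guess.
function classify(version) {
  const p = parseVersion(version);
  if (!p || p.pre) return "review";
  const fixed = FIXED_VERSIONS[`${p.major}.${p.minor}`];
  if (!fixed) return "review";
  return p.patch >= parseVersion(fixed).patch ? "patched" : "vulnerable";
}

// Walk the lockfile's "packages" map. Keys look like
// "node_modules/next/node_modules/react-server-dom-webpack"; the package
// name is the segment after the last "node_modules/". Nested copies are
// reported separately because each one is a separate exposure.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself
    const marker = "node_modules/";
    const idx = path.lastIndexOf(marker);
    const name = idx === -1 ? (entry.name || path) : path.slice(idx + marker.length);
    if (!RSC_PACKAGES.has(name)) continue;
    findings.push({ path, name, version: entry.version, status: classify(entry.version) });
  }
  return findings;
}

function summarize(findings) {
  const counts = { vulnerable: 0, patched: 0, review: 0 };
  for (const f of findings) counts[f.status] += 1;
  return counts;
}

// Constructed sample lockfile (not real project data): one top-level
// vulnerable copy, one patched nested copy, one canary build.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { next: "^15.0.0" } },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-tool/node_modules/react-server-dom-webpack": { version: "19.1.2" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.0-canary-abc123-20251101" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  // Usage: node audit-rsc.js [path/to/package-lock.json]
  const fs = require("fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  const findings = auditLockfile(lock);
  for (const f of findings) console.log(`${f.status.padEnd(10)} ${f.version.padEnd(32)} ${f.path}`);
  console.log(summarize(findings));
  process.exitCode = summarize(findings).vulnerable > 0 ? 1 : 0;
}

module.exports = { parseVersion, classify, auditLockfile, summarize, SAMPLE_LOCK };
```

Run it against a real lockfile with `node audit-rsc.js package-lock.json`; a non-zero exit code when any copy is classified as vulnerable lets it gate a CI pipeline. The "review" bucket is deliberate: canary and experimental builds carry their own version strings, and silently treating them as safe or unsafe would defeat the point of the check. A lockfile audit tells you what is installed, not what is deployed, so pair it with a check of the running hosts, as Shadowserver's numbers show that installed and patched are not the same thing.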
