vulnerability • high • Exploitation • Remote Code Execution • CVE-2025-55182

Dec 05, 2025 • GreyNoise Blog

CVE-2025-55182 (React2Shell) Opportunistic Exploitation In The Wild: What The GreyNoise Observation Grid Is Seeing So Far


Source: GreyNoise Blog
Category: vulnerability
Severity: high

Executive Summary

GreyNoise has identified active, opportunistic exploitation attempts targeting a critical remote code execution vulnerability within React Server Components, specifically the Flight protocol. Tracked as CVE-2025-55182 and colloquially known as React2Shell, this vulnerability allows attackers to execute arbitrary code on affected servers. Current observations indicate largely automated scanning and exploitation efforts rather than targeted campaigns by specific advanced persistent threat groups. The immediate impact involves potential unauthorized server access and compromise of web applications utilizing vulnerable RSC implementations. Organizations deploying React Server Components should prioritize patching and monitoring network traffic for anomalous Flight protocol requests. While no specific malware families or attributed threat actors have been confirmed in these initial waves, the automated nature suggests widespread scanning for vulnerable endpoints. Immediate mitigation involves updating React frameworks and implementing web application firewall rules to block exploitation attempts associated with this CVE.

Summary

GreyNoise is already seeing opportunistic, largely automated exploitation attempts consistent with the newly disclosed React Server Components (RSC) “Flight” protocol RCE—often referred to publicly as “React2Shell” and tracked as CVE-2025-55182.


Linked Entities

  • CVE-2025-55182