2.15M Next.js sites are exposed and being attacked — update ASAP.

Security teams around the world are rushing to fix systems after a major React vulnerability was revealed: CVE-2025-55182, also called “React2Shell.”

This flaw affects React Server Components (RSC) and has a maximum CVSS score of 10, meaning it’s extremely serious and easy for attackers to exploit.

According to Censys, over 2.15 million internet-facing services may be affected. This includes apps built with Next.js, Waku, React Router RSC, Vite RSC, Parcel RSC, and RedwoodSDK.

React2Shell (CVE-2025-55182)

This is a serious problem in React Server Components (RSC).

Some React server packages — react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack — do not safely handle JSON data.

Because of this, an unauthenticated attacker can send a crafted request and execute arbitrary JavaScript on the server.

In short: an attacker can take full control of the server remotely, with no login required.

Even apps that don’t directly use Server Functions can be at risk if they use RSC on the server.
Pure client-side React apps are safe.

This issue is already being exploited:

  • AWS reported China-linked groups using this flaw within a day.
  • Groups such as Earth Lamia and Jackpot Panda are compromising servers and installing malicious tooling.

CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, meaning it is actively being used in attacks and should be patched immediately.

Affected React Server Package Versions

These versions are vulnerable: 19.0.0, 19.1.0, 19.1.1, 19.2.0

Packages affected:

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

Impacted Frameworks and Tools:

  • Next.js (App Router)
  • React Router RSC preview
  • Waku
  • Vite RSC plugin
  • Parcel RSC plugin
  • RedwoodSDK

Next.js versions 14.3.0-canary.77 and later, all 15.x, and all 16.x using the App Router should be treated as vulnerable until patched.

Patch and Mitigation

Fixes are already available:

  • React patched versions: 19.0.1, 19.1.2, 19.2.1
  • Next.js patched versions: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7

Cloud providers like Cloudflare and AWS have added WAF rules to block known attacks.
⚠️ But WAFs can be bypassed, so patching is the only reliable fix.

What organizations should do:

  1. Check all public-facing systems using React Server Components (RSC), Next.js, or other affected frameworks.
  2. Confirm which versions are running and prioritize internet-exposed systems.
  3. Upgrade immediately to the latest patched versions and verify the updates are active.
  4. Treat any unpatched RSC-enabled service as high risk until updated and checked for compromise.
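Steps 2 and 3 above come down to comparing the versions actually installed with the lists in this post. The following is an added example, not code from this article, React or Next.js: it reads a lockfile's "packages" map and grades every copy of next and of the react-server-dom packages against those lists. The sample lockfile, the status labels and the treatment of unlisted 15.x/16.x lines as vulnerable are assumptions of this example.

```javascript
// Added example, not code from the article, React or Next.js: checks the packages recorded in a
// package-lock.json (lockfile v2/v3 "packages" map) against the version lists in this advisory.
const RSC_FIXED = { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' }; // fix per major.minor line
const PATCHED = {
  'react-server-dom-webpack': RSC_FIXED, 'react-server-dom-parcel': RSC_FIXED,
  'react-server-dom-turbopack': RSC_FIXED,
  next: { '15.0': '15.0.5', '15.1': '15.1.9', '15.2': '15.2.6', '15.3': '15.3.6',
          '15.4': '15.4.8', '15.5': '15.5.7', '16.0': '16.0.7' },
};
function parse(v) { // "MAJOR.MINOR.PATCH[-prerelease]" -> { nums, pre } or null
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  return m && { nums: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : null };
}
// Semver ordering: numeric core first; a prerelease ("canary.77") sorts below the plain release.
function cmp(a, b) {
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  if (!pa.pre || !pb.pre) return (pb.pre ? 1 : 0) - (pa.pre ? 1 : 0);
  for (let i = 0; i < Math.max(pa.pre.length, pb.pre.length); i++) {
    const [x, y] = [pa.pre[i], pb.pre[i]]; // numeric segments compare as numbers, else as strings
    if (x === undefined || y === undefined) return x === undefined ? -1 : 1;
    if (x !== y) return /^\d+$/.test(x) && /^\d+$/.test(y) ? x - y : (x < y ? -1 : 1);
  }
  return 0;
}
// 'patched', 'vulnerable' or 'not-listed' (package, or version, outside the ranges named above).
function assess(pkg, version) {
  const p = PATCHED[pkg] && parse(version); if (!p) return 'not-listed';
  const [major, minor] = p.nums;
  if (pkg === 'next' && major === 14) // 14.3.0-canary.77 and later are in the affected range
    return cmp(version, '14.3.0-canary.77') >= 0 ? 'vulnerable' : 'not-listed';
  if (pkg === 'next' ? major < 15 : major !== 19) return 'not-listed';
  const fixed = PATCHED[pkg][`${major}.${minor}`];
  if (!fixed) return pkg === 'next' ? 'vulnerable' : 'not-listed'; // 15.x/16.x line with no listed fix
  return cmp(version, fixed) >= 0 ? 'patched' : 'vulnerable';
}
// Walk every "packages" entry (nested node_modules copies included); entries outside node_modules,
// such as the root "" entry, resolve to no listed package and are dropped.
function scanLock(lock) {
  return Object.entries(lock.packages || {})
    .map(([path, meta]) => {
      const pkg = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
      return { path, pkg, version: meta.version, status: assess(pkg, meta.version) };
    })
    .filter((r) => r.status !== 'not-listed');
}
const SAMPLE_LOCK = { lockfileVersion: 3, packages: { // constructed sample, not a real project
  '': { name: 'demo-app' }, 'node_modules/next': { version: '15.4.6' },
  'node_modules/react-server-dom-webpack': { version: '19.2.0' }, 'node_modules/react-dom': { version: '19.2.0' },
  'node_modules/some-tool/node_modules/next': { version: '16.0.7' },
} };
```

Replace SAMPLE_LOCK with the parsed contents of a project's package-lock.json to scan a real tree; a second copy of next nested under another dependency's own node_modules is reported with its own path, which is where an otherwise patched project can still carry a vulnerable copy.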

About the Author:

FirstHackersNews - Identifies Security