{"id":8991,"date":"2025-12-06T10:03:47","date_gmt":"2025-12-06T10:03:47","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/12\/06\/2-15m-web-services-running-next-js-exposed-over-internet-active-exploitation-underway-patch-now\/"},"modified":"2025-12-06T10:03:47","modified_gmt":"2025-12-06T10:03:47","slug":"2-15m-web-services-running-next-js-exposed-over-internet-active-exploitation-underway-patch-now","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/12\/06\/2-15m-web-services-running-next-js-exposed-over-internet-active-exploitation-underway-patch-now\/","title":{"rendered":"2.15M Web Services Running Next.js Exposed Over Internet, Active Exploitation Underway \u2013 Patch Now"},"content":{"rendered":"<div>\n<p>A critical unauthenticated remote code execution vulnerability dubbed \u201c<a href=\"https:\/\/cybersecuritynews.com\/china-nexus-hackers-exploiting-react2shell-flaw\/\" target=\"_blank\" rel=\"noreferrer noopener\">React2Shell<\/a>\u201d is actively being exploited in the wild, putting millions of web services at risk.<\/p>\n<p>On December 3, React disclosed <a href=\"https:\/\/cybersecuritynews.com\/react-and-next-js-rce-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-55182<\/a>, a critical flaw in React Server Components with a CVSS score of 10.<\/p>\n<p>The vulnerability stems from insecure deserialization within the \u201cFlight\u201d protocol used by React Server Components.<\/p>\n<p>Attackers can execute arbitrary code on vulnerable servers by sending specially crafted HTTP requests to Server Function endpoints without requiring authentication. 
This allows threat actors to gain complete control of affected systems.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-active-exploitation-by-state-sponsored-groups\"><strong>Active Exploitation by State-Sponsored Groups<\/strong><\/h2>\n<p>Amazon Web Services researchers reported that <a href=\"https:\/\/cybersecuritynews.com\/china-nexus-hackers-exploiting-react2shell-flaw\/\" target=\"_blank\" rel=\"noreferrer noopener\">China-nexus threat actors<\/a>, including Earth Lamia and Jackpot Panda, began exploiting this vulnerability within 24 hours of its public disclosure.<\/p>\n<p>The attackers are targeting vulnerable cloud-hosted applications using React Server Components. Often, they deploy web shells and backdoors shortly after gaining initial access.<\/p>\n<figure class=\"wp-block-table is-style-stripes\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\"><strong>Field<\/strong><\/th>\n<th class=\"has-text-align-left\" data-align=\"left\"><strong>Details<\/strong><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>CVE-ID<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">CVE-2025-55182<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>CVSS Score<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">10.0 (Critical)<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>Vulnerability Type<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Unauthenticated Remote Code Execution<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\"><strong>Affected Versions<\/strong><\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">React 19.0.0, 19.1.0, 19.1.1, 19.2.0<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>As of December 5, CISA added <a href=\"https:\/\/cybersecuritynews.com\/poc-exploit-react-next-js\/\" 
target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-55182<\/a> to its Known Exploited Vulnerabilities Catalog, underscoring the severity and active exploitation of this flaw.<\/p>\n<p>GreyNoise has also documented opportunistic exploitation attempts against their honeypots, indicating widespread scanning and exploitation activity across the internet.<\/p>\n<p>According to <a href=\"https:\/\/censys.com\/advisory\/cve-2025-55182\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Censys<\/a>, approximately 2.15 million internet-facing web services may be affected by this vulnerability.<\/p>\n<p>These include exposed services running React Server Components and affected frameworks such as Next.js, Waku, React Router, and RedwoodSDK.<\/p>\n<p>While this count reflects software exposure rather than confirmed vulnerable versions, the scale of potential impact is significant given the popularity of these frameworks.<\/p>\n<p>The vulnerability affects React Server Components packages, including react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack, in versions 19.0.0 through 19.2.0.<\/p>\n<p>Multiple popular frameworks depend on these packages, including Next.js versions 14.3.0-canary.77 and above when using App Router, React Router RSC preview, Waku, Vite RSC Plugin, Parcel RSC Plugin, and RedwoodSDK.<\/p>\n<p>Pure client-side React applications that do not run server-side components are not affected.<\/p>\n<p>However, applications implementing <a href=\"https:\/\/cybersecuritynews.com\/react-and-next-js-rce-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">React Server<\/a> Components remain vulnerable even if they do not explicitly use Server Function endpoints.<\/p>\n<p>Fixed versions are now available. 
Organizations should immediately update to React 19.0.1, 19.1.2, or 19.2.1.<\/p>\n<p>Next.js users should upgrade to versions 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7 depending on their current version.<\/p>\n<p>While WAF providers, including Cloudflare and AWS, have deployed protective rule sets, some <a href=\"https:\/\/cybersecuritynews.com\/ivanti-endpoint-manager-vulnerabilities-proof-of-concept-poc-exploit-released\/\" target=\"_blank\" rel=\"noreferrer noopener\">proof-of-concept<\/a> exploits demonstrate bypass techniques. Patching remains the most reliable mitigation strategy.<\/p>\n<p>Given the active exploitation, maximum severity score, and widespread framework adoption, organizations running React Server Components should treat this as an emergency patch priority.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/2-15m-web-services-running-next-js-exposed\/\">2.15M Web Services Running Next.js Exposed Over Internet, Active Exploitation Underway \u2013 Patch Now<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Abinaya<\/p>\n","protected":false},"excerpt":{"rendered":"<p>2.15M Web Services Running Next.js Exposed Over Internet, Active Exploitation Underway \u2013 Patch Now A critical unauthenticated remote code execution vulnerability dubbed \u201cReact2Shell\u201d is actively being exploited in the wild, putting millions of web services at risk. 
On December 3, React disclosed CVE-2025-55182, a critical flaw in React Server Components with a CVSS score of [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,648],"tags":[130],"class_list":["post-8991","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8991"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=8991"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8991\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=8991"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=8991"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=8991"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}