React2Shell Was a Christmas Story. Seven Months Later Our Harvester Has Logged Two Dozen Exploit Repos for It — and One Landed Last Night. The Name Still Pulls.
- Patrick Duggan
- 1 hour ago
- 4 min read
Every major vendor wrote React2Shell up in December. Microsoft, Google, Wiz, Cloudflare, Rapid7, Zscaler, JFrog, Qualys, Sysdig — a wall of coverage the week it dropped, and then the news cycle did what it always does and moved on. Our exploit harvester did not move on, because it does not read the news; it watches GitHub. And what it has quietly recorded since is the part the disclosure-week coverage cannot show you: a 10.0 remote-code-execution bug does not get weaponized once. It gets weaponized on a cadence, by a rotating cast, for months, and it is still happening. Last night a fresh scanner for it landed in our feed. Seven months after the patch.
What React2Shell actually is, because it is worse than "a React bug"
CVE-2025-55182 is a pre-authentication remote code execution flaw, CVSS 10.0, in the React Server Components "Flight" protocol — a logical deserialization bug where the server takes an RSC payload from a single crafted POST request, deserializes it unsafely, and runs attacker-controlled code under the Node runtime. No login, no user interaction, one request. The detail that makes it a generational problem rather than a niche one: a standard Next.js application created with create-next-app and built for production is vulnerable with no code changes by the developer. The default is exploitable. That is an enormous installed base — a large fraction of the modern JavaScript web is a default Next.js build — and it is why "React2Shell" became a name people remember. The early payloads were mostly coin miners, which undersells it; a pre-auth RCE that runs Node on the box is a foothold, and a miner is just the laziest thing to do with a foothold.
What our harvester saw that the December writeups could not
Our exploit harvester sweeps GitHub for public exploit and scanner code against tracked CVEs and records each one with a timestamp. For CVE-2025-55182, the ledger is not a handful of proofs-of-concept. It is roughly two dozen distinct repositories across two months, and the shape of it tells the story better than the count.
On May 20, 2026, ten separate accounts published React2Shell tooling on the same day — scanners, exploits, "shellinteractive" variants, a "Blackash" build. That is not ten researchers independently having the same idea; that is a weaponization burst, the moment a bug crosses from "disclosed" to "commodity" and the tooling factories all ship at once. Then it kept going, one or two a week, for months: renewablehacking, Jenderal92's explicitly-named React2shell repo, K3ysTr0K3R's EXPLOIT, a JEFAZO checker, SentinelX, litndat's PoC, Herick-Costa's RCE build, diamorphine666's exploit in July — and last night, Saturate's scanner, which is the entry that showed up in our morning hunt digest and started this. Two dozen accounts, one 10.0, seven months, and the line is still being drawn.
The name is the lure, in both directions
Here is the part worth sitting with, and it is the honest one: not all two dozen of these are attackers. React2Shell is a marquee name, and a marquee name pulls red-teamers and researchers as much as it pulls operators — a scanner for a famous 10.0 is exactly the thing a legitimate pentester builds to check their client's Next.js fleet. We are not going to flatten a security researcher's checker and a criminal's mass-exploiter into the same bucket on the repo name alone, and our detectors are built specifically not to. But the volume itself is the signal regardless of the split: a bug that is still generating two dozen public tools seven months after its patch is a bug whose exploitation surface has not shrunk, because the vulnerable installed base has not shrunk. Every default Next.js app that has not been rebuilt on 19.0.1, 19.1.2, or 19.2.1 is still standing in front of every one of these tools.
The name pulls one more way we have already documented: React2Shell was one of the bait CVEs in the ChocoPoC campaign we wrote up yesterday — the operation that trojanized fake proof-of-concept repos to hit the researchers who go looking for exactly this kind of tooling. So React2Shell is simultaneously a real weaponization magnet and a lure used to poison the people chasing it. A famous name is an attractive surface from every angle.
What to do
If you run Next.js or anything on React Server Components, this is not a "we'll get to it" item, patched-in-December or not — the exploit tooling for it is fresher than your last deploy probably is. Confirm your React packages are on 19.0.1, 19.1.2, or 19.2.1 or later, and understand that "we don't use RSC directly" is not a defense, because a default production Next.js build enables the vulnerable path for you. Check your egress for the coin-miner and second-stage traffic that this bug's payloads favor, because a foothold established months ago does not announce itself. And if you build or run PoCs against it, assume some of the two dozen repos with its name on them are ChocoPoC-class traps and detonate them in something disposable.
We hold this at 95 percent. We did not find React2Shell — it is one of the most-covered CVEs of the last year and we credit the vendors who dissected it. What we have that a disclosure-week blog does not is the longitudinal view: the timestamped record that this specific name has been drawing exploit tooling continuously for seven months, in a burst and then a steady drip, and that the drip has not stopped. The news covers a vulnerability the week it breaks. The harvester covers the years afterward when it is quietly, relentlessly still being weaponized — which is the whole window an unpatched box actually lives in.
Sources: CVE-2025-55182 / React2Shell vendor advisories (Microsoft, Google Cloud, Wiz, Cloudflare, Rapid7, Zscaler, JFrog, Qualys, Sysdig, Unit 42); DugganUSA exploit-harvester ledger (May–July 2026) and prior ChocoPoC coverage (2026-07-13), queried directly.
Every indicator in this post is in the feed. Free.
1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.




Comments