
React/Next.js RSC Flight insecure deserialization RCE (multiple vulnerabilities)

Type: Vulnerability · Happening score: 66 · 2 unique sources, 3 articles

Summary


React2Shell, an insecure deserialization flaw in the React Server Components (RSC) Flight protocol, is being exploited in the wild to achieve unauthenticated remote code execution in React and Next.js applications. The flaw is tracked as CVE-2025-55182 and CVE-2025-66478, and fixed releases are available for affected React and Next.js builds. Recent reporting shows ransomware, nation-state activity, and other criminal abuse emerging quickly after disclosure, including a Weaxor ransomware incident on December 5 that moved from initial access to encryption in less than a minute.

Related Happenings

RoshniNaveenaS's account hit by network compromise

Incident
First: 29.04.2026 19:26 Last: 29.04.2026 19:26 Sources 1

About this happening: The **RoshniNaveenaS** account was **compromised**, enabling attackers to publish malicious **@cap-js** releases without provenance and putting downstream **npm** consumers at ris...

WAVESHAPER.V2 trojanized Axios npm packages

Malware Activity
First: 03.04.2026 14:04 Last: 03.04.2026 14:04 Sources 1

About this happening: The **WAVESHAPER.V2** implant was embedded in **trojanized Axios npm package releases**, creating downstream supply-chain risk for **npm users**. The malicious code was published...

UNC1069 Axios npm supply-chain campaign targeting build pipelines

Campaign
First: 01.04.2026 10:44 Last: 01.04.2026 10:44 Sources 1

About this happening: The **Axios npm supply-chain compromise** has been tied to **UNC1069**, putting **npm consumers** and downstream **build pipelines** at risk from trojanized releases. Attackers se...

Latest development: 13.04.2026 20:39

OpenAI is revoking and rotating potentially exposed macOS code-signing certificates after a GitHub Actions workflow executed a compromised Axios package version 1.14.1 during a March 31, 2026 supply-chain attack. The workflow had access to certificates used to sign ChatGPT Desktop, Codex, Codex CLI, and Atlas, and OpenAI says it found no evidence that user data, systems, intellectual property, or the signing certificate were compromised.

Jason Saayman hit by network compromise

Incident
First: 31.03.2026 16:53 Last: 31.03.2026 16:53 Sources 1

About this happening: The **Axios** npm package was compromised after maintainer **Jason Saayman**'s **npm account** was taken over, and malicious versions were published to the registry. The release c...

Latest development: 01.04.2026 12:00

Google Threat Intelligence Group attributed the Axios npm supply-chain compromise to UNC1069, citing the use of WAVESHAPER.V2 and describing the actor as financially motivated and North Korea-nexus. GTIG also warned that malicious axios releases v1.14.1 and v0.30.4, delivered through Jason Saayman’s compromised account and plain-crypto-js, could have a broad blast radius across dependent packages and developer environments.

React2Shell (CVE-2025-55182) mass scanning and exploitation wave

Exploitation Wave
First: 20.02.2026 23:07 Last: 20.02.2026 23:07 Sources 1

How related: Palo Alto Networks reports that more than 30 organizations have already been compromised through the React2Shell flaw, with attackers exploiting the vulnerability to run commands, conduct reconnaissance, and attempt to steal AWS configuration and credential files.

About this happening: **CVE-2025-55182 (React2Shell)** is being **actively exploited** across **React Server Components (RSC)** and **Next.js** environments, with reports now adding a **ransomware gang...

Timeline

  1. 09.12.2025 20:25 2 articles · 5mo ago

    North Korea-linked actors exploit React2Shell to deploy EtherRAT

    Exploitation Observed

    North Korea-linked threat actors are likely exploiting CVE-2025-55182 in affected React Server Components (RSC) deployments to execute a Base64-encoded shell command, download a shell script, fetch Node.js v20.10.0 from nodejs.org, and deploy the EtherRAT remote access trojan with Ethereum smart contract-based C2 resolution.

  2. 04.12.2025 17:11 1 article · 5mo ago

    React and Next.js publish fixes for React2Shell

    Mitigation Patch Update

    React identifies affected versions 19.0, 19.1.0, 19.1.1, and 19.2.0, while Next.js is impacted in experimental canary releases starting with 14.3.0-canary.77 and in 15.x and 16.x releases below the patched builds. Fixed releases are available in React 19.0.1, 19.1.2, and 19.2.1 and in Next.js 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7; organizations are advised to audit deployments and patch vulnerable versions.

  3. 29.11.2025 02:00 1 article · 5mo ago

    Lachlan Davidson reports React2Shell to React

    Initial Disclosure

    Security researcher Lachlan Davidson discovers a maximum-severity insecure deserialization flaw in the React Server Components (RSC) Flight protocol and reports it to React on November 29, 2025 after finding that a specially crafted HTTP request to React Server Function endpoints can trigger unauthenticated remote code execution in React and Next.js applications.

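A small audit helper for the patch update in the timeline above, added here as an example and not code from React, Next.js or the original page. It encodes only the affected and fixed versions the patch update lists, so the "react" and "next" package names and the sample dependency map are the assumptions; any version line the advisory does not mention is reported as not-listed rather than guessed.

```python
import re

# Affected and fixed versions exactly as listed in the 04.12.2025 patch update.
# Each minor line maps to the first patched patch number.
REACT_FIXED = {(19, 0): 1, (19, 1): 2, (19, 2): 1}
NEXT_FIXED = {(15, 0): 5, (15, 1): 9, (15, 2): 6, (15, 3): 6,
              (15, 4): 8, (15, 5): 7, (16, 0): 7}
# Experimental canaries are affected from 14.3.0-canary.77 onward (only the
# start point is named above, so later canaries are compared against it).
NEXT_CANARY_START = (14, 3, 0, 77)

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-canary\.(\d+))?$")

def parse(version):
    """Return (major, minor, patch, canary); canary is None for stable releases."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, canary = m.groups()
    return int(major), int(minor), int(patch or 0), (int(canary) if canary else None)

def react_status(version):
    major, minor, patch, canary = parse(version)
    fixed = REACT_FIXED.get((major, minor))
    if fixed is None or canary is not None:
        return "not-listed"          # the advisory names no fix for this line
    return "vulnerable" if patch < fixed else "patched"

def next_status(version):
    major, minor, patch, canary = parse(version)
    if canary is not None:
        affected = (major, minor, patch, canary) >= NEXT_CANARY_START
        return "vulnerable" if affected else "not-listed"
    fixed = NEXT_FIXED.get((major, minor))
    if fixed is None:
        return "not-listed"
    return "vulnerable" if patch < fixed else "patched"

CHECKS = {"react": react_status, "next": next_status}

def audit(dependencies):
    """dependencies: {package: installed version}; returns a status per checked package."""
    return {name: CHECKS[name](ver) for name, ver in dependencies.items() if name in CHECKS}

if __name__ == "__main__":
    # Constructed sample of resolved lockfile versions, not taken from any real project.
    sample = {"react": "19.1.1", "next": "15.4.7", "axios": "1.13.0"}
    for pkg, status in audit(sample).items():
        print(f"{pkg}: {status}")
```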