React2Shell: 77,000 exposed servers, massive exploitation within hours

security, react, eco-design, performance

On December 3rd, Meta disclosed CVE-2025-55182: a critical 10/10 vulnerability in React Server Components. Exploited just hours later by Chinese hackers. The US cybersecurity agency added it to its emergency catalog on December 5th.

The technical problem

React Server Components allows server-side code execution via the "Flight" protocol. The server accepts requests without verifying their origin. An attacker sends a crafted request → the server accepts it → malicious code execution. No authentication required. Success rate close to 100%.

In practice: complete server takeover. Data theft, malware installation, database access.

39% of cloud environments have at least one vulnerable instance. React has become the default choice, driven by AI coding tools and tutorials. The result: a single vulnerability puts tens of thousands of sites at risk simultaneously.

What happened

  • December 3rd: Meta announces the vulnerability and releases a patch. Hours later, Chinese groups Earth Lamia and Jackpot Panda are already exploiting it.
  • December 5th: 77,664 vulnerable servers detected. More than 30 organizations compromised.
  • Observed attacks: crypto mining, AWS credential theft, backdoor installation.

The domino effect

Cloudflare activates emergency protections. This change causes 25 minutes of downtime: 28% of Cloudflare's HTTP traffic becomes inaccessible. Zoom, LinkedIn, Coinbase, Canva: all down. Complexity fighting complexity.

Simpler solutions exist

  • Pre-generate pages at build time
  • Only make dynamic what needs to be
  • Add interactivity where it's actually useful

The principle: less complexity = fewer vulnerabilities. A simple site doesn't expose 200,000 lines of code to the internet.

Less complexity = less attack surface. Eco-design isn't just about CO2 — it's also structural security.

React Server Components targets very complex applications (dashboards, internal business tools), but other solutions exist for that use case. And for the majority of sites with more straightforward needs, lightweight approaches do the job perfectly well.

Sources: React Advisory, AWS Threat Intel, Wiz Research, Shadowserver, Cloudflare
