CFC is alerting clients and brokers about a newly disclosed vulnerability in React, a widely used JavaScript library for building web applications. The flaw is being actively exploited, so we strongly encourage businesses to review their systems and patch promptly.
What’s happened
On 3 December 2025, a new vulnerability, tracked as CVE-2025-55182, was publicly disclosed in React Server Components, a feature of React used by many modern websites and web frameworks. React, originally developed by Meta and now open source, is a core library for building dynamic, interactive websites. The vulnerability allows an attacker to send a specially crafted request to a server that handles React Server Components and have that server run code of the attacker’s choosing, without needing to log in first.
It has been given a CVSS score of 10.0, the highest possible severity rating, because it can be exploited remotely by anyone who can reach the server and gives the attacker the ability to run their own code on it. Because React is so widely used, the exposure is broad: e-commerce platforms, healthcare portals and other businesses that rely on React for their web presence may be affected. Proof-of-concept exploit code, along with scanning tools that identify servers running React, is already publicly available, which makes it easy for attackers to find and compromise vulnerable servers.
Why this matters
If exploited, the vulnerability can give attackers full control of the affected server, including access to sensitive data, payment information or user credentials. For businesses hosting their websites on internal infrastructure the risk is greater still: an attacker could move laterally across the network, disable security tools or install persistent backdoors. Cloud-hosted sites are also at risk of data theft, defacement or disruption.
If your systems have already been compromised, patching alone does not resolve the risk. An attacker who gained access before the patch was applied can leave behind beacons, web shells or other persistent malware that sits dormant in your environment. These can be activated weeks, months or even years later, letting the attacker regain access, steal data or launch further attacks long after the original vulnerability has been fixed. Businesses should therefore not only patch promptly but also have their IT teams check for signs of compromise, using tools such as endpoint detection and response (EDR), to confirm that nothing malicious has been left behind.
The vulnerability has been nicknamed “React2Shell” by the security community, echoing earlier high-profile flaws such as “Log4Shell”, where exploitation began almost immediately after disclosure and continued for years afterwards.
What should businesses do?
Immediate actions:
- Check for signs of compromise. Attackers may already have installed backdoors or created new user accounts. Run endpoint detection and response (EDR) tools and review web server and application logs for suspicious activity, including unexpected processes started by the Node.js application.
- If malicious activity is found, treat it as an incident: preserve evidence (logs and, where possible, a memory capture) before making changes, then restart the Node.js process. A restart clears implants that live only in memory, but it does not remove web shells, scheduled tasks, new accounts or other persistence written to disk, and an unpatched process can simply be re-exploited once it is back up. Continue with EDR and incident response steps to contain and recover.
- Regardless of whether you find signs of compromise, apply the official React fix: upgrade the affected React Server Components packages (and any framework that bundles them, such as Next.js) to a patched version and redeploy the application. This restarts the application but does not require rebooting the server, and for most deployments it takes only a few minutes.
- If you notice anything unusual, contact your IT team or CFC’s cyber response team for support.
For brokers:
Encourage your clients to act quickly. Delays in patching increase the risk of compromise and of claims. Clients should also be aware that even after patching, further checks may be needed to confirm that no malicious activity persists.
CFC monitoring & support
CFC’s proactive cyber team is monitoring the situation and has been sending notifications to those at risk and those already compromised. Our priority is to help businesses prevent incidents before they occur. If you have questions or need support, please contact our cyber response team via the Response app, our website or at customersupport@cfc.com.