Internet-Scale Measurement of React2Shell Exploitation Using an Active Network Telescope

arXiv:2603.12300v1 Announce Type: new
Abstract: The increasing adoption of server-side component-based web frameworks has introduced new application-layer attack surfaces that remain insufficiently understood at Internet scale. On 3 December 2025, a critical remote code execution vulnerability (CVE-2025-55182) in React Server Components, referred to as React2Shell, was publicly disclosed and subsequently observed being exploited in the wild. Despite its critical severity and a CVSS base score of 10.0, there is limited empirical understanding of how this vulnerability is exploited across the Internet. This paper presents the first Internet-scale measurement study of React2Shell exploitation activity using traffic collected from an Active Network Telescope. We developed a deterministic detection methodology that identifies exploitation attempts targeting endpoints implementing React Server components. It helped analyze exploitation traffic to characterize its temporal evolution, geographic and autonomous system-level distribution, and behavioral properties of the observed scanning activity. In addition, exploit payloads are examined to understand the attacker infrastructure and delivery mechanisms. The analysis reported rapid post-disclosure exploitation activity exhibiting patterns consistent with automated scanning campaigns, geographically distributed scanners, and concentrated backend infrastructure. To the best of our knowledge, this work provides the first quantitative characterization of React2Shell-triggered scanning activity, including the number of distinct scanners, their geographic and autonomous system distribution, and the scale of backend infrastructure involved in exploitation attempts.