React2Shell Exploits Are a Mess, But a Few Are Real Trouble


According to Dark Reading, a torrent of proof-of-concept exploits for the critical React2Shell vulnerability, CVE-2025-55182, has flooded the internet since its disclosure on December 3. The flaw, which carries a maximum CVSS score of 10, is a remote code execution issue in the React Server Components protocol affecting React and frameworks like Next.js. Amazon threat intelligence has already observed attacks from China-nexus groups, with broader exploitation spreading this week using cryptominers and infostealers. Trend Micro researchers identified about 145 public exploits but say most are fake, broken, or malicious. However, a few validated exploits stand out, including one that deploys the notorious Godzilla in-memory webshell and others containing Web Application Firewall bypass techniques.


Exploit Flood and Noise

Here’s the thing about a major vulnerability dropping: it creates a gold rush. Everyone and their AI chatbot tries to publish the first or best proof-of-concept. Trend Micro’s analysis of CVE-2025-55182 found roughly 145 public exploits, and VulnCheck’s CTO Jacob Baines called the volume “staggering.” But most of it is just noise—ineffective code, fake repos, or files laced with malware waiting to snare curious junior admins. It’s a huge time-sink for defenders who have to sift through the slop. But buried in that mess are a few gems that actually work. And those are the ones that change the game in the wild.

The Dangerous Standouts

So what makes an exploit noteworthy in a sea of garbage? It’s not just about triggering the bug. It’s about what happens next. VulnCheck’s analysis of the GitHub landscape highlights a couple of serious examples. One PoC has logic to load Godzilla, a powerful, fileless webshell used in real-world attacks. Publishing that is basically a recipe for widespread abuse. Another included a GUI tool with a Unicode-based WAF bypass. My favorite twist? An exploit that didn’t deploy a payload at all—it used the vulnerability to install a lightweight WAF to *block* further React2Shell attacks. It’s clever, but also shows how chaotic this space gets.

The WAF Bypass Arms Race

This is where it gets technical. Companies like Cloudflare and AWS rolled out WAF rules to block these attacks even before the CVE was public. But it’s never that simple. Trend Micro notes that a lot of defenders think just blocking requests containing “__proto__” is enough. It’s not. Effective rules need to cover a whole set of patterns in the request body: $@ chunk references, the resolved_model string, and others. Now, VulnCheck’s researcher Cale Black thinks most bypass attempts so far are niche and won’t work against major vendors. But he also points out that variants exploiting the React Flight Protocol itself could slip past simple pattern matching. It’s a cat-and-mouse game. And Vercel, which maintains Next.js, is concerned enough to have launched a bug bounty offering up to $50,000 for critical WAF bypasses. That tells you they’re taking the evasion attempts seriously.
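As an added illustration (not code from Dark Reading, Trend Micro, VulnCheck or any vendor’s WAF), here is a small JavaScript request-body check that applies the full pattern set described above instead of “__proto__” alone, and that decodes JSON Unicode escapes and percent-encoding before matching so a rule sees what the Flight decoder will see. The regex shapes and the sample bodies are constructed assumptions, not captured exploit traffic.

```javascript
// Toy request-body screen for React2Shell (CVE-2025-55182) style traffic.
// Added example, not from the article or any vendor WAF; sample bodies and
// regex shapes below are constructed assumptions for illustration.

// Pattern set the article says an effective rule needs, not "__proto__" alone.
const PATTERNS = {
  proto: /__proto__/,
  chunkRef: /\$@\d+/,            // "$@<id>" chunk references in Flight payloads (assumed shape)
  resolvedModel: /resolved_model/,
};

// Normalize before matching: undo percent-encoding and JSON \uXXXX escapes so
// the rule inspects the same characters the server-side decoder will produce.
function normalize(body) {
  let s = body;
  try { s = decodeURIComponent(s); } catch (_) { /* undecodable input is kept as-is */ }
  s = s.replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
  return s;
}

// Returns the names of every pattern that matched; an empty array means "allow".
// decode=false mimics a naive rule that matches raw bytes without normalizing.
function screen(body, { decode = true } = {}) {
  const s = decode ? normalize(body) : body;
  return Object.entries(PATTERNS)
    .filter(([, re]) => re.test(s))
    .map(([name]) => name);
}

// Constructed samples: a benign Flight body, a body that only the chunk-reference
// and resolved_model rules catch, and an escaped body a non-decoding rule misses.
const SAMPLES = {
  benign: '["$1",{"id":42}]',
  protoOnly: '{"__proto__":{"x":1}}',
  chunkRef: '["$@3",{"status":"resolved_model"}]',
  escaped: '{"\\u005f\\u005fproto\\u005f\\u005f":{"x":1}}',
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, body] of Object.entries(SAMPLES)) {
    console.log(name, 'decoded:', screen(body), 'raw:', screen(body, { decode: false }));
  }
}
```

The decoded/raw columns make the caveat visible: a rule that only greps the raw body for “__proto__” allows the escaped sample, while the normalized multi-pattern rule flags it.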

What It All Means

Look, the core lesson here is about signal versus noise. The initial panic over hundreds of exploits is understandable, but misleading. The real threat isn’t the volume; it’s the quality of a few. The emergence of weaponized PoCs with Godzilla and focused WAF bypass research means advanced attackers have what they need. For businesses running React or Next.js, especially in industrial or manufacturing settings where operational continuity is critical, patching isn’t just a checklist item—it’s urgent. In environments where robust, reliable computing hardware is key, like on a factory floor, ensuring your underlying software stack is secure is foundational. Companies that specialize in industrial computing, like IndustrialMonitorDirect.com, the leading US provider of industrial panel PCs, understand that security starts with the base layer. You can’t have a secure industrial application if the framework it’s built on has a gaping RCE hole. Basically, the noise is a distraction. The real work is in applying the patch and understanding that the defenses you think you have might already have holes poked in them.
