Saved in:
Bibliographic Details
Main Authors: Singh, Aakash, Yadav, Kuldeep Singh, Ansari, Md Talib Hasan, Kumar, V. Anil
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2603.12300
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866912963607134208
author Singh, Aakash
Yadav, Kuldeep Singh
Ansari, Md Talib Hasan
Kumar, V. Anil
author_facet Singh, Aakash
Yadav, Kuldeep Singh
Ansari, Md Talib Hasan
Kumar, V. Anil
contents The increasing adoption of server-side component-based web frameworks has introduced new application-layer attack surfaces that remain insufficiently understood at Internet scale. On 3 December 2025, a critical remote code execution vulnerability (CVE-2025-55182) in React Server Components, referred to as React2Shell, was publicly disclosed and subsequently observed being exploited in the wild. Despite its critical severity and a CVSS base score of 10.0, there is limited empirical understanding of how this vulnerability is exploited across the Internet. This paper presents the first Internet-scale measurement study of React2Shell exploitation activity using traffic collected from an Active Network Telescope. We developed a deterministic detection methodology that identifies exploitation attempts targeting endpoints implementing React Server components. It helped analyze exploitation traffic to characterize its temporal evolution, geographic and autonomous system-level distribution, and behavioral properties of the observed scanning activity. In addition, exploit payloads are examined to understand the attacker infrastructure and delivery mechanisms. The analysis reported rapid post-disclosure exploitation activity exhibiting patterns consistent with automated scanning campaigns, geographically distributed scanners, and concentrated backend infrastructure. To the best of our knowledge, this work provides the first quantitative characterization of React2Shell-triggered scanning activity, including the number of distinct scanners, their geographic and autonomous system distribution, and the scale of backend infrastructure involved in exploitation attempts.
format Preprint
id arxiv_https___arxiv_org_abs_2603_12300
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle Internet-Scale Measurement of React2Shell Exploitation Using an Active Network Telescope
Singh, Aakash
Yadav, Kuldeep Singh
Ansari, Md Talib Hasan
Kumar, V. Anil
Cryptography and Security
Networking and Internet Architecture
The increasing adoption of server-side component-based web frameworks has introduced new application-layer attack surfaces that remain insufficiently understood at Internet scale. On 3 December 2025, a critical remote code execution vulnerability (CVE-2025-55182) in React Server Components, referred to as React2Shell, was publicly disclosed and subsequently observed being exploited in the wild. Despite its critical severity and a CVSS base score of 10.0, there is limited empirical understanding of how this vulnerability is exploited across the Internet. This paper presents the first Internet-scale measurement study of React2Shell exploitation activity using traffic collected from an Active Network Telescope. We developed a deterministic detection methodology that identifies exploitation attempts targeting endpoints implementing React Server components. It helped analyze exploitation traffic to characterize its temporal evolution, geographic and autonomous system-level distribution, and behavioral properties of the observed scanning activity. In addition, exploit payloads are examined to understand the attacker infrastructure and delivery mechanisms. The analysis reported rapid post-disclosure exploitation activity exhibiting patterns consistent with automated scanning campaigns, geographically distributed scanners, and concentrated backend infrastructure. To the best of our knowledge, this work provides the first quantitative characterization of React2Shell-triggered scanning activity, including the number of distinct scanners, their geographic and autonomous system distribution, and the scale of backend infrastructure involved in exploitation attempts.
title Internet-Scale Measurement of React2Shell Exploitation Using an Active Network Telescope
topic Cryptography and Security
Networking and Internet Architecture
url https://arxiv.org/abs/2603.12300