Internet-Scale Measurement of React2Shell Exploitation Using an Active Network Telescope

Computer Science > Cryptography and Security [Submitted on 12 Mar 2026] Internet-Scale Measurement of React2Shell Exploitation Using an Active Network Telescope Aakash Singh, Kuldeep Singh Yadav, Md Talib Hasan Ansari, V. Anil Kumar The increasing adoption of server-side component-based web frameworks has introduced new application-layer attack surfaces that remain insufficiently understood at Internet scale. On 3 December 2025, a critical remote code execution vulnerability (CVE-2025-55182) in React Server Components, referred to as React2Shell, was publicly disclosed and subsequently observed being exploited in the wild. Despite its critical severity and a CVSS base score of 10.0, there is limited empirical understanding of how this vulnerability is exploited across the Internet. This paper presents the first Internet-scale measurement study of React2Shell exploitation activity using traffic collected from an Active Network Telescope. We developed a deterministic detection methodology that identifies exploitation attempts targeting endpoints implementing React Server components. It helped analyze exploitation traffic to characterize its temporal evolution, geographic and autonomous system-level distribution, and behavioral properties of the observed scanning activity. In addition, exploit payloads are examined to understand the attacker infrastructure and delivery mechanisms. The analysis reported rapid post-disclosure exploitation activity exhibiting patterns consistent with automated scanning campaigns, geographically distributed scanners, and concentrated backend infrastructure. To the best of our knowledge, this work provides the first quantitative characterization of React2Shell-triggered scanning activity, including the number of distinct scanners, their geographic and autonomous system distribution, and the scale of backend infrastructure involved in exploitation attempts. Subjects: Cryptography and Security (cs.CR); Networking and Internet Architecture (cs.NI) Cite as: arXiv:2603.12300 [cs.CR]   (or arXiv:2603.12300v1 [cs.CR] for this version)   https://doi.org/10.48550/arXiv.2603.12300 Focus to learn more Submission history From: Kuldeep Singh Yadav PhD [view email] [v1] Thu, 12 Mar 2026 05:29:00 UTC (1,584 KB) Access Paper: HTML (experimental) view license Current browse context: cs.CR < prev   |   next > new | recent | 2026-03 Change to browse by: cs cs.NI References & Citations NASA ADS Google Scholar Semantic Scholar Export BibTeX Citation Bookmark Bibliographic Tools Bibliographic and Citation Tools Bibliographic Explorer Toggle Bibliographic Explorer (What is the Explorer?) Connected Papers Toggle Connected Papers (What is Connected Papers?) Litmaps Toggle Litmaps (What is Litmaps?) scite.ai Toggle scite Smart Citations (What are Smart Citations?) Code, Data, Media Demos Related Papers About arXivLabs Which authors of this paper are endorsers? | Disable MathJax (What is MathJax?)