The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged federal agencies to patch the recent React2Shell vulnerability by December 12, 2025, amid reports of widespread exploitation.
The critical vulnerability, tracked as CVE-2025-55182 (CVSS score: 10.0), affects the React Server Components (RSC) Flight protocol. The underlying cause of the issue is an unsafe deserialization that allows an attacker to inject malicious logic that the server executes in a privileged context. It also affects other frameworks, including Next.js, Waku, Vite, React Router, and RedwoodSDK.
“A single, specially crafted HTTP request is sufficient; there is no authentication requirement, user interaction, or elevated permissions involved,” Cloudforce One, Cloudflare’s threat intelligence team, said. “Once successful, the attacker can execute arbitrary, privileged JavaScript on the affected server.”
Since its public disclosure on December 3, 2025, the shortcoming has been exploited by multiple threat actors in various campaigns to engage in reconnaissance efforts and deliver a wide range of malware families.
The development prompted CISA to add it to its Known Exploited Vulnerabilities catalog last Friday, giving federal agencies until December 26 to apply the fixes. The deadline has since been revised to December 12, 2025, an indication of the severity of the incident.
Cloud security company Wiz said it has observed a “rapid wave of opportunistic exploitation” of the flaw, with a vast majority of the attacks targeting internet-facing Next.js applications and other containerized workloads running in Kubernetes and managed cloud services.
 |
| Image Source: Cloudflare |
Cloudflare, which is also tracking ongoing exploitation activity, said threat actors have conducted searches using internet-wide scanning and asset discovery platforms to find exposed systems running React and Next.js applications. Notably, some of the reconnaissance efforts have excluded Chinese IP address spaces from their searches.
“Their highest-density probing occurred against networks in Taiwan, Xinjiang Uyghur, Vietnam, Japan, and New Zealand – regions frequently associated with geopolitical intelligence collection priorities,” the web infrastructure company said.
The observed activity is also said to have targeted, albeit more selectively, government (.gov) websites, academic research institutions, and critical‑infrastructure operators. This included a national authority responsible for the import and export of uranium, rare metals, and nuclear fuel.
Some of the other notable findings are listed below –
- Prioritizing high‑sensitivity technology targets such as enterprise password managers and secure‑vault services, likely with the goal of perpetrating supply chain attacks
- Targeting edge‑facing SSL VPN appliances whose administrative interfaces may incorporate React-based components
- Early scanning and exploitation attempts originated from IP addresses previously associated with Asia-affiliated threat clusters
In its own analysis of honeypot data, Kaspersky said it recorded over 35,000 exploitation attempts on a single day on December 10, 2025, with the attackers first probing the system by running commands like whoami, before dropping cryptocurrency miners or botnet malware families like Mirai/Gafgyt variants and RondoDox.
Some of the other observed payloads include Cobalt Strike beacons, Sliver, Fast Reverse Proxy (FRP), a monitoring tool named Nezha, a Node.js payload that harvests sensitive files and weaponizes TruffleHog and Gitleaks to collect secrets, and a Go-based backdoor with reverse shell, reconnaissance, and command-and-control (C2) capabilities.
In parallel, React2Shell is estimated to have produced over 140 in-the-wild proof-of-concept exploits of varying quality, with about half of them broken, misleading, or otherwise unusable, per VulnCheck. The remaining exploit repositories contain logic to load in-memory web shells like Godzilla, scan for the flaw, and even deploy a lightweight web application firewall (WAF) to block malicious payloads.
Security researcher Rakesh Krishnan has also discovered an open directory hosted on “154.61.77[.]105:8082” that includes a proof-of-concept (PoC) exploit script for CVE-2025–55182 along with two other files –
- “domains.txt,” which contains a list of 35,423 domains
- “next_target.txt,” which contains a list of 596 URLs, including companies like Dia Browser, Starbucks, Porsche, and Lululemon
It has been assessed that the unidentified threat actor is actively scanning the internet based on targets added to the second file, infecting hundreds of pages in the process.
Cybersecurity and cyber insurance company Coalition has likened React2Shell to the 2021 Log4Shell vulnerability (CVE-2021-44228), describing it as a “systemic cyber risk aggregation event.”
According to the latest data from The Shadowserver Foundation, there are more than 137,200 internet-exposed IP addresses running vulnerable code as of December 11, 2025. Of these, over 88,900 instances are located in the U.S., followed by Germany (10,900), France (5,500), and India (3,600).
