- The U.S. Cybersecurity and Infrastructure Security Agency has mandated federal agencies to patch the React2Shell vulnerability by December 12, 2025.
- React2Shell (CVE-2025-55182) is a critical remote code execution flaw in the React Server Components Flight protocol and affects multiple popular JavaScript frameworks.
- Threat actors are actively exploiting this vulnerability, with high targeting of internet-facing Next.js applications and cloud workloads.
- Scanning and attacks have focused on regions linked to geopolitical interests and critical infrastructure, including government and research institutions.
- More than 137,200 internet-exposed systems remain vulnerable worldwide, with over 88,900 located in the United States as of early December 2025.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive for federal agencies to apply patches for the React2Shell vulnerability by December 12, 2025. This critical security flaw, tracked as CVE-2025-55182 with a maximum CVSS score of 10.0, affects the React Server Components (RSC) Flight protocol and enables attackers to execute arbitrary code on affected servers. The vulnerability also impacts frameworks such as Next.js, Waku, Vite, React Router, and RedwoodSDK.
The root cause of React2Shell is unsafe deserialization, allowing an attacker to send a single specially crafted HTTP request—without needing authentication or user interaction—to run privileged JavaScript on vulnerable servers. Cloudflare‘s threat intelligence team explained that this flaw grants attackers remote code execution capabilities, which has led to widespread exploitation since the vulnerability was publicly disclosed on December 3, 2025.
Multiple threat actors have launched campaigns exploiting the flaw for reconnaissance and delivering various Malware types, including cryptocurrency miners and botnets like Mirai and Gafgyt. Wiz reported a rapid increase in opportunistic exploitation, mainly targeting publicly accessible Next.js applications and containerized workloads in Kubernetes and managed cloud environments.
Cloudflare noted that attackers use internet-wide scanning tools to identify exposed systems running React and Next.js. Scanning has notably omitted Chinese IP addresses and focused heavily on networks in Taiwan, Xinjiang, Vietnam, Japan, and New Zealand—regions often tied to geopolitical intelligence efforts. Targeted entities also include government websites, academic institutions, critical infrastructure operators, and national authorities managing sensitive imports and exports.
Further findings include attacks on high-sensitivity technology targets like enterprise password managers, edge-facing SSL VPN appliances with React-based interfaces, and the presence of initial scanning activity from IP addresses linked to Asia-affiliated threat groups. According to analysis from Kaspersky, over 35,000 exploitation attempts were observed on a single day, December 10, 2025.
Security researcher Rakesh Krishnan identified an open directory Hosting proof-of-concept exploit code alongside lists containing over 35,000 domains and nearly 600 targeted URLs, suggesting active scanning and infection campaigns. Data from The Shadowserver Foundation indicates more than 137,200 vulnerable internet-facing IP addresses globally, with the highest counts in the United States (88,900), Germany (10,900), France (5,500), and India (3,600).
The escalating exploitation led CISA to add this vulnerability to its Known Exploited Vulnerabilities catalog, initially setting a remediation deadline of December 26, 2025, which was later moved forward to December 12, reflecting the critical nature of the threat. Details and advisories regarding this vulnerability can be found on the official CISA alert and through expert analysis from Cloudflare, Wiz, and Kaspersky.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
