The U.S. Cybersecurity and Infrastructure Safety Company (CISA) has urged federal businesses to patch the current React2Shell vulnerability by December 12, 2025, amid experiences of widespread exploitation.
The crucial vulnerability, tracked as CVE-2025-55182 (CVSS rating: 10.0), impacts the React Server Parts (RSC) Flight protocol. The underlying reason behind the difficulty is an unsafe deserialization that permits an attacker to inject malicious logic that the server executes in a privileged context. It additionally impacts different frameworks, together with Subsequent.js, Waku, Vite, React Router, and RedwoodSDK.
“A single, specifically crafted HTTP request is enough; there isn’t a authentication requirement, consumer interplay, or elevated permissions concerned,” Cloudforce One, Cloudflare’s risk intelligence group, mentioned. “As soon as profitable, the attacker can execute arbitrary, privileged JavaScript on the affected server.”
Since its public disclosure on December 3, 2025, the shortcoming has been exploited by a number of risk actors in numerous campaigns to interact in reconnaissance efforts and ship a variety of malware households.
The event prompted CISA so as to add it to its Recognized Exploited Vulnerabilities catalog final Friday, giving federal businesses till December 26 to use the fixes. The deadline has since been revised to December 12, 2025, a sign of the severity of the incident.
Cloud safety firm Wiz mentioned it has noticed a “speedy wave of opportunistic exploitation” of the flaw, with a overwhelming majority of the assaults concentrating on internet-facing Subsequent.js functions and different containerized workloads working in Kubernetes and managed cloud providers.
 |
| Picture Supply: Cloudflare |
Cloudflare, which can also be monitoring ongoing exploitation exercise, mentioned risk actors have carried out searches utilizing internet-wide scanning and asset discovery platforms to search out uncovered methods working React and Subsequent.js functions. Notably, among the reconnaissance efforts have excluded Chinese language IP tackle areas from their searches.
“Their highest-density probing occurred in opposition to networks in Taiwan, Xinjiang Uyghur, Vietnam, Japan, and New Zealand – areas continuously related to geopolitical intelligence assortment priorities,” the online infrastructure firm mentioned.
The noticed exercise can also be mentioned to have focused, albeit extra selectively, authorities (.gov) web sites, educational analysis establishments, and demanding‑infrastructure operators. This included a nationwide authority liable for the import and export of uranium, uncommon metals, and nuclear gas.
Among the different notable findings are listed under –
- Prioritizing excessive‑sensitivity expertise targets resembling enterprise password managers and safe‑vault providers, probably with the objective of perpetrating provide chain assaults
- Concentrating on edge‑dealing with SSL VPN home equipment whose administrative interfaces might incorporate React-based parts
- Early scanning and exploitation makes an attempt originated from IP addresses beforehand related to Asia-affiliated risk clusters
In its personal evaluation of honeypot information, Kaspersky mentioned it recorded over 35,000 exploitation makes an attempt on a single day on December 10, 2025, with the attackers first probing the system by working instructions like whoami, earlier than dropping cryptocurrency miners or botnet malware households like Mirai/Gafgyt variants and RondoDox.
Among the different noticed payloads embody Cobalt Strike beacons, Sliver, Quick Reverse Proxy (FRP), a monitoring software named Nezha, a Node.js payload that harvests delicate recordsdata and weaponizes TruffleHog and Gitleaks to gather secrets and techniques, and a Go-based backdoor with reverse shell, reconnaissance, and command-and-control (C2) capabilities.
In parallel, React2Shell is estimated to have produced over 140 in-the-wild proof-of-concept exploits of various high quality, with about half of them damaged, deceptive, or in any other case unusable, per VulnCheck. The remaining exploit repositories include logic to load in-memory net shells like Godzilla, scan for the flaw, and even deploy a light-weight net software firewall (WAF) to dam malicious payloads.
Safety researcher Rakesh Krishnan has additionally found an open listing hosted on “154.61.77[.]105:8082” that features a proof-of-concept (PoC) exploit script for CVE-2025–55182 together with two different recordsdata –
- “domains.txt,” which incorporates an inventory of 35,423 domains
- “next_target.txt,” which incorporates an inventory of 596 URLs, together with firms like Dia Browser, Starbucks, Porsche, and Lululemon
It has been assessed that the unidentified risk actor is actively scanning the web based mostly on targets added to the second file, infecting a whole lot of pages within the course of.
Cybersecurity and cyber insurance coverage firm Coalition has likened React2Shell to the 2021 Log4Shell vulnerability (CVE-2021-44228), describing it as a “systemic cyber danger aggregation occasion.”
In accordance with the newest information from The Shadowserver Basis, there are greater than 137,200 internet-exposed IP addresses working weak code as of December 11, 2025. Of those, over 88,900 cases are positioned within the U.S., adopted by Germany (10,900), France (5,500), and India (3,600).
Elevate your perspective with NextTech Information, the place innovation meets perception.
Uncover the newest breakthroughs, get unique updates, and join with a worldwide community of future-focused thinkers.
Unlock tomorrow’s developments right now: learn extra, subscribe to our e-newsletter, and turn out to be a part of the NextTech group at NextTech-news.com
