React2shell Exploitation Escalates Into Large-scale Global Attacks,...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged federal agencies to patch the recent React2Shell vulnerability by December 12, 2025, amid reports of widespread exploitation.

The critical vulnerability, tracked as CVE-2025-55182 (CVSS score: 10.0), affects the React Server Components (RSC) Flight protocol. The underlying cause of the issue is an unsafe deserialization that allows an attacker to inject malicious logic that the server executes in a privileged context. It also affects other frameworks, including Next.js, Waku, Vite, React Router, and RedwoodSDK.

"A single, specially crafted HTTP request is sufficient; there is no authentication requirement, user interaction, or elevated permissions involved," Cloudforce One, Cloudflare's threat intelligence team, said. "Once successful, the attacker can execute arbitrary, privileged JavaScript on the affected server."

Since its public disclosure on December 3, 2025, the shortcoming has been exploited by multiple threat actors in various campaigns to engage in reconnaissance efforts and deliver a wide range of malware families.

The development prompted CISA to add it to its Known Exploited Vulnerabilities catalog last Friday, giving federal agencies until December 26 to apply the fixes. The deadline has since been revised to December 12, 2025, an indication of the severity of the incident.

Cloud security company Wiz said it has observed a "rapid wave of opportunistic exploitation" of the flaw, with a vast majority of the attacks targeting internet-facing Next.js applications and other containerized workloads running in Kubernetes and managed cloud services.

Cloudflare, which is also tracking ongoing exploitation activity, said threat actors have conducted searches using internet-wide scanning and asset discovery platforms to find exposed systems running React and Next.js applications. Notably, some of the reconnaissance efforts have excluded Chinese IP address spaces from their searches.

"Their highest-density probing occurred against networks in Taiwan, Xinjiang Uyghur, Vietnam, Japan, and New Zealand – regions frequently associated with geopolitical intelligence collection priorities," the web infrastructure company said.

The observed activity is also said to have targeted, albeit more selectively, government (.gov) websites, academic research institutions, and critical‑infrastructure operators. This included a national authority responsible for the import and export of uran

Source: The Hacker News