React2Shell Vulnerability Sparks Urgent Mitigation Efforts Globally

Published: December 13, 2025
Category: Hot Technology Sectors

Full Transcript

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged federal agencies to patch the React2Shell vulnerability, tracked as CVE-2025-55182, by December 12, 2025, amid widespread reports of exploitation.

This critical vulnerability, with a CVSS score of 10.0, affects the React Server Components Flight protocol and is rooted in unsafe deserialization, allowing attackers to inject malicious logic that the server executes in a privileged context.

The flaw also impacts frameworks including Next.js, Waku, Vite, React Router, and RedwoodSDK. Cloudforce One, Cloudflare's threat intelligence team, stated that a single crafted HTTP request is sufficient to exploit this vulnerability, requiring no authentication, user interaction, or elevated permissions.

Successful exploitation enables attackers to execute arbitrary, privileged JavaScript on the affected server. Following its public disclosure on December 3, 2025, the vulnerability has been exploited by multiple threat actors for reconnaissance and malware delivery.

In response, CISA added React2Shell to its Known Exploited Vulnerabilities catalog, initially giving federal agencies until December 26 to apply fixes; that deadline has since been moved up to December 12, indicating the severity of the situation.

Cloud security company Wiz reported a rapid wave of opportunistic exploitation, with attacks primarily targeting internet-facing Next.js applications and containerized workloads on Kubernetes and managed cloud services.

Cloudflare also reported ongoing exploitation activity, with threat actors using internet-wide scanning to identify exposed systems running React and Next.js applications. Notably, reconnaissance efforts have excluded Chinese IP addresses, focusing instead on networks in Taiwan, Xinjiang Uyghur, Vietnam, Japan, and New Zealand, often associated with geopolitical intelligence collection.

Attacks have also been selectively targeting government websites, academic institutions, and critical infrastructure operators, including a national authority responsible for uranium and nuclear fuel import and export.

Kaspersky recorded over 35,000 exploitation attempts in a single day on December 10, 2025, with attackers probing systems and deploying various malware, including cryptocurrency miners and botnet variants.

React2Shell has spawned over 140 in-the-wild proof-of-concept exploits, with half assessed as broken or unusable. Security researcher Rakesh Krishnan discovered an open directory containing a proof-of-concept exploit script and lists of targeted domains and URLs.

Coalition has compared React2Shell to the 2021 Log4Shell vulnerability, calling it a systemic cyber risk aggregation event. Current data from The Shadowserver Foundation indicates over 137,200 internet-exposed IP addresses running vulnerable code, with the largest concentration in the U.S., followed by Germany, France, and India.