The U.S. Cybersecurity and Infrastructure Security Agency has urged federal agencies to apply patches for the critical React2Shell vulnerability by December 12, 2025, after the flaw was added to its Known Exploited Vulnerabilities catalog and the remediation deadline was later revised. Tracked as CVE-2025-55182 with a CVSS score of 10.0, the vulnerability affects the React Server Components Flight protocol and stems from unsafe deserialization that can let an attacker inject code executed by the server; other affected projects include Next.js, Waku, Vite, React Router and RedwoodSDK.
Cloudflare’s Cloudforce One has warned that a single specially crafted HTTP request is sufficient to exploit the flaw without authentication or user interaction, allowing attackers to execute arbitrary, privileged JavaScript on vulnerable servers, and is tracking ongoing exploitation activity.
Security firms have reported rapid, opportunistic exploitation since the vulnerability’s public disclosure in early December. Wiz said most activity has focused on internet-facing Next.js applications and containerised workloads running in Kubernetes and managed cloud services, while multiple campaigns have been observed delivering a variety of malware families.
Cloudflare’s analysis shows widespread scanning and asset discovery to locate exposed React and Next.js systems, with some probes excluding Chinese IP address ranges. The highest-density probing was seen against networks in Taiwan, Xinjiang Uyghur, Vietnam, Japan and New Zealand, and activity has also been observed against government websites, academic institutions and critical infrastructure, including a national authority involved in the import and export of uranium, rare metals and nuclear fuel.
Honeypot data reported by Kaspersky recorded tens of thousands of exploitation attempts in a single day, with initial probes running commands such as whoami before dropping cryptocurrency miners, botnet variants and other malware. A security researcher has discovered an open directory containing a proof-of-concept exploit and target lists, and The Shadowserver Foundation's data shows more than 137,200 internet-exposed IP addresses running vulnerable code as of December 11, with over 88,900 of those instances located in the United States.
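Because the affected projects listed above (React Server Components via the react packages, Next.js, Waku, Vite, React Router) are all npm dependencies, the first defensive step is an inventory of which internal applications declare them and at what version. The following triage script is an added example written for this article, not code from CISA, Cloudflare, Wiz, Kaspersky, Shadowserver or any of the affected projects. It walks a source tree for package.json manifests, flags the affected package names, and compares declared versions against a threshold table. The article does not state the patched version numbers, so that table starts with None entries (meaning "review manually") and the DEMO_THRESHOLDS values used for the sample run are hypothetical, not the real fixed versions; the sample manifest is likewise constructed.

```python
"""Dependency inventory triage for React2Shell (CVE-2025-55182).

Added example, not from the article or any vendor: walks a source tree for
package.json files and flags projects that declare any of the frameworks the
advisory names. Patched version numbers are NOT stated in the article, so the
threshold table below starts with None ("needs manual review") and must be
filled from the vendor advisories before the "below-fixed" verdict means anything.
"""
import json
import os
import re
from typing import Dict, List, Optional, Tuple

# Package names taken from the article's list of affected projects. None means
# "patched version unknown, review manually"; replace with real fixed versions.
AFFECTED_PACKAGES: Dict[str, Optional[str]] = {
    "react": None,
    "react-dom": None,
    "next": None,
    "waku": None,
    "vite": None,
    "react-router": None,
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(spec: str) -> Optional[Tuple[int, int, int]]:
    """Pull (major, minor, patch) out of a semver spec such as '^19.1.0' or '~15.0.3'.

    Returns None for specs with no concrete version ('latest', 'workspace:*');
    the caller must treat those as unresolved, never as safe.
    """
    m = _VERSION_RE.search(spec)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess_package_json(doc: dict,
                        thresholds: Dict[str, Optional[str]] = AFFECTED_PACKAGES) -> List[dict]:
    """Return one finding per affected framework declared in a package.json document."""
    findings: List[dict] = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in doc.get(section, {}).items():
            if name not in thresholds:
                continue
            declared = parse_version(str(spec))
            fixed_spec = thresholds[name]
            fixed = parse_version(fixed_spec) if fixed_spec else None
            if declared is None:
                status = "unresolved-version"   # need the lockfile to decide
            elif fixed is None:
                status = "review"               # fixed version not yet entered
            elif declared < fixed:
                status = "below-fixed"
            else:
                status = "at-or-above-fixed"
            findings.append({"package": name, "section": section,
                             "spec": spec, "status": status})
    return findings


def scan_tree(root: str,
              thresholds: Dict[str, Optional[str]] = AFFECTED_PACKAGES) -> Dict[str, List[dict]]:
    """Walk `root`, skipping node_modules, and assess every package.json found."""
    results: Dict[str, List[dict]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]
        if "package.json" not in filenames:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                doc = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep sweeping
        findings = assess_package_json(doc, thresholds)
        if findings:
            results[path] = findings
    return results


def worst_status(findings: List[dict]) -> str:
    """Collapse a project's findings to the single status that drives triage priority."""
    order = ["below-fixed", "unresolved-version", "review", "at-or-above-fixed"]
    present = {f["status"] for f in findings}
    for status in order:
        if status in present:
            return status
    return "not-affected"


# Constructed sample manifest (not a real project) to show the output shape.
SAMPLE_MANIFEST = {
    "name": "sample-app",
    "dependencies": {"next": "^15.0.3", "react": "^19.1.0",
                     "react-dom": "^19.1.0", "lodash": "^4.17.21"},
    "devDependencies": {"vite": "latest"},
}
# Hypothetical thresholds for the demo only; NOT the real fixed versions.
DEMO_THRESHOLDS: Dict[str, Optional[str]] = {
    "next": "15.0.4", "react": "19.1.1", "react-dom": None, "vite": "6.0.0",
}

if __name__ == "__main__":
    demo = assess_package_json(SAMPLE_MANIFEST, DEMO_THRESHOLDS)
    for finding in demo:
        print(finding)
    print("priority:", worst_status(demo))
```

Run it against a checkout root with `scan_tree("/path/to/repos")` and sort projects by `worst_status`; anything reporting `unresolved-version` needs the lockfile (package-lock.json, pnpm-lock.yaml or yarn.lock) consulted before it can be cleared, and a `review` status simply means the threshold table has not been filled in yet for that package.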