The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has directed federal agencies to patch the critical React2Shell vulnerability by December 12, 2025, citing widespread exploitation by multiple threat actors. The flaw, tracked as CVE-2025-55182 and rated CVSS 10.0, affects the React ecosystem and the JavaScript frameworks built on it.
React2Shell lies in the React Server Components (RSC) Flight protocol, where unsafe deserialization of attacker-controlled data lets a remote attacker execute arbitrary JavaScript with the privileges of the server process. No authentication, user interaction, or prior access is required. Frameworks that build on or bundle RSC, including Next.js, Waku, Vite, React Router, and RedwoodSDK, inherit the flaw, which greatly widens the exposed surface.
Widespread Exploitation of React2Shell Vulnerability
The severity of React2Shell is reflected in how quickly it was added to CISA’s Known Exploited Vulnerabilities catalog. Cloudflare reports that malicious actors have been exploiting the flaw since its public disclosure on December 3, 2025, both for reconnaissance and to deploy a wide range of malware.
Cloud security company Wiz has likewise observed a “rapid wave of opportunistic exploitation.” Most attacks target internet-facing Next.js applications, particularly those running in containerized environments such as Kubernetes and in managed cloud services, which reflects how widely the vulnerable packages are deployed.
Attacker Tactics and Targets
According to Cloudflare, threat actors are using internet-wide scanning and asset-discovery platforms to find exposed systems running React and Next.js applications. Notably, some reconnaissance appears to exclude Chinese IP address space, which could point to operational security measures or targeting preferences on the attackers’ part.
The highest densities of probing activity have been observed against networks in Taiwan, Xinjiang, Vietnam, Japan, and New Zealand. Cloudflare notes that these regions are often associated with geopolitical intelligence-collection priorities, suggesting a state-sponsored element to some of the activity.
Beyond those regions, attackers have selectively targeted government (.gov) websites, academic research institutions, and critical infrastructure operators. One identified target was a national authority responsible for the import and export of sensitive materials such as uranium, rare metals, and nuclear fuel.
Cloudflare’s analysis further shows attackers prioritizing high-sensitivity technology targets, including enterprise password managers and secure-vault services, which suggests an intent to stage supply chain attacks. Edge-facing SSL VPN appliances with React-based administrative interfaces have also been hit. Early exploitation attempts have been traced to IP addresses previously linked to Asia-affiliated threat clusters.
Depth of Exploitation and Impact
Kaspersky’s honeypot data shows the volume of exploitation attempts, with more than 35,000 recorded on a single day, December 10, 2025. Initial probes typically run a simple command such as “whoami” to confirm code execution and learn which account the server process runs under, before more sophisticated payloads follow. Those payloads have included cryptocurrency miners and botnet malware such as Mirai/Gafgyt variants and RondoDox.
Security researcher Rakesh Krishnan discovered an open directory containing a proof-of-concept (PoC) exploit script for CVE-2025-55182 alongside a list of 35,423 domains and 596 specific URLs, among them well-known entities such as Dia Browser, Starbucks, Porsche, and Lululemon. This suggests the threat actor is scanning the internet and working through these lists to compromise targets at scale.
The exposure is global. As of December 11, 2025, The Shadowserver Foundation reported more than 137,200 internet-exposed IP addresses running vulnerable code. The United States accounts for the largest share, with over 88,900 instances, followed by Germany (10,900), France (5,500), and India (3,600). This broad geographic distribution calls for patching efforts on the same scale.
CISA’s revised deadline of December 12, 2025, for federal agencies underscores the critical nature of the vulnerability. Given the ongoing exploitation and the number of affected frameworks, organizations relying on React and related frameworks should patch immediately, and should verify that every installed copy of the vulnerable packages, including nested copies pulled in by a framework dependency, has actually been updated.
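The following is an added example, not code from the article or from the React or Next.js projects. It audits an npm package-lock.json for every installed copy of the packages that ship the React Server Components Flight deserializer, including nested copies under a framework's own node_modules that a top-level inventory can miss. The package names and the FIXED_VERSIONS thresholds are assumptions made for this example; take the real affected and fixed versions from the vendor advisories for CVE-2025-55182 before relying on the output. The sample lock file is constructed.

```javascript
// Added example (not from the article, React, or Next.js): flag installed copies
// of RSC Flight packages that are older than an assumed fixed version.
//
// ASSUMPTION: package names and FIXED_VERSIONS below are placeholders for this
// example; confirm the real affected/fixed versions for CVE-2025-55182 from the
// React and Next.js advisories before acting on the result.

// Hypothetical per-release-line fix thresholds, keyed by "major.minor".
// A copy whose release line is not listed is reported as "unknown" rather
// than silently treated as safe.
const FIXED_VERSIONS = {
  "react-server-dom-webpack":   { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" },
  "react-server-dom-turbopack": { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" },
  "react-server-dom-parcel":    { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" },
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts; null if not semver.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Comparator returning <0, 0, >0. A prerelease sorts below the same release,
// so "19.1.2-canary" is still considered older than "19.1.2".
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Walk every entry of a lockfile v2/v3 "packages" map. Paths such as
// node_modules/next/node_modules/react-server-dom-webpack are nested copies
// that must be patched too; the package name is the last node_modules segment.
function auditLock(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    const lines = FIXED_VERSIONS[name];
    if (!lines || !entry.version) continue;
    const parsed = parseVersion(entry.version);
    const fixed = parsed ? lines[`${parsed.major}.${parsed.minor}`] : undefined;
    let status = "unknown";
    if (parsed && fixed) {
      status = compareVersions(entry.version, fixed) < 0 ? "vulnerable" : "fixed";
    }
    findings.push({ path, name, version: entry.version, status, fixed: fixed || null });
  }
  return findings;
}

// Read and audit a lock file from disk (CommonJS; `require` is loaded lazily so
// auditLock() stays usable when this file is imported as a library).
function auditLockFile(file) {
  const fs = require("fs");
  return auditLock(JSON.parse(fs.readFileSync(file, "utf8")));
}

// Constructed sample lock file (not a real project): a hoisted patched copy,
// a nested unpatched copy pulled in by a framework, and a canary build on a
// release line the threshold table does not know about.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/react": { version: "19.1.2" },
    "node_modules/react-server-dom-webpack": { version: "19.1.2" },
    "node_modules/next": { version: "15.5.0" },
    "node_modules/next/node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/react-server-dom-turbopack": { version: "19.3.0-canary-abc123" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const findings = file ? auditLockFile(file) : auditLock(SAMPLE_LOCK);
  for (const f of findings) {
    console.log(`${f.status.padEnd(10)} ${f.path} ${f.version}` + (f.fixed ? ` (fixed in ${f.fixed})` : ""));
  }
  // Non-zero exit for CI when a real lock file contains a vulnerable copy.
  if (file && findings.some((f) => f.status === "vulnerable")) process.exitCode = 1;
}
```

Run as `node audit-rsc.js path/to/package-lock.json` to audit a real project; with no argument it audits the constructed sample and reports the nested copy under node_modules/next as vulnerable, the hoisted copy as fixed, and the canary build as unknown. An "unknown" result is deliberate: a version the table cannot place should be checked by hand, not assumed safe.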