React2Shell Global Cybersecurity Emergency Unfolds

Key Takeaways

  • The React2Shell vulnerability, tracked as CVE-2025-55182, is a critical flaw that affects the React Server Components (RSC) Flight protocol and other frameworks, including Next.js, Waku, Vite, React Router, and RedwoodSDK.
  • The vulnerability allows an attacker to inject malicious logic that the server executes in a privileged context, with no authentication requirement, user interaction, or elevated permissions involved.
  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged federal agencies to patch the vulnerability by December 12, 2025, amid reports of widespread exploitation.
  • The flaw has been exploited by multiple threat actors to engage in reconnaissance efforts and deliver a wide range of malware families, with over 137,200 internet-exposed IP addresses running vulnerable code as of December 11, 2025.

Introduction to the Vulnerability
The React2Shell vulnerability is a critical flaw that affects the React Server Components (RSC) Flight protocol and other frameworks, including Next.js, Waku, Vite, React Router, and RedwoodSDK. The underlying cause of the issue is an unsafe deserialization that allows an attacker to inject malicious logic that the server executes in a privileged context. This means that an attacker can execute arbitrary, privileged JavaScript on the affected server, with no authentication requirement, user interaction, or elevated permissions involved. The vulnerability was publicly disclosed on December 3, 2025, and has since been exploited by multiple threat actors in various campaigns.

Exploitation and Attacks
Since its public disclosure, the React2Shell vulnerability has been exploited by multiple threat actors to engage in reconnaissance efforts and deliver a wide range of malware families. According to Cloudforce One, Cloudflare’s threat intelligence team, a single, specially crafted HTTP request is sufficient to exploit the vulnerability, with no authentication requirement, user interaction, or elevated permissions involved. The team has observed a "rapid wave of opportunistic exploitation" of the flaw, with a vast majority of the attacks targeting internet-facing Next.js applications and other containerized workloads running in Kubernetes and managed cloud services. The observed activity has also targeted, albeit more selectively, government (.gov) websites, academic research institutions, and critical-infrastructure operators.

Targeting and Reconnaissance
The attackers have conducted searches using internet-wide scanning and asset discovery platforms to find exposed systems running React and Next.js applications. Notably, some of the reconnaissance efforts have excluded Chinese IP address spaces from their searches. The highest-density probing occurred against networks in Taiwan, Xinjiang Uyghur, Vietnam, Japan, and New Zealand – regions frequently associated with geopolitical intelligence collection priorities. The attackers have also targeted high-sensitivity technology targets such as enterprise password managers and secure-vault services, likely with the goal of perpetrating supply chain attacks. Additionally, they have targeted edge-facing SSL VPN appliances whose administrative interfaces may incorporate React-based components.

Payloads and Exploits
The attackers have dropped various payloads, including cryptocurrency miners, botnet malware families such as Mirai/Gafgyt variants and RondoDox, Cobalt Strike beacons, Sliver, Fast Reverse Proxy (FRP), and a monitoring tool named Nezha. Kaspersky recorded over 35,000 exploitation attempts on December 10, 2025 alone, with the attackers first probing the system by running commands like whoami before dropping malware. React2Shell is estimated to have produced over 140 in-the-wild proof-of-concept exploits of varying quality, with about half of them broken, misleading, or otherwise unusable. The remaining exploit repositories contain logic to load in-memory web shells like Godzilla, scan for the flaw, and even deploy a lightweight web application firewall (WAF) to block malicious payloads.

Conclusion and Recommendations
The React2Shell vulnerability is a critical flaw that affects the React Server Components (RSC) Flight protocol and other frameworks, including Next.js, Waku, Vite, React Router, and RedwoodSDK. The vulnerability has been exploited by multiple threat actors to engage in reconnaissance efforts and deliver a wide range of malware families. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged federal agencies to patch the vulnerability by December 12, 2025, amid reports of widespread exploitation. It is essential for organizations to patch the vulnerability as soon as possible to prevent exploitation and protect their systems from malicious attacks. Additionally, organizations should monitor their systems for any suspicious activity and implement security measures such as web application firewalls (WAFs) to block malicious payloads.
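Patching starts with knowing where the affected code is installed, and the RSC runtime is often pulled in transitively (for example as a nested dependency of Next.js). The following inventory script is an added example, not code from the article or from any vendor; it reads an npm lockfile (lockfileVersion 2 or 3) and lists every installed copy of the packages that implement the Flight protocol or the frameworks the article names, so the versions can be compared with the vendor advisory for CVE-2025-55182. The npm package names in WATCHED and the sample lockfile contents are assumptions constructed for the demonstration.

```javascript
// Added example: inventory RSC-related packages in a package-lock.json so their
// versions can be checked against the CVE-2025-55182 advisory.
// Assumes lockfileVersion 2 or 3 (the "packages" map keyed by install path).
// Package names below are assumed npm names for the frameworks the article lists.
const WATCHED = new Set([
  "react-server-dom-webpack",
  "react-server-dom-turbopack",
  "react-server-dom-parcel",
  "next",
  "waku",
  "react-router",
  "rwsdk",
]);

// Derive the package name (including any @scope/) from a lockfile key such as
// "node_modules/next/node_modules/react-server-dom-webpack".
function packageName(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Return every installed copy (direct or nested) of a watched package,
// sorted by install path so nested copies appear under their parent.
function findRscPackages(lockfile) {
  const found = [];
  for (const [key, meta] of Object.entries(lockfile.packages || {})) {
    if (key === "") continue; // the root project entry, not a dependency
    const name = packageName(key);
    if (name && WATCHED.has(name) && meta.version) {
      found.push({ path: key, name, version: meta.version });
    }
  }
  return found.sort((a, b) => a.path.localeCompare(b.path));
}

// Constructed sample lockfile (versions are placeholders, not real advisory data):
// a Next.js app that carries a nested copy of the RSC runtime.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.1.0" },
    "node_modules/next": { version: "0.0.0-sample" },
    "node_modules/next/node_modules/react-server-dom-webpack": { version: "0.0.0-sample" },
    "node_modules/react": { version: "0.0.0-sample" },
    "node_modules/react-router": { version: "0.0.0-sample" },
  },
};

for (const p of findRscPackages(SAMPLE_LOCK)) {
  console.log(`${p.name}@${p.version}  (${p.path})`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; note that react itself is not in WATCHED because the unsafe deserialization lives in the server-side Flight packages, not the client library.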
