The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged federal agencies to patch the recent React2Shell vulnerability by December 12, 2025, amid reports of widespread exploitation.
The critical vulnerability, tracked as CVE-2025-55182 (CVSS score: 10.0), affects the React Server Components (RSC) Flight protocol. The underlying cause of the issue is an unsafe deserialization that allows an attacker to inject malicious logic that the server executes in a privileged context. It also affects other frameworks, including Next.js, Waku, Vite, React Router, and RedwoodSDK.
“A single, specially crafted HTTP request is sufficient; there is no authentication requirement, user interaction, or elevated permissions involved,” Cloudforce One, Cloudflare’s threat intelligence team, said. “Once successful, the attacker can execute arbitrary, privileged JavaScript on the affected server.”
Since its public disclosure on December 3, 2025, the shortcoming has been exploited by multiple threat actors in various campaigns to engage in reconnaissance efforts and deliver a wide range of malware families.
The development prompted CISA to add it to its Known Exploited Vulnerabilities catalog last Friday, giving federal agencies until December 26 to apply the fixes. The deadline has since been revised to December 12, 2025, an indication of the severity of the incident.
Cloud security company Wiz said it has observed a “rapid wave of opportunistic exploitation” of the flaw, with a vast majority of the attacks targeting internet-facing Next.js applications and other containerized workloads running in Kubernetes and managed cloud services.
 |
| Image Source: Cloudflare |
Cloudflare, which is also tracking ongoing exploitation activity, said threat actors have conducted searches using internet-wide scanning and asset discovery platforms to find exposed systems running React and Next.js applications. Notably, some of the reconnaissance efforts have excluded Chinese IP address spaces from their searches.
“Their highest-density probing occurred against networks in Taiwan, Xinjiang Uyghur, Vietnam, Japan, and New Zealand – regions frequently associated with geopolitical intelligence collection priorities,” the web infrastructure company said.
The observed activity is also said to have targeted, albeit more selectively, government (.gov) websites, academic research institutions, and critical‑infrastructure operators. This included a national authority responsible for the import and export of uranium, rare metals, and nuclear fuel.
Some of the other notable findings are listed below –
- Prioritizing high‑sensitivity technology targets such as enterprise password managers and secure‑vault services, likely with the goal of perpetrating supply chain attacks
- Targeting edge‑facing SSL VPN appliances whose administrative interfaces may incorporate React-based components
- Early scanning and…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
