The critical vulnerability, tracked as CVE-2025-55182 with a CVSS score of 10.0, affects the React Server Components (RSC) Flight protocol. The root of the problem is an unsafe deserialization process that allows an attacker to inject malicious logic, which the server then executes in a privileged context. Beyond React, this issue also impacts other popular web development frameworks, including Next.js, Waku, Vite, React Router, and RedwoodSDK.
Cloudforce One, Cloudflare’s threat intelligence team, described the ease of exploitation, stating that a single, specially crafted HTTP request is enough to trigger the vulnerability. Crucially, successful exploitation requires no prior authentication, user interaction, or elevated permissions. Once the attack succeeds, the adversary gains the ability to execute arbitrary, privileged JavaScript commands directly on the compromised server.
Since the public disclosure of the flaw on December 3, 2025, multiple distinct threat actors have been leveraging this shortcoming in various malicious campaigns. These attacks have included engaging in reconnaissance to map out targeted networks and delivering a wide variety of malware families to gain persistent access or further compromise systems.
The immediate and severe threat posed by the vulnerability prompted CISA to quickly add it to its Known Exploited Vulnerabilities catalog. Initially, federal agencies were given a deadline of December 26 to apply the necessary fixes. However, the deadline was rapidly revised and accelerated to December 12, 2025, which underscores the extreme severity of the incident and the urgent need to mitigate the threat.
Cloud security firm Wiz reported observing a “rapid wave of opportunistic exploitation” targeting this flaw. They noted that the vast majority of these observed attacks are specifically aimed at internet-facing Next.js applications and other containerized workloads that are running in Kubernetes environments and various managed cloud services.
Source: React2Shell Exploitation Escalates Into Large Scale Global Attacks