


Perceptive Security
SOC/SIEM Consultancy

React2Shell Exploitation Escalates into Large-Scale Global Attacks, Forcing Emergency Mitigation
Published:
12 December 2025 at 08:41:00
Alert date:
12 December 2025 at 09:01:40
Source:
thehackernews.com
The U.S. CISA has issued an urgent directive for federal agencies to patch the critical React2Shell vulnerability (CVE-2025-55182) by December 12, 2025, due to widespread active exploitation. The vulnerability affects the React Server Components Flight protocol, carries the maximum CVSS score of 10.0, and is caused by unsafe deserialization. Exploitation has escalated to large-scale global attacks, prompting emergency mitigation measures. This is a critical threat that requires immediate patching across affected systems.
Technical details
The React2Shell vulnerability (CVE-2025-55182) affects the React Server Components (RSC) Flight protocol. The underlying cause is unsafe deserialization, which allows attackers to inject malicious logic that the server executes in a privileged context. A single, specially crafted HTTP request is sufficient; no authentication, user interaction, or elevated permissions are needed. Once successful, attackers can execute arbitrary, privileged JavaScript on the affected server. Over 35,000 exploitation attempts were recorded on a single day (December 10, 2025), with attackers first probing systems by running commands like 'whoami' before dropping cryptocurrency miners or botnet malware.
Mitigation steps:
CISA has urged federal agencies to patch the React2Shell vulnerability by December 12, 2025 (deadline revised from December 26). Organizations should apply fixes immediately, monitor for exploitation attempts, and scan for vulnerable React and Next.js applications. Over 137,200 internet-exposed IP addresses are running vulnerable code as of December 11, 2025.
Affected products:
React Server Components (RSC)
Next.js
Waku
Vite
React Router
RedwoodSDK
Related links:
https://www.cisa.gov/news-events/alerts/2025/12/05/cisa-adds-one-known-exploited-vulnerability-catalog
https://thehackernews.com/2025/12/critical-rsc-bugs-in-react-and-nextjs.html
https://blog.cloudflare.com/react2shell-rsc-vulnerabilities-exploitation-threat-brief/
https://thehackernews.com/2025/12/north-korea-linked-actors-exploit.html
https://thehackernews.com/2025/12/react2shell-exploitation-delivers.html
https://thehackernews.com/2025/12/threatsday-bulletin-spyware-alerts.html#botnets-exploit-react-flaw
https://thehackernews.com/2025/12/critical-react2shell-flaw-added-to-cisa.html
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2025-55182
https://www.wiz.io/blog/nextjs-cve-2025-55182-react2shell-deep-dive
https://securelist.com/cve-2025-55182-exploitation/118331/
https://theravenfile.com/2025/12/12/react2shell-exploitation-in-the-wild/
https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=7&source=http_vulnerable&source=http_vulnerable6&tag=cve-2025-55182%2B&dataset=unique_ips&limit=100&group_by=geo&stacking=stacked&auto_update=on
https://dashboard.shadowserver.org/statistics/combined/tree/?date_range=1&source=http_vulnerable&source=http_vulnerable6&tag=cve-2025-55182%2B&data_set=count&scale=log&auto_update=on
IOCs:
154.61.77[.]105:8082
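A small hunt for the two behaviours this alert describes (a 'whoami' probe launched by the server runtime, and traffic to the IOC listed above), as an added example that is not part of the original alert. The event schema, the host names and the assumption that the RSC server runs as a process named `node` are hypothetical, and the sample events are constructed.

```python
import json
import re

# IOC exactly as listed on this page (defanged); refanged only for matching.
IOC_DEFANGED = "154.61.77[.]105:8082"

# Constructed sample events in a hypothetical JSON-lines schema (not a real EDR format).
SAMPLE_EVENTS = """\
{"host": "web-01", "type": "process", "parent": "node", "cmdline": "/bin/sh -c whoami"}
{"host": "web-01", "type": "network", "process": "sh", "dest": "154.61.77.105:8082"}
{"host": "web-02", "type": "process", "parent": "bash", "cmdline": "whoami"}
{"host": "web-03", "type": "process", "parent": "node", "cmdline": "cat whoami.txt"}
not-json garbage line
{"host": "web-04", "type": "network", "process": "curl", "dest": "154.61.77.105:443"}
"""

# Match whoami only as a standalone command token, not inside file names.
WHOAMI = re.compile(r"(?<![\w.-])whoami(?![\w.-])")

def refang(indicator):
    """Turn a defanged indicator such as 1.2.3[.]4 back into matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def hunt(lines, ioc=IOC_DEFANGED):
    """Return {host: sorted findings} for the probe and IOC behaviours."""
    target = refang(ioc)
    findings = {}
    for raw in lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the hunt
        if not isinstance(ev, dict):
            continue
        host = ev.get("host", "unknown")
        if (ev.get("type") == "process" and ev.get("parent") == "node"  # assumed runtime name
                and WHOAMI.search(str(ev.get("cmdline", "")))):
            findings.setdefault(host, set()).add("node_spawned_whoami")
        elif ev.get("type") == "network" and ev.get("dest") == target:
            findings.setdefault(host, set()).add("ioc_connection")
    return {h: sorted(f) for h, f in findings.items()}

if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_EVENTS.splitlines()).items():
        severity = "HIGH" if len(hits) == 2 else "REVIEW"
        print(f"{severity} {host}: {', '.join(hits)}")
```

A host showing both findings is the strongest signal; an interactive `whoami` from an administrator's shell (web-02 in the sample) is deliberately not flagged.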
This article was created with the assistance of AI technology by Perceptive.
