Global React2Shell Attacks Spur Emergency Patching

December 12, 2025 at 12:00 AM

A critical React2Shell flaw is fueling large-scale, real-world attacks, pushing U.S. federal agencies and enterprises worldwide into rapid mitigation mode.

Why it matters: CISA has added CVE-2025-55182 (CVSS 10.0) to its Known Exploited Vulnerabilities catalog and accelerated the deadline for federal remediation to December 12, 2025, underscoring the risk of systemic compromise.

What’s vulnerable: The bug resides in the React Server Components (RSC) Flight protocol and stems from unsafe deserialization, allowing arbitrary, privileged JavaScript execution via a single unauthenticated HTTP request. Impacted ecosystems include React, Next.js, Waku, Vite, React Router, and RedwoodSDK.

Active exploitation at scale: Since public disclosure on December 3, 2025, multiple threat actors have used automated scanning, reconnaissance, and malware delivery across internet-facing apps—especially Next.js running in Kubernetes and managed cloud environments.

Key developments and findings:

  • CISA tightened the compliance window from December 26 to December 12, 2025, reflecting incident severity.
  • Cloudflare reports widespread scans focused on exposed React/Next.js apps, with some campaigns excluding Chinese IP ranges. High-density probing targeted Taiwan, Xinjiang Uyghur, Vietnam, Japan, and New Zealand.
  • Targets extend beyond typical enterprises to select government (.gov) sites, academic research institutions, and critical infrastructure—including a national authority overseeing uranium, rare metals, and nuclear fuel.
  • Wiz notes a "rapid wave of opportunistic exploitation" against internet-facing Next.js workloads.
  • Kaspersky honeypots recorded 35,000+ exploit attempts on December 10 alone, with actors first running reconnaissance commands (e.g., "whoami") before deploying crypto miners and botnets.

Observed payloads and toolchains:

  • Botnets and monetization: Mirai/Gafgyt variants, RondoDox, and crypto miners
  • Post-exploitation: Cobalt Strike, Sliver, Fast Reverse Proxy (FRP), Nezha
  • Data theft and secrets grabbing: A Node.js payload that harvests sensitive files and leverages TruffleHog and Gitleaks
  • Custom backdoors: A Go-based implant with reverse shell, recon, and C2

PoCs and attacker tactics:

  • VulnCheck tracked 140+ in-the-wild proof-of-concept exploits; about half are broken or misleading. Working repos commonly load in-memory web shells like Godzilla, scan for vulnerable endpoints, and even deploy lightweight WAF rules to block competing payloads.
  • Researcher Rakesh Krishnan found an open directory (154.61.77[.]105:8082) hosting a PoC for CVE-2025-55182 plus two lists: "domains.txt" (35,423 domains) and "next_target.txt" (596 URLs spanning well-known brands such as Dia Browser, Starbucks, Porsche, and Lululemon). The actor is actively updating targets and infecting hundreds of pages.

Strategic risk outlook:

  • Coalition compares React2Shell to Log4Shell, calling it a "systemic cyber risk aggregation event."
  • Shadowserver counts 137,200+ internet-exposed IPs running vulnerable code as of December 11, 2025—88,900+ in the U.S., followed by Germany (~10,900), France (~5,500), and India (~3,600).

What to do now:

  • Patch immediately across React/Next.js and related frameworks; prioritize internet-facing and containerized workloads.
  • Inventory RSC/Next.js assets, tighten WAF/edge rules, and restrict administrative interfaces.
  • Monitor for early-stage recon (e.g., "whoami"), in-memory web shells (e.g., Godzilla), suspicious Node.js/Go processes, and scanning from known malicious IPs.
  • Rotate exposed secrets and review CI/CD, vault, and VPN surfaces that may embed React-based components.
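As an added illustration of the monitoring item above (this is example code, not code from the article or any of the vendors it cites), the following Python detector flags recon commands or shells spawned by a Node.js/Next.js server process, run over constructed process-creation events. The set of parent process names treated as Node.js runtimes and the list of recon commands are assumptions chosen for the example.

```python
import json
import os
import shlex

# Recon commands the article reports attackers running first (e.g. "whoami").
RECON_CMDS = {"whoami", "id", "uname", "hostname"}
SHELLS = {"sh", "bash", "dash"}
# Assumed process names of the Node.js runtime / Next.js server (parents to watch).
NODE_RUNTIMES = {"node", "next", "npm", "npx"}

# Constructed sample process-creation events (not real telemetry), one JSON object per line.
SAMPLE_EVENTS = """\
{"host": "web-1", "parent": "node server.js", "pid": 4100, "cmd": "/bin/sh -c whoami"}
{"host": "web-1", "parent": "node server.js", "pid": 4101, "cmd": "node /app/.next/worker.js"}
{"host": "web-2", "parent": "/sbin/init", "pid": 2200, "cmd": "/usr/bin/whoami"}
{"host": "web-3", "parent": "next start", "pid": 5310, "cmd": "uname -a"}
"""

def basename_of(cmdline):
    """Basename of the executable in a command line ('' if the line is empty)."""
    argv = shlex.split(cmdline)
    return os.path.basename(argv[0]) if argv else ""

def recon_in_shell(cmdline):
    """For 'sh -c <script>', return the recon command names found inside <script>."""
    argv = shlex.split(cmdline)
    if "-c" not in argv or argv.index("-c") + 1 >= len(argv):
        return set()
    script = argv[argv.index("-c") + 1]
    for sep in (";", "|", "&"):  # treat pipeline/list separators as word breaks
        script = script.replace(sep, " ")
    return {os.path.basename(w) for w in script.split()} & RECON_CMDS

def classify(event):
    """Reason string if the child process looks like post-exploitation, else None."""
    if basename_of(event["parent"]) not in NODE_RUNTIMES:
        return None  # only children of the web server's Node.js process are of interest
    child = basename_of(event["cmd"])
    if child in RECON_CMDS:
        return f"recon command '{child}' spawned by a Node.js process"
    if child in SHELLS:
        found = recon_in_shell(event["cmd"])
        detail = f" running {sorted(found)}" if found else ""
        return f"shell '{child}'{detail} spawned by a Node.js process"
    return None

def detect(text):
    """Parse newline-delimited JSON events and return the suspicious ones with reasons."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return [{"host": e["host"], "pid": e["pid"], "reason": classify(e)}
            for e in events if classify(e)]
```

Calling `detect(SAMPLE_EVENTS)` returns the two events where a Node.js parent spawned a shell running `whoami` and a bare `uname -a`; the `whoami` run by `init` on web-2 is not flagged because the parent is not a Node.js process.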

Source: The Hacker News
