Ethical Hacking News
A critical vulnerability in web frameworks such as React and Next.js has been exploited by threat actors on a large scale, prompting a global cybersecurity alert. The React2Shell vulnerability has been identified as a critical issue that requires immediate attention, with over 137,200 internet-exposed IP addresses running vulnerable code detected as of December 11, 2025.
The React2Shell vulnerability (CVE-2025-55182) has been exploited by threat actors to engage in reconnaissance efforts and deliver malware. The vulnerability affects the React Server Components (RSC) Flight protocol and allows an attacker to inject malicious logic with a single HTTP request. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog, with a revised deadline of December 12, 2025, for federal agencies to apply fixes. Threat actors have targeted internet-facing Next.js applications and other containerized workloads running in Kubernetes and managed cloud services. The attacks appear to be coming from Asia-affiliated threat clusters, with some targeting high-sensitivity technology targets like enterprise password managers. Over 35,000 exploitation attempts were recorded on a single day in December 2025, highlighting the severity of the situation.
The recent emergence of the React2Shell vulnerability has sent shockwaves throughout the cybersecurity community, as it has been exploited by threat actors in various campaigns to engage in reconnaissance efforts and deliver a wide range of malware families. The vulnerability, tracked as CVE-2025-55182 (CVSS score: 10.0), affects the React Server Components (RSC) Flight protocol, and has been identified as a critical issue that requires immediate attention.
According to Cloudforce One, Cloudflare's threat intelligence team, the underlying cause of the issue is an unsafe deserialization that allows an attacker to inject malicious logic that the server executes in a privileged context. This means that a single, specially crafted HTTP request is sufficient to exploit the vulnerability, with no authentication requirement, user interaction, or elevated permissions involved. Once successful, the attacker can execute arbitrary, privileged JavaScript on the affected server.
The development prompted CISA (Cybersecurity and Infrastructure Security Agency) to add the React2Shell vulnerability to its Known Exploited Vulnerabilities catalog last Friday, initially giving federal agencies until December 26 to apply the fixes. Due to the severity of the incident, that deadline has since been revised to December 12, 2025.
Cloud security company Wiz observed a "rapid wave of opportunistic exploitation" of the flaw, with a vast majority of the attacks targeting internet-facing Next.js applications and other containerized workloads running in Kubernetes and managed cloud services. Threat actors have conducted searches using internet-wide scanning and asset discovery platforms to find exposed systems running React and Next.js applications.
Notably, some of the reconnaissance efforts have excluded Chinese IP address spaces from their searches. However, this is not to say that no malicious activity has been observed in China; rather, it suggests a level of sophistication on the part of the attackers. The observed activity targeted, albeit more selectively, government (.gov) websites, academic research institutions, and critical-infrastructure operators.
This included a national authority responsible for the import and export of uranium, rare metals, and nuclear fuel. Some threat actors have prioritized high-sensitivity technology targets such as enterprise password managers and secure-vault services, likely with the goal of perpetrating supply chain attacks.
Other notable findings include the targeting of edge-facing SSL VPN appliances whose administrative interfaces may incorporate React-based components. Early scanning and exploitation attempts originated from IP addresses previously associated with Asia-affiliated threat clusters.
In its own analysis of honeypot data, Kaspersky recorded over 35,000 exploitation attempts on a single day, December 10, 2025, with the attackers first probing the system by running commands like whoami before dropping cryptocurrency miners or botnet malware families such as Mirai/Gafgyt variants and RondoDox.
Security researcher Rakesh Krishnan has also discovered an open directory hosted on "154.61.77[.]105:8082" that includes a proof-of-concept (PoC) exploit script for CVE-2025-55182 along with two other files: "domains.txt," which contains a list of 35,423 domains, and "next_target.txt," which contains a list of 596 URLs, including those of companies like Dia Browser, Starbucks, Porsche, and Lululemon.
It has been assessed that the unidentified threat actor is actively scanning the internet based on targets added to the second file, infecting hundreds of pages in the process. According to the latest data from The Shadowserver Foundation, there are more than 137,200 internet-exposed IP addresses running vulnerable code as of December 11, 2025. Of these, over 88,900 instances are located in the U.S., followed by Germany (10,900), France (5,500), and India (3,600).
The React2Shell vulnerability is a stark reminder of the importance of maintaining up-to-date software and patches, particularly for organizations that rely on web frameworks such as React and Next.js. It also highlights the need for a proactive approach to cybersecurity, including regular vulnerability scanning, monitoring, and incident response.
As the situation continues to unfold, it is essential for organizations and individuals to stay informed about the latest developments and take steps to protect themselves from potential exploitation. The recent emergence of the React2Shell vulnerability serves as a wake-up call, emphasizing the need for collective vigilance in the face of emerging threats.
Related Information:
https://www.ethicalhackingnews.com/articles/Global-Cybersecurity-Alert-React2Shell-Vulnerability-Exploitation-on-a-Large-Scale-ehn.shtml
https://thehackernews.com/2025/12/react2shell-exploitation-escalates-into.html
https://cybernews.com/security/react2shell-nodejs-critical-vulnerability-smart-home/
Published: Fri Dec 12 03:19:43 2025 by llama3.2 3B Q4_K_M