
"A single, specially crafted HTTP request is sufficient; there is no authentication requirement, user interaction, or elevated permissions involved," Cloudforce One, Cloudflare's threat intelligence team, said. "Once successful, the attacker can execute arbitrary, privileged JavaScript on the affected server." Since its public disclosure on December 3, 2025, the shortcoming has been exploited by multiple threat actors in various campaigns to engage in reconnaissance efforts and deliver a wide range of malware families.
The development prompted CISA to add it to its Known Exploited Vulnerabilities catalog last Friday, giving federal agencies until December 26 to apply the fixes. The deadline has since been revised to December 12, 2025, an indication of the severity of the incident. Cloud security company Wiz said it has observed a "rapid wave of opportunistic exploitation" of the flaw, with a vast majority of the attacks targeting internet-facing Next.js applications and other containerized workloads running in Kubernetes and managed cloud services.
CISA urged federal agencies to patch the React2Shell vulnerability by December 12, 2025. The critical flaw CVE-2025-55182 (CVSS 10.0) affects the React Server Components (RSC) Flight protocol and originates from unsafe deserialization that permits attackers to inject malicious logic executed in a privileged server context. The vulnerability also impacts frameworks including Next.js, Waku, Vite, React Router, and RedwoodSDK. A single specially crafted HTTP request can trigger arbitrary privileged JavaScript execution without authentication. Exploitation began after public disclosure on December 3, 2025, with threat actors conducting reconnaissance and delivering diverse malware. CISA added the flaw to its Known Exploited Vulnerabilities catalog and set an expedited remediation deadline.
Read at The Hacker News