CISA moves up React2Shell patch deadline as global exploitation accelerates

December 16, 2025

U.S. cybersecurity officials have accelerated the patch deadline for the critical React2Shell vulnerability after confirming widespread, active exploitation across cloud environments. The flaw, which allows unauthenticated remote code execution in React and Next.js applications, is now being treated as an urgent national cybersecurity risk. Federal agencies are now required to patch the vulnerability by Dec. 12, 2025.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) moved the deadline up two weeks after adding the issue to its Known Exploited Vulnerabilities catalogue. The deadline to apply the patches was initially Dec. 26. The revised timeline reflects how quickly attackers have weaponized the flaw since its public disclosure on Dec. 3.

React2Shell affects the React Server Components “Flight” protocol and stems from unsafe deserialization of client-controlled data. Cloudflare’s Cloudforce One said exploitation requires only a single crafted HTTP request, with no authentication, user interaction or elevated permissions needed. Once triggered, attackers can execute arbitrary JavaScript code with full server privileges.

The vulnerability extends beyond React itself. Frameworks that rely on the same server component logic, including Next.js, Waku, Vite, React Router and RedwoodSDK, are also affected. Cloud security firm Wiz said it has observed a rapid wave of opportunistic attacks, largely targeting internet-facing Next.js applications running in Kubernetes clusters and managed cloud services.

Threat intelligence firms report extensive scanning activity as attackers search for exposed systems. Cloudflare said the highest concentration of probing has targeted networks in Taiwan, Vietnam, Japan and New Zealand, regions often associated with geopolitical intelligence collection. Some scanning activity explicitly excluded Chinese IP ranges. More selective activity has also targeted government websites, academic institutions and critical-infrastructure operators, including a national authority overseeing nuclear fuel imports and exports.

Kaspersky recorded more than 35,000 exploitation attempts in a single day on Dec. 10. Early-stage attacks often begin with simple reconnaissance commands before deploying payloads such as cryptocurrency miners, Mirai-based botnets, Cobalt Strike beacons and multiple backdoor frameworks.

Researchers have also identified public infrastructure supporting the attacks. An exposed server discovered by security researcher Rakesh Krishnan hosted exploit scripts alongside target lists containing tens of thousands of domains, suggesting automated, ongoing compromise efforts.

The scale of exposure remains significant. Shadowserver estimates more than 137,000 internet-exposed IP addresses were running vulnerable code as of December 11, with the largest concentrations in the United States, Germany, France and India.

Despite the surge in activity, exposure remains high. Coalition, a cyber insurance firm, has compared React2Shell to the 2021 Log4Shell incident, calling it a systemic risk event driven by a widely deployed framework and low-effort exploitation. 


Jim Love

Jim is an author and podcast host with over 40 years in technology.
