The newly disclosed React2Shell vulnerability poses a major threat to the cybersecurity landscape. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added React2Shell to its Known Exploited Vulnerabilities catalog, an administrative action that highlights the need to address the issue promptly. The vulnerability hits frameworks that many of us have come to rely on, including React Server Components (RSC) and Next.js, and it represents an existential threat to federal government agencies and corporate America alike.
Under CISA’s requirements, federal agencies must implement the required patches by December 26, 2025. In its announcement, the agency underscores the importance of fixing the vulnerability right away in order to reduce the chances of exploitation. React2Shell meets the technical definition of a “systemic cyber risk aggregation event.” Like the Log4Shell vulnerability disclosed in December 2021, it has the potential to cause widespread harm.
Details of React2Shell Vulnerability
React2Shell is a flaw in the RSC Flight protocol. The bug has received the highest possible CVSS score of 10.0, reflecting its critical severity. Cloudforce One, the threat intelligence team within Cloudflare, was the first to discover and report on the vulnerability. They observed threat actors exploiting React2Shell in multiple campaigns to perform reconnaissance and deploy malware.
According to Cloudflare’s research, a single specially crafted HTTP request is enough to trigger the exploit. No user interaction or authentication is required, which makes the flaw especially hazardous.
“A single, specially crafted HTTP request is sufficient; there is no authentication requirement, user interaction, or elevated permissions involved.” – Cloudforce One, Cloudflare’s threat intelligence team
The vulnerability affects all applications that use React. Exploitation has already hit hundreds of sites and high-sensitivity technology targets. Kaspersky reported more than 35,000 exploitation attempts in a single day on December 10, 2025.
Rapid Exploitation and Targeting
As the vulnerability spread, various threat actors engaged in a “rapid wave of opportunistic exploitation,” focusing on internet-facing Next.js applications and containerized workloads. As Wiz has observed, organizations running these vulnerable deployments are at high risk simply because they are easy to exploit.
Additionally, supply chain threat actors have targeted edge-facing SSL VPN appliances that use React-based components in their GUIs. Some of this reconnaissance apparently went out of its way to avoid scanning Chinese IP address space, which suggests deliberate target selection.
The diversity of malware delivered via React2Shell exploits adds yet another layer to the chaos. With several threat actors exploiting the vulnerability at the same time, the ramifications for organizations can be severe.
Call to Action for Agencies
CISA’s requirement that federal agencies implement patches for React2Shell by December 12, 2025 is a dire call to action. The agency’s just-released directive is meant to ensure that every government entity, large or small, is protected against this very serious threat. As the deadline swiftly approaches, infrastructure agencies need to make these updates a priority so that they can secure their systems as effectively as possible.
Given the scope of the React2Shell vulnerability, a collective and urgent response is required from every corner. Organizations should take immediate actions to assess their systems and patch them as quickly as possible.