React2Shell and related RSC vulnerabilities threat brief: early exploitation activity and threat actor techniques
Blog post from Cloudflare
On December 3, 2025, the React Team disclosed CVE-2025-55182, a critical vulnerability known as React2Shell. It affects servers that use the React Server Components (RSC) Flight protocol and allows remote code execution through unsafe deserialization. The vulnerability quickly attracted exploitation attempts, especially from Asia-linked threat groups, which used various tools for scanning and reconnaissance. Two related vulnerabilities, CVE-2025-55183 and CVE-2025-55184, were also disclosed; both concern React Server Component implementations. Cloudflare responded by deploying new Web Application Firewall (WAF) rules to protect against these vulnerabilities, but emphasized that patching affected systems is the most reliable defense. The initial wave of exploitation involved systematic probing and the use of public vulnerability intelligence and scanning tools, with a focus on high-value targets and strategic regions. Cloudflare's mitigation efforts included continuous monitoring and rule updates to adapt to evolving exploit tactics, which highlights the persistent threat posed by these vulnerabilities.