React2Shell and related RSC vulnerabilities threat brief: early exploitation activity and threat actor techniques
ID: 4cfe7d8c-19a5-5581-8414-137eb383a9b6
STIX ID: report--4cfe7d8c-19a5-5581-8414-137eb383a9b6
Feed Name: Cloudflare Blog
On December 3, 2025, Cloudflare observed immediate, large-scale scanning and active exploitation attempts targeting a critical React Server Components RCE (CVE-2025-55182, "React2Shell") and two related RSC vulnerabilities (CVE-2025-55183, CVE-2025-55184). Activity included use of Nuclei, custom React2Shell scanners, Burp Suite, and Internet-scale asset discovery to prioritize high-value targets. Cloudflare deployed Free and Paid WAF rules to block exploit traffic, published detections and rule IDs, and reported attribution and targeting patterns consistent with Asia-linked actors probing government, research, critical infrastructure, password managers, and edge VPN appliances.
