ACCORDING to Cloudflare, the React2Shell vulnerability (CVE-2025-55182) was disclosed on 3 December 2025 and prompted immediate monitoring as soon as the public details emerged. Early activity showed rapid exploitation attempts and scanning from infrastructure linked to Asia-affiliated threat groups, with actors using standard vulnerability scanners and asset-discovery platforms to find exposed RSC deployments.
Between 3 December 2025 and 11 December 2025, the company observed 582.10 million hits aimed at exploit-related WAF rules, averaging 3.49 million hits per hour, with a peak hour reaching 12.72 million; the average hourly unique IP count was 3,598, peaking at 16,585. The activity also included a focus on metadata such as icon hashes and SSL certificate details to refine target lists, and a variety of User-Agent strings indicating diverse probing tools.
Cloudflare noted two additional RSC vulnerabilities, CVE-2025-55183 and CVE-2025-55184, related to server function leakage and DoS respectively, for which its protections are also deployed.