Particle.news

React2Shell Exploitation Escalates as React Ships New RSC Fixes, Half of Exposed Systems Still Vulnerable

CISA accelerated its federal patch deadline to December 12 in response to active, large‑scale exploitation.

Overview

  • Security telemetry from Wiz indicates roughly 50 percent of known internet-exposed React/Next.js assets remain unpatched as attacks expand across at least 15 intrusion clusters.
  • React released additional updates for RSC to address DoS and source-code exposure flaws (CVE-2025-55184, CVE-2025-67779, CVE-2025-55183) and warned that interim versions must be updated again to 19.0.3, 19.1.4, or 19.2.3.
  • Vendors report varied attacker activity, from cryptominers to hands-on-keyboard operations, with Palo Alto Networks linking some campaigns to North Korean and Chinese groups and noting use of tools like BPFDoor and Sliver.
  • Exposure and weaponization remain high, with Shadowserver counting about 137,200 vulnerable IPs, Kaspersky logging 35,000 daily attempts, and a publicly accessible directory hosting a PoC and large target lists.
  • The RCE flaw (CVE-2025-55182) stems from unsafe deserialization in React Server Components and affects downstream frameworks such as Next.js, Waku, Vite/Parcel plugins, React Router, and Redwood, requiring framework-specific updates and redeploys.
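Because the summary says interim releases must be updated again to 19.0.3, 19.1.4 or 19.2.3, a check that only confirms "some 19.x is installed" is not enough; the comparison has to be made within each minor line, and nested copies of React that other packages pull in under their own node_modules must be counted too. The Node.js script below is an added example, not code from Particle.news, React or any vendor quoted above. It walks an npm lockfile (the v2/v3 `packages` map) and flags every audited package whose version is below the fixed release for its line. The audited package names, the constructed sample lockfile and its version numbers are assumptions for illustration; substitute your own lockfile and the package list from the React advisory.

```javascript
// Added example (not from Particle.news or the React project). Compares React
// package versions in an npm lockfile against the fixed releases named in the
// summary: 19.0.3, 19.1.4 and 19.2.3, one threshold per minor line.

const FIXED_VERSIONS_BY_MINOR = {
  "19.0": "19.0.3",
  "19.1": "19.1.4",
  "19.2": "19.2.3",
};

// ASSUMPTION: which packages carry the RSC fixes is not stated on the page;
// this list is illustrative and should be replaced with the advisory's own.
const PACKAGES_TO_AUDIT = ["react", "react-dom", "react-server-dom-webpack"];

// "19.2.1", "v19.2.1" or "=19.2.1" -> [19, 2, 1]; anything else -> null.
function parseVersion(spec) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(spec).trim().replace(/^[v=]/, ""));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Classify one installed version. "fixed" means only that the version is at or
// above the release number the summary lists for that minor line.
function assessVersion(installed) {
  const v = parseVersion(installed);
  if (!v) return { status: "unparseable", required: null };
  const line = `${v[0]}.${v[1]}`;
  const required = FIXED_VERSIONS_BY_MINOR[line];
  if (!required) return { status: "review-manually", required: null }; // line not in the list above
  const ok = compareVersions(v, parseVersion(required)) >= 0;
  return { status: ok ? "fixed" : "needs-update", required };
}

// Lockfile paths look like "node_modules/react" or, for a nested copy,
// "node_modules/some-widget/node_modules/react"; take the last segment.
function packageNameFromPath(path) {
  const idx = path.lastIndexOf("node_modules/");
  return idx === -1 ? null : path.slice(idx + "node_modules/".length);
}

function auditLockfile(lock, names = PACKAGES_TO_AUDIT) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(path);
    if (!name || !names.includes(name) || !entry.version) continue;
    findings.push({ path, name, version: entry.version, ...assessVersion(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile (not a real project); versions chosen only to
// exercise each branch, including a nested copy below its line's threshold.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/react": { version: "19.2.1" },
    "node_modules/react-dom": { version: "19.2.3" },
    "node_modules/react-server-dom-webpack": { version: "19.1.4" },
    "node_modules/legacy-widget": { version: "2.0.0" },
    "node_modules/legacy-widget/node_modules/react": { version: "19.0.2" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  const need = f.required ? ` (fixed release for this line: ${f.required})` : "";
  console.log(`${f.status.padEnd(14)} ${f.path} @ ${f.version}${need}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. A "review-manually" result means the installed line is not one of the three the summary names, not that it is safe; confirm those against the React advisory rather than this script.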