TL;DR
Critical React Server Components vulnerability (CVE-2025-55182) hit CVSS 10.0; threat actors scanned 3.5M targets/hour within hours of disclosure.
Key Points
- 582.10M exploitation attempts detected Dec 3-11, averaging 3.49M hits/hour with a peak of 12.72M/hour
- Unsafe deserialization in the RSC Flight protocol allows unauthenticated RCE via a single HTTP request
- Asian-nexus threat actors targeted Taiwan, Xinjiang, Vietnam, Japan; prioritized .gov sites, password managers, SSL VPN appliances
- Two additional RSC vulnerabilities disclosed: CVE-2025-55183 (source code leakage) and CVE-2025-55184 (DoS via cyclic promises)
Why It Matters
This vulnerability is a critical attack surface for any React Server Components deployment exposed to the internet. The speed of exploitation (within hours) and its scale (16K+ unique IPs, 6K+ user-agents) demonstrate how rapidly zero-days are weaponized. Organizations running vulnerable RSC versions face immediate RCE risk with no authentication barrier.
Source: blog.cloudflare.com