Critical React2Shell flaw actively exploited in China-linked attacks

Recorded: Dec. 5, 2025, 9:13 p.m.

By Bill Toulas

December 5, 2025
06:26 AM
Multiple China-linked threat actors began exploiting the React2Shell vulnerability (CVE-2025-55182) affecting React and Next.js just hours after the max-severity issue was disclosed.
React2Shell is an insecure deserialization vulnerability in the React Server Components (RSC) 'Flight' protocol. Exploiting it does not require authentication and allows remote execution of JavaScript code in the server's context.
Next.js was initially given a separate identifier, CVE-2025-66478, but that tracking number was rejected in the National Vulnerability Database's CVE list as a duplicate of CVE-2025-55182.
The security issue is easy to leverage, and several proof-of-concept (PoC) exploits have already been published, increasing the risk of related threat activity.
The vulnerability spans several versions of the widely used library, potentially exposing thousands of dependent projects. Wiz researchers say that 39% of the cloud environments they can observe are susceptible to React2Shell attacks.
React and Next.js have released security updates, but the issue is trivially exploitable without authentication and in the default configuration.
React2Shell attacks underway
A report from Amazon Web Services (AWS) warns that the Earth Lamia and Jackpot Panda threat actors linked to China started to exploit React2Shell almost immediately after the public disclosure.
"Within hours of the public disclosure of CVE-2025-55182 (React2Shell) on December 3, 2025, Amazon threat intelligence teams observed active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda," reads the AWS report.
AWS's honeypots also caught activity not attributed to any known clusters, but which still originates from China-based infrastructure.
Many of the attacking clusters share the same anonymization infrastructure, which further complicates individualized tracking and specific attribution.
Regarding the two identified threat groups, Earth Lamia focuses on exploiting web application vulnerabilities.
Typical targets include entities in the financial services, logistics, retail, IT companies, universities, and government sectors across Latin America, the Middle East, and Southeast Asia.
Jackpot Panda targets are usually located in East and Southeast Asia, and its attacks are aimed at collecting intelligence on corruption and domestic security.
PoCs now available
Lachlan Davidson, the researcher who discovered and reported React2Shell, warned about fake exploits circulating online. However, exploits confirmed as valid by Rapid7 researcher Stephen Fewer and Elastic Security's Joe Desimone have appeared on GitHub.
The attacks that AWS observed leverage a mix of public exploits, including broken ones, along with iterative manual testing and real-time troubleshooting against targeted environments.
The observed activity includes repeated attempts with different payloads, Linux command execution (whoami, id), attempts to create files (/tmp/pwned.txt), and attempts to read '/etc/passwd'.
"This behavior demonstrates that threat actors aren't just running automated scans, but are actively debugging and refining their exploitation techniques against live targets," comment AWS researchers.
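As an added, defender-side example (not code from the article or from AWS), the check below scans audit-style process log lines for the post-exploitation indicators listed above: recon commands spawned by the Node.js server process and accesses to the named file paths. The line layout, the parent process names and the sample log entries are all assumptions constructed for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Indicators from the article's description of observed post-exploitation activity.
RECON_COMMANDS = {"whoami", "id"}
SUSPICIOUS_PATHS = {"/tmp/pwned.txt", "/etc/passwd"}
# Process names assumed to be the React/Next.js server (an assumption for this example).
SERVER_PARENTS = {"node", "next-server"}
# Constructed line layout for this example, not any real audit format.
LINE_RE = re.compile(r'^(?P<ts>\S+) parent=(?P<parent>\S+) comm=(?P<comm>\S+) argv="(?P<argv>[^"]*)"$')

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one constructed log line into fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(event: Dict[str, str]) -> Optional[str]:
    """Return why an event looks like post-exploitation activity, or None if benign."""
    # Only commands spawned by the server process itself are in scope.
    if event["parent"] not in SERVER_PARENTS:
        return None
    tokens = set(event["argv"].split())
    if RECON_COMMANDS & tokens:
        return "recon command spawned by server process"
    if SUSPICIOUS_PATHS & tokens:
        return "suspicious file path touched by server process"
    return None

def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, reason, argv) for every suspicious line in the log text."""
    hits = []
    for line in text.splitlines():
        event = parse_line(line)
        reason = classify(event) if event else None
        if reason:
            hits.append((event["ts"], reason, event["argv"]))
    return hits

# Constructed sample log (not real telemetry): four probe-like events, two benign ones.
SAMPLE_LOG = """\
2025-12-04T01:12:03Z parent=node comm=sh argv="sh -c whoami"
2025-12-04T01:12:09Z parent=node comm=sh argv="sh -c id"
2025-12-04T01:12:15Z parent=node comm=touch argv="touch /tmp/pwned.txt"
2025-12-04T01:12:21Z parent=node comm=cat argv="cat /etc/passwd"
2025-12-04T01:13:00Z parent=bash comm=whoami argv="whoami"
2025-12-04T01:13:05Z parent=node comm=node argv="node scripts/build.js"
"""

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

The admin's interactive `whoami` (parent `bash`) and the build script are left alone; only the four events spawned by the server process are reported.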
Attack surface management (ASM) platform Assetnote has released a React2Shell scanner on GitHub that can be used to determine if an environment is vulnerable to React2Shell.

Bill Toulas
Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.

Comments

abides - 6 hours ago

I think it should be mentioned that Vercel and Netlify mitigated this vector before it was announced. Not sure the % of next.js sites hosted outside of these platforms or if other platforms also performed mitigation.

Critical React2Shell Flaw Actively Exploited in China-Linked Attacks

The December 5, 2025, BleepingComputer report details an immediate and concerning exploitation of the React2Shell vulnerability, affecting React and Next.js frameworks. This vulnerability, CVE-2025-55182, presents a significant risk due to its ease of exploitation and the potential for remote code execution (RCE) within server contexts, requiring no authentication. The issue was discovered and reported by Lachlan Davidson, prompting rapid response from security researchers including Stephen Fewer and Joe Desimone.

The core of the threat lies in the “Flight” protocol used in React Server Components (RSC), a flaw that allows unauthorized code execution. Multiple China-linked threat actors, including Earth Lamia and Jackpot Panda, swiftly began utilizing publicly available proof-of-concept (PoC) exploits almost immediately following the vulnerability’s disclosure. These groups demonstrate aggressive exploitation techniques, characterized by iterative testing, manual debugging, and the execution of commands like ‘whoami’ and ‘id,’ alongside attempts to create files and read sensitive system information. This behavior underscores a sophisticated, real-time approach to attack refinement.

AWS observed diverse attack patterns, noting shared anonymization infrastructure amongst the threat groups, complicating attribution efforts. Earth Lamia primarily focuses on web application vulnerabilities, targeting sectors including financial services, logistics, retail, IT, universities, and government entities across Latin America, the Middle East, and Southeast Asia. Conversely, Jackpot Panda’s targets are concentrated in East and Southeast Asia, with a focus on gathering intelligence related to corruption and domestic security.

The rapid response has led to immediate mitigation efforts, including action taken by Vercel and Netlify, highlighting a degree of preparedness within the Next.js ecosystem. Further, the Assetnote platform released a React2Shell scanner on GitHub to assist in identifying vulnerable environments. Researchers are actively tracking the evolving attack strategies, underscoring the importance of proactive security measures and continuous monitoring in response to emerging threats. This incident emphasizes the urgency of patching vulnerabilities and implementing robust attack surface visibility strategies to prevent similar exploitation.