China-linked Threat Actors Weaponized React2Shell Hours After Disclosure
Summary:
Within hours of the React2Shell flaw (CVE-2025-55182) becoming public, China-linked threat actors began exploiting this pre-authentication Remote Code Execution (RCE) vulnerability. The flaw exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 across packages like react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack.
The RCE stems from the Server Function endpoints deserializing attacker-controlled data from HTTP request bodies without adequate safety checks, so no authentication is required to reach the vulnerable code. AWS Security, while confirming that its own services are not affected, shared this intelligence to help customers running vulnerable React or Next.js applications in their own environments.
Exploitation attempts observed in AWS honeypots are linked to known China state-nexus groups, specifically Earth Lamia and Jackpot Panda, which utilize large shared anonymization networks common in Chinese cyber operations, making precise attribution difficult.
Security Officer Comments:
The rapid weaponization of React2Shell by China-linked threat actors illustrates a persistent trend in the current threat landscape: publicly disclosed vulnerabilities and Proof-of-Concepts (PoCs) are folded into active, multi-CVE campaigns almost as soon as they appear. The observed activity is not limited to automated scanning; attackers are actively troubleshooting and refining their exploit attempts against individual targets, which indicates sustained interest in vulnerable applications rather than fire-and-forget sweeps.
The use of vast, shared anonymization networks is a key operational characteristic. It obscures which specific group is behind a given request and reflects a high degree of coordination and resource sharing among these actors. Because the emphasis is on speed and volume, even flawed PoCs are being fired at targets, which generates significant log noise that can mask more complex or successful intrusions.
Suggested Corrections:
The immediate and critical mitigation for CVE-2025-55182 is to update every vulnerable installation of React Server Components to a patched version. The flaw is addressed in versions 19.0.1, 19.1.2, and 19.2.1. Organizations running React or Next.js applications with vulnerable React Server Components should apply these updates without delay.
Additionally, organizations should deploy network monitoring and logging solutions to detect and respond to suspicious activity, especially attempts at unauthenticated code execution or unusual traffic to Server Function endpoints. Given the observed threat actor behavior, proactive measures like input validation and strict deserialization checks should be enforced as a defense-in-depth strategy, and security teams must be vigilant for multi-CVE campaigns.
Link(s):
https://aws.amazon.com/blogs/securi...oit-react2shell-vulnerability-cve-2025-55182/