React2Shell: The 10.0 CVSS Nightmare Exploited Within Hours


On December 3, 2025, the React development community faced its most serious security crisis in years. A critical vulnerability dubbed “React2Shell”, assigned CVE-2025-55182 and carrying the maximum possible CVSS score of 10.0, was disclosed. It affects React Server Components and, through them, the widely used Next.js framework. Within hours, multiple China-nexus threat groups began active exploitation. The speed and sophistication of these attacks underline a sobering reality: when a critical vulnerability in a ubiquitous technology becomes public, the window to patch has shrunk from days to hours.

Understanding the Vulnerability

CVE-2025-55182 is a critical unauthenticated remote code execution vulnerability affecting React Server Components. Discovered by security researcher Lachlan Davidson and responsibly disclosed to Meta’s React team on November 29, 2025, the flaw stems from unsafe deserialization in React’s Server Components implementation, specifically in how the “Flight” protocol handles incoming data.

The vulnerability exists in React versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, in the three packages that implement the server side of the Flight protocol: react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. Applications using React Server Components are vulnerable even if they never define a React Server Function (a Next.js Server Action) of their own; merely supporting React Server Components is enough to be at risk, because the server still decodes incoming Flight payloads.

The technical mechanism is a logic flaw in deserialization rather than memory corruption: the server decodes React Server Component payloads without adequately validating their structure. A specially crafted, malformed payload therefore lets attacker-controlled data steer server-side execution. The exploit abuses React’s internal deserialization syntax (the references the Flight format uses to link the chunks of a payload together) to forge objects the server never intended to construct, ultimately coercing it into evaluating attacker-supplied JavaScript through the Function constructor.

Security researchers at Wiz constructed a fully working proof-of-concept with near 100% reliability, demonstrating that exploitation requires only a crafted HTTP request with no authentication needed. What makes this particularly dangerous is that the vulnerability exists in default configurations—a standard Next.js application created with create-next-app and built for production can be exploited with zero code changes by the developer.

The Scope of Exposure

The potential impact of React2Shell is staggering. According to the 2024 State of JavaScript developer survey, React was used by 82% of respondents. The Shadowserver Foundation identified more than 77,000 servers with React Server Components exposed to the internet, while a separate Censys scan found over 293,000 potentially vulnerable instances. Palo Alto Networks’ internal telemetry alone identified over 968,000 React and Next.js instances.

React is deployed on an estimated 6% of all websites globally, so millions of people interact with React-powered applications every day. Much of its popularity comes from its rendering model: React re-renders only the parts of a page whose state has changed, which keeps pages responsive and avoids wasted work. That reach means a single critical flaw has consequences across a significant share of modern web infrastructure.

Beyond the public-facing pages, React Server Components run on the server and do the work that touches the most sensitive data: they render the main content of product pages and news articles, talk to databases to fetch private records, and handle user credentials. With React2Shell, every one of those server-side code paths becomes a potential entry point, and whatever the server process can read (environment variables, cloud credential files, database connection strings) is within an attacker’s reach.

Hours to Exploitation: The Chinese APT Response

The speed at which nation-state actors operationalized this vulnerability represents a watershed moment in offensive cyber capabilities. Within hours of the public disclosure on December 3, 2025, Amazon threat intelligence teams observed active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda.

Earth Lamia is a well-documented Chinese cyber threat actor known for exploiting web application vulnerabilities to target organizations across Latin America, the Middle East, and Southeast Asia. The group has historically focused on financial services, logistics, retail, IT companies, universities, and government organizations. Their rapid pivot to React2Shell exploitation demonstrates the sophisticated monitoring and weaponization capabilities maintained by advanced persistent threat groups.

Jackpot Panda, another China-nexus actor, primarily targets entities in East and Southeast Asia, with operations aligning to collection priorities relating to domestic security and corruption concerns. Amazon’s analysis of exploitation attempts from their MadPot honeypot infrastructure revealed activity from IP addresses and infrastructure historically linked to these known groups, though definitive attribution remains challenging due to the shared anonymization infrastructure commonly used among Chinese threat actors.

Palo Alto Networks Unit 42 researchers also observed exploitation activity they assess with high confidence is consistent with UNC5174, a Chinese state-sponsored threat actor suspected to have ties to the Chinese Ministry of State Security. The group is believed to operate as an initial access broker, suggesting that successful React2Shell compromises may be sold or transferred to other threat actors for follow-on operations.

Attack Patterns and Techniques

The observed exploitation attempts reveal both the sophistication and the challenges facing threat actors. Amazon researchers documented threat actors using both automated scanning tools with capabilities like user agent randomization to evade detection, as well as individual proof-of-concept exploits. Notably, many attackers were attempting to use publicly available PoC code that doesn’t actually work in real-world scenarios.

One particularly revealing example involved an unattributed threat cluster that systematically troubleshot exploitation attempts for nearly an hour, making 116 requests across 52 minutes while trying multiple different payloads, executing Linux commands like whoami and id, attempting to write files such as /tmp/pwned.txt, and reading system files including /etc/passwd. This behavior demonstrates that threat actors aren’t just running automated scans, but are actively debugging and refining their exploitation techniques against live targets.

The attacks Amazon observed combine public exploits, including broken ones, with iterative manual testing and real-time troubleshooting against the targeted environment. GreyNoise Intelligence recorded 181 distinct IP addresses attempting to exploit the flaw over a 24-hour period on December 5-6, with scanning activity originating primarily from the Netherlands, China, the United States, and Hong Kong. The automated nature of much of this traffic suggests attackers have folded React2Shell detection and exploitation into their existing scanning infrastructure.
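The two behaviours described above, an application server spawning reconnaissance commands and a single client hammering one endpoint with rotating User-Agent strings, are both detectable without a signature for the exploit payload. The following Node.js script is an added example written for this page, not code from Amazon’s, GreyNoise’s or Unit 42’s reports. The telemetry it runs over (process-execution events and web access-log records) is constructed for the demonstration, and the field names, the process names it treats as the Node.js application server, and the thresholds are assumptions to be tuned to your own environment.

```javascript
// Added example (not from the cited vendor reports). Two detections for the
// post-exploitation behaviour described above, run over constructed telemetry.
// Field names, process names and thresholds are assumptions for this demo.

// --- 1. Process telemetry: the app server must not spawn shells or recon ----

// Process names a React/Next.js server typically runs under (assumption; Next.js
// sets its process title to "next-server ...", and comm is truncated on Linux).
function isAppServer(parentComm) {
  return /^(node|next-server|next-start)/.test(parentComm || '');
}
const SHELLS = new Set(['sh', 'bash', 'dash', 'zsh']);
// Commands the reports saw attackers run, matched as whole shell words.
const RECON_RE = /(^|[\s"';|&(])(whoami|id|uname|cat\s+\/etc\/passwd)(?=$|[\s"';|&)])/;
const TMP_WRITE_RE = /(^|[\s>])\/tmp\/\S+/;

function classifyProcessEvent(ev) {
  if (!isAppServer(ev.parent_comm)) return null;
  const reasons = [];
  if (SHELLS.has(ev.comm)) reasons.push('shell spawned by app server');
  if (RECON_RE.test(ev.cmdline)) reasons.push('recon command');
  if (TMP_WRITE_RE.test(ev.cmdline)) reasons.push('file dropped in /tmp');
  return reasons.length ? { ts: ev.ts, pid: ev.pid, cmdline: ev.cmdline, reasons } : null;
}

function detectProcessEvents(events) {
  return events.map(classifyProcessEvent).filter(Boolean);
}

// Constructed events (not real telemetry), modelled on the commands in the reports.
const SAMPLE_PROCESS_EVENTS = [
  { ts: '2025-12-05T10:01:00Z', pid: 4242, parent_comm: 'next-server (v1', comm: 'sh', cmdline: 'sh -c whoami' },
  { ts: '2025-12-05T10:01:07Z', pid: 4243, parent_comm: 'next-server (v1', comm: 'sh', cmdline: 'sh -c id' },
  { ts: '2025-12-05T10:02:30Z', pid: 4251, parent_comm: 'next-server (v1', comm: 'sh', cmdline: 'sh -c "echo pwned > /tmp/pwned.txt"' },
  { ts: '2025-12-05T10:03:10Z', pid: 4260, parent_comm: 'next-server (v1', comm: 'sh', cmdline: 'sh -c "cat /etc/passwd"' },
  { ts: '2025-12-05T10:03:11Z', pid: 4261, parent_comm: 'systemd', comm: 'sh', cmdline: 'sh -c whoami' }, // not the app
  { ts: '2025-12-05T10:04:00Z', pid: 4270, parent_comm: 'node', comm: 'node', cmdline: 'node worker.js' },  // benign child
];

// --- 2. Access logs: one client troubleshooting an exploit against one path --

// Server Function calls arrive as POST requests, so a burst of POSTs from one
// address using several User-Agent strings resembles the iterative testing
// described above (116 requests in 52 minutes, randomized user agents).
function findExploitBursts(records, opts = {}) {
  const { windowMs = 60 * 60 * 1000, minRequests = 20, minAgents = 3 } = opts;
  const byClient = new Map();
  for (const r of records) {
    if (r.method !== 'POST') continue;
    if (!byClient.has(r.ip)) byClient.set(r.ip, []);
    byClient.get(r.ip).push(r);
  }
  const bursts = [];
  for (const [ip, reqs] of byClient) {
    const ts = reqs.map((r) => Date.parse(r.ts));
    const spanMs = Math.max(...ts) - Math.min(...ts);
    const agents = new Set(reqs.map((r) => r.ua));
    const paths = new Set(reqs.map((r) => r.path));
    if (reqs.length >= minRequests && spanMs <= windowMs && agents.size >= minAgents) {
      bursts.push({ ip, requests: reqs.length, spanMinutes: Math.round(spanMs / 60000), agents: agents.size, paths: [...paths] });
    }
  }
  return bursts;
}

// Constructed access log: 25 POSTs over 48 minutes from one address rotating five
// User-Agents (documentation IP ranges, not real clients), plus ordinary traffic.
const UAS = ['Mozilla/5.0 (X11; Linux x86_64)', 'curl/8.4.0', 'python-requests/2.32.0', 'Go-http-client/1.1', 'Mozilla/5.0 (Windows NT 10.0)'];
const SAMPLE_ACCESS_LOG = [];
for (let i = 0; i < 25; i++) {
  SAMPLE_ACCESS_LOG.push({ ts: new Date(Date.UTC(2025, 11, 5, 10, 2 * i)).toISOString(), ip: '203.0.113.7', method: 'POST', path: '/', ua: UAS[i % UAS.length], status: 500 });
}
SAMPLE_ACCESS_LOG.push({ ts: '2025-12-05T10:05:00Z', ip: '198.51.100.2', method: 'POST', path: '/api/login', ua: UAS[0], status: 200 });
SAMPLE_ACCESS_LOG.push({ ts: '2025-12-05T10:05:02Z', ip: '198.51.100.2', method: 'GET', path: '/', ua: UAS[0], status: 200 });

console.log(detectProcessEvents(SAMPLE_PROCESS_EVENTS));
console.log(findExploitBursts(SAMPLE_ACCESS_LOG));
```

The process-level rule is the higher-fidelity signal: a Next.js server has no legitimate reason to spawn `sh`, so even a single hit is worth an alert, whereas the access-log rule is a triage aid whose thresholds need tuning against real traffic (legitimate API clients also POST repeatedly, but rarely with a different User-Agent every few requests).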

Perhaps most concerning, these threat groups aren’t limiting their activities to CVE-2025-55182 alone. Amazon threat intelligence teams observed them simultaneously exploiting other recent vulnerabilities, including CVE-2025-1338, demonstrating a systematic approach where threat actors monitor for new vulnerability disclosures, rapidly integrate public exploits into their scanning infrastructure, and conduct broad campaigns across multiple CVEs simultaneously to maximize their chances of finding vulnerable targets.

Real-World Impact

By December 6, Palo Alto Networks reported that more than 30 organizations had already been compromised through the React2Shell flaw. Attackers exploited the vulnerability to run commands, conduct reconnaissance, attempt to steal AWS configuration and credential files, and establish persistent access to compromised systems. These intrusions include compromises linked to known state-associated Chinese threat actors, underscoring the strategic value adversaries see in this vulnerability.

The types of attacks being conducted include reconnaissance operations to understand the compromised environment, credential theft targeting cloud provider access keys and tokens, data exfiltration of sensitive application data and configuration files, and attempts to establish persistence mechanisms for long-term access. Justin Moore from Palo Alto Networks Unit 42 characterized React2Shell as a “master key exploit, succeeding not by crashing the system, but by abusing its trust in incoming data structures.”

The exploitation success rate has been remarkably high for attackers using functional proof-of-concept code. Multiple security researchers confirmed that exploitation is straightforward, including against basic blank applications created by the scaffolding tool create-next-app using default templates. This means that even newly created, minimally configured applications are immediately vulnerable if built with affected React versions.

Industry Response and Mitigations

Meta and Vercel (the company behind Next.js) coordinated their response ahead of public disclosure. Patches were released on December 1, 2025, before the public announcement on December 3. The fix shipped in React 19.0.1, 19.1.2, and 19.2.1, that is, in patched releases of the react-server-dom-* packages. Next.js bundles its own compiled copy of react-server-dom-webpack, so upgrading the React packages in package.json does not by itself fix a Next.js application: the framework must be updated, to 16.0.7 on the 16.x line (the maintained 15.x lines received their own patched releases). Organizations were urged to upgrade immediately, outside normal patch cycles.
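A concrete way to find affected builds is to audit the lockfile for the versions listed in this section and in the earlier section on affected releases. The following Node.js script is an added example written for this page, not code from the React team, Vercel, or any vendor cited here. The lockfile it scans is constructed for the demonstration, and it relies only on the version ranges given above (react-server-dom-* 19.0.0 through 19.2.0, fixed in 19.0.1, 19.1.2 and 19.2.1; Next.js fixed in 16.0.7). It treats pre-release builds on the affected lines conservatively, as vulnerable, and reports Next.js release lines other than 16.x for manual review because this page gives no fixed version for them.

```javascript
// Added example (not from the React project or Vercel): audit an npm
// package-lock.json (lockfile v2/v3 "packages" map) for the React Server
// Components packages and Next.js builds affected by CVE-2025-55182, using
// only the version ranges stated in the write-up above.

const RSC_PACKAGES = new Set([
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
]);
// First fixed patch on each affected 19.x line: 19.0.1, 19.1.2, 19.2.1.
const RSC_FIXED_PATCH = { 0: 1, 1: 2, 2: 1 };

// Next.js vendors its own copy of react-server-dom-webpack under
// next/dist/compiled, which never appears as a lockfile entry, so the framework
// version has to be checked on its own. Only 16.0.7 is named above; other
// release lines are reported for manual review against the vendor advisory.
const NEXT_FIXED = { major: 16, minor: 0, patch: 7 };

function parseVersion(v) {
  // "19.2.0-canary-abc" -> { major: 19, minor: 2, patch: 0, prerelease: "canary-abc" }
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

function classifyRsc(version) {
  const v = parseVersion(version);
  if (!v) return 'unparseable';
  if (v.major !== 19 || !(v.minor in RSC_FIXED_PATCH)) return 'not-in-affected-range';
  const fixed = RSC_FIXED_PATCH[v.minor];
  if (v.patch > fixed) return 'fixed';
  // A pre-release of the fixed version (e.g. 19.2.1-canary-...) predates the fix;
  // treat it as vulnerable rather than guessing (conservative assumption).
  if (v.patch === fixed) return v.prerelease ? 'vulnerable' : 'fixed';
  return 'vulnerable';
}

function classifyNext(version) {
  const v = parseVersion(version);
  if (!v) return 'unparseable';
  if (v.major !== NEXT_FIXED.major) return 'review-vendor-advisory';
  const cmp = (v.minor - NEXT_FIXED.minor) || (v.patch - NEXT_FIXED.patch);
  if (cmp > 0) return 'fixed';
  if (cmp === 0) return v.prerelease ? 'vulnerable' : 'fixed';
  return 'vulnerable';
}

function packageName(lockKey) {
  // "node_modules/next/node_modules/react-server-dom-webpack" -> last package
  // segment; scoped packages keep their scope ("@scope/name").
  const i = lockKey.lastIndexOf('node_modules/');
  return i === -1 ? lockKey : lockKey.slice(i + 'node_modules/'.length);
}

// Returns every lockfile entry that is vulnerable, unparseable, or needs review.
function auditLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (!key || !entry || !entry.version) continue; // "" is the root project
    const name = packageName(key);
    let status = null;
    if (RSC_PACKAGES.has(name)) status = classifyRsc(entry.version);
    else if (name === 'next') status = classifyNext(entry.version);
    if (status && status !== 'fixed' && status !== 'not-in-affected-range') {
      findings.push({ path: key, name, version: entry.version, status });
    }
  }
  return findings;
}

// Constructed sample lockfile (not a real project): one vulnerable direct RSC
// dependency, one fixed one, a vulnerable Next.js build with a nested vulnerable
// turbopack binding, and an unrelated package.
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/react-server-dom-parcel': { version: '19.1.2' },
    'node_modules/next': { version: '16.0.6' },
    'node_modules/next/node_modules/react-server-dom-turbopack': { version: '19.1.1' },
    'node_modules/lodash': { version: '4.17.21' },
  },
};

// Real use: auditLockfile(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))
console.log(auditLockfile(SAMPLE_LOCK));
```

Run it against each deployable repository rather than only the top-level application: the nested entry in the sample shows why the scan keys on the last path segment, since a vulnerable binding can be pulled in transitively, and the separate `next` check is what catches the copy Next.js compiles into its own package.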

Major cloud providers moved quickly to protect their customers. AWS deployed multiple layers of protection including their Sonaris threat intelligence system, which automatically detected and restricted malicious scanning attempts, and updated AWS WAF managed rules (version 1.24 or higher) with protections against CVE-2025-55182. Cloudflare deployed Web Application Firewall rules to protect customers, though the urgency of the deployment briefly caused a service outage on December 6 as the company rushed mitigations into production.

Notably, some hosting platforms had protections in place before the vulnerability was publicly disclosed. Vercel and Netlify, two popular platforms for hosting Next.js applications, shipped mitigations ahead of the announcement, covering a significant portion of the Next.js ecosystem. These pre-disclosure protections were applied at the runtime level rather than only as WAF rules, so many customers running vulnerable versions were shielded before they patched. Platform mitigations are a stopgap, not a fix: an application on a vulnerable version remains exploitable through any path that bypasses the platform layer, so the upgrade is still required.

The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2025-55182 to its Known Exploited Vulnerabilities catalog on December 6, mandating that federal agencies patch affected systems according to their remediation timelines. Multiple security vendors including Rapid7, Tenable, Datadog, and others released detection capabilities and indicators of compromise to help organizations identify vulnerable systems and detect exploitation attempts.

The Attribution Challenge

While Amazon, Palo Alto Networks, and other security firms have linked exploitation activity to known Chinese threat groups, definitive attribution remains difficult. China operates large-scale anonymization infrastructure that multiple state-backed actors share, which makes it hard to tie specific attacks to individual groups with high confidence. Most of the autonomous system numbers associated with the unattributed activity are linked to Chinese infrastructure, which indicates where the traffic was routed through but not, on its own, who was behind it; precise actor identification remains elusive.

This shared infrastructure is a hallmark of Chinese cyber operations and serves multiple strategic purposes. It provides operational security for individual threat groups, complicates Western intelligence attribution efforts, and creates plausible deniability for state sponsors. The infrastructure enables multiple threat groups to conduct reconnaissance, exploitation, and command-and-control activities while obscuring individual attribution and making it harder for defenders to understand specific threat actor capabilities and priorities.

Broader Implications

React2Shell represents more than just another vulnerability—it’s a case study in how quickly the threat landscape has evolved. The compression of the vulnerability window from days to hours reflects several converging trends. Nation-state actors maintain sophisticated vulnerability monitoring and weaponization capabilities, public proof-of-concept code accelerates the exploitation timeline, and artificial intelligence tools are increasingly capable of parsing vulnerability disclosures and generating exploit code.

Some security experts predict that AI will shrink the window between disclosure and weaponization further, from hours to minutes. As one researcher noted, “With AI tools increasingly capable of parsing vulnerability disclosures and generating exploit code, expect the window between disclosure and weaponization to shrink from hours to minutes.” That leaves many organizations in an untenable position: even highly responsive security teams cannot patch faster than AI-assisted adversaries can weaponize a disclosure, which shifts more of the burden onto compensating controls and pre-positioned mitigations rather than patch speed alone.

The React2Shell incident also highlights the security challenges inherent in the modern JavaScript ecosystem. The blurring line between front-end and back-end development, the deep dependency trees characteristic of npm-based applications, and the rapid adoption of new patterns like Server Components all create attack surface that may not be well understood even by the developers using these technologies. React Server Components were introduced to improve performance and user experience, but they also turn client-supplied Flight payloads into server-side object graphs, and this flaw shows that the trust placed in that input was not sufficiently constrained in the initial implementation.

Lessons for Organizations

The React2Shell crisis offers several critical lessons for technology organizations. First, the days of leisurely patch cycles are over for critical vulnerabilities in widely-used technologies. When a CVSS 10.0 vulnerability in something as ubiquitous as React becomes public, organizations have hours—not days or weeks—to respond before active exploitation begins. This requires pre-established emergency patching procedures that can be activated immediately when critical vulnerabilities are disclosed.

Second, dependency visibility is essential. Many organizations discovered they had React Server Components deployed in applications they weren’t actively monitoring or maintaining. Shadow IT, forgotten projects, and legacy applications all represent potential exposure. Maintaining comprehensive software bills of materials and having the ability to rapidly query which applications use specific dependencies is no longer optional—it’s a critical security capability.

Third, defense in depth remains essential. While patching is the ultimate solution, complementary controls including Web Application Firewalls, runtime application self-protection, network segmentation, and monitoring can provide crucial additional layers of defense. Several organizations were protected by hosting platform mitigations even before they could apply patches to their applications.

Fourth, the sophistication of nation-state adversaries requires corresponding sophistication in defense. The rapid weaponization of React2Shell by multiple Chinese APT groups, the systematic troubleshooting of exploitation techniques, and the multi-CVE campaigns all demonstrate adversaries with substantial resources, expertise, and determination. Organizations cannot rely on security through obscurity or hope that attackers won’t find them—they must assume that advanced adversaries are actively scanning for and exploiting vulnerabilities across their entire attack surface.

The Path Forward

As of this writing, exploitation continues but the initial crisis has stabilized. Most major hosting platforms have implemented protections, patches are widely available, and security teams have had time to identify and remediate vulnerable systems. However, the long tail of exploitation will likely continue for months or even years as attackers find applications that were never patched, systems that aren’t actively maintained, and organizations that weren’t aware of their exposure.

The React team and Meta deserve credit for their coordinated disclosure and rapid response, but questions remain about how such a critical vulnerability existed in production code. The security research community has called for more thorough security review of React and similar foundational libraries, particularly around new features like Server Components that expand attack surface in non-obvious ways.

For the broader industry, React2Shell serves as a reminder that the security of modern applications rests on a complex foundation of open-source components, each potentially harboring critical vulnerabilities. The balance between innovation velocity and security rigor remains difficult to strike, particularly in ecosystems like JavaScript where rapid iteration and frequent updates are cultural norms.

The name “React2Shell,” deliberately echoing the devastating Log4Shell vulnerability from 2021, is apt. Both vulnerabilities affected ubiquitous libraries (Log4j in the Java world, React in JavaScript), both carried maximum severity scores, and both were rapidly exploited by sophisticated adversaries. The parallel suggests that we haven’t yet solved the fundamental challenges of securing widely deployed software libraries, and that critical vulnerabilities in foundational technologies will continue to create crisis-level events requiring emergency responses from the entire technology industry.

For organizations running React or Next.js applications, the message is clear: patch immediately if you haven’t already, assume that vulnerable systems have been scanned and potentially compromised, and implement monitoring to detect potential exploitation. For the industry as a whole, React2Shell is another data point in the ongoing evolution of offensive cyber capabilities, where the advantage continues to shift toward sophisticated attackers who can weaponize vulnerabilities faster than defenders can respond.


References:

React Team: Critical Security Vulnerability in React Server Components

Wiz Security: React2Shell (CVE-2025-55182): Critical React Vulnerability

Amazon Web Services: China-nexus cyber threat groups rapidly exploit React2Shell vulnerability (CVE-2025-55182)

Rapid7: React2Shell, Critical unauthenticated RCE affecting React Server Components (CVE-2025-55182)

BleepingComputer: React2Shell flaw exploited to breach 30 orgs, 77k IP addresses vulnerable

Tenable: CVE-2025-55182: Frequently Asked Questions About React2Shell

Datadog Security Labs: CVE-2025-55182 (React2Shell): Remote code execution in React Server Components and Next.js

The Record: Chinese hackers exploiting React2Shell bug impacting countless websites, Amazon researchers say

Dark Reading: React2Shell Vulnerability Under Attack From China-Nexus Groups

Lachlan Davidson: React2Shell Official Site