
A newly identified vulnerability dubbed React2Shell, which was only made public on Thursday, is already being exploited by Chinese hackers intent on capitalizing on the cloud-side flaw as quickly as possible.
The critical vulnerability, also tracked as CVE-2025-55182, was first reported to React maintainer Meta on November 29th by researcher Lachlan Davidson and was patched on December 3rd, the same day it was made public.
As previously reported, the bug enables external attackers to run privileged, arbitrary code on servers without any authorization.
Within hours of the public disclosure of React2Shell, AWS security teams say that they have observed active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda.
What is React2Shell?
According to Davidson, who set up a dedicated site to deal with the issue, the vulnerability affects the server side of React, a popular open-source library for building modern web applications. On December 5th, the researcher shared his PoCs relating to CVE-2025-55182 so that the community could learn from the flaw.
Data from cloud security firm Wiz shows that almost 40% of cloud environments contain instances of React or Next.js that may be vulnerable to this newly identified CVE.
The fact that React2Shell has been given the maximum Common Vulnerability Scoring System (CVSS) score of 10 highlights the critical nature of the issue.
Upon learning about the vulnerability, Next.js creator Vercel informed AWS, Microsoft, Cloudflare, and others to enable coordinated patching and protection deployment prior to the public disclosure of the vulnerability.
On X, Vercel’s CEO later praised the united response across the cloud ecosystem.
“Desperate” threat actors jump on PoC exploits
However, threat actors began attempting to exploit the flaw within hours of the public disclosure.
Because Chinese threat groups share anonymization infrastructure, AWS says it’s hard to make a definitive attribution, but it believes those involved include Earth Lamia, a China-nexus cyber threat actor known for exploiting web application vulnerabilities, and Jackpot Panda, which targets online gambling operations in Southeast Asia.
“Threat actors are using both automated scanning tools and individual PoC exploits,” AWS added.
AWS confirmed that some threat actors are attempting to use fake PoCs, which don’t work in real-world scenarios, indicating that they are desperately trying to exploit the vulnerability as quickly as possible (this was reported before Davidson released his own PoCs).
What concerned AWS was the way the threat actors systematically troubleshot their exploitation attempts to get them to work.
“This behavior demonstrates that threat actors aren’t just running automated scans, but are actively debugging and refining their exploitation techniques against live targets,” AWS said.
Companies that use React 19.0, 19.1.0, 19.1.1, and 19.2.0 are advised to update to the latest remediated version on an urgent basis. Downstream frameworks that depend on React are also affected, including (but not limited to) Next.js, Waku and React Router.
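To find where those versions are actually installed, the following added example (not code from the article, AWS or the React project) walks an npm lockfile and flags every copy of React at one of the versions listed above, including copies nested under other packages. It assumes "19.0" means 19.0.0 and that the server-side packages are published as react-server-dom-* with matching version numbers; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example, not code from the article or the React project.
// Version list is from the article ("19.0" is read as 19.0.0, an assumption).
const AFFECTED_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
// Downstream frameworks the article names; their fixed versions are not on the page.
const DOWNSTREAM = new Set(["next", "waku", "react-router"]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; root entry "" -> null
function packageNameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? null : path.slice(idx + marker.length);
}

// Assumption: besides "react", the server-side packages are published as
// react-server-dom-* with the same version numbers.
function isReactServerPackage(name) {
  return name === "react" || name.startsWith("react-server-dom-");
}

// Walks the "packages" map of an npm lockfile (lockfileVersion 2 or 3),
// so copies nested under other packages are checked as well.
function auditLockfile(lockJson) {
  const lock = typeof lockJson === "string" ? JSON.parse(lockJson) : lockJson;
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(path);
    if (!name || !meta || !meta.version) continue;
    if (isReactServerPackage(name) && AFFECTED_VERSIONS.has(meta.version)) {
      findings.push({ path, name, version: meta.version, action: "update-now" });
    } else if (DOWNSTREAM.has(name)) {
      findings.push({ path, name, version: meta.version, action: "check-vendor-advisory" });
    }
  }
  return findings;
}

// Constructed sample lockfile (not real project data).
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "18.3.1" },
    "node_modules/next": { version: "0.0.0-constructed" },
    "node_modules/next/node_modules/react": { version: "19.1.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
  },
});

console.log(auditLockfile(SAMPLE_LOCK));
```

Downstream frameworks are reported for manual review rather than matched by version, because the article does not give their remediated releases.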