China-Linked Attacks Actively Exploit Critical React2Shell Vulnerability


Threat actors associated with China began aggressively exploiting a critical vulnerability known as React2Shell (CVE-2025-55182) shortly after its public disclosure. The flaw lies in the React Server Components (RSC) ‘Flight’ protocol and therefore affects both React and Next.js; by exploiting it, attackers can execute JavaScript code on the server without any authentication.

Critical Vulnerability Details

React2Shell is categorized as an insecure deserialization vulnerability: the server deserializes attacker-controlled object data that it should not trust. Next.js has a related identifier (CVE-2025-66478), which the National Vulnerability Database deemed a duplicate of CVE-2025-55182.

  • Vulnerability Type: Insecure Deserialization
  • Impact: JavaScript code execution on the server
  • Authentication Requirement: None

Scope and Impact

The vulnerability spans numerous versions of the affected libraries, potentially impacting thousands of projects. According to research by Wiz, 39% of the cloud environments it monitors are vulnerable to React2Shell attacks, which makes exploitation of this vulnerability especially concerning.

Immediate Exploitation Post-Disclosure

On December 3, 2025, just hours after the React2Shell vulnerability was disclosed, Amazon Web Services (AWS) reported active exploitation attempts. Threat groups labeled Earth Lamia and Jackpot Panda, both linked to Chinese state activity, began their attempts almost immediately. AWS documented these activities through its honeypots, which also detected additional, unattributed exploitation attempts originating from China-based systems.

Identified Threat Groups

  • Earth Lamia: Focuses on exploiting web application vulnerabilities, targeting sectors like financial services, logistics, and education, primarily in Latin America, the Middle East, and Southeast Asia.
  • Jackpot Panda: Aims at intelligence collection related to corruption and domestic security, mainly focusing on East and Southeast Asia.

Exploitation Techniques Observed

Researchers have noted various techniques employed by the attackers, including a mix of working public exploits and manual testing with real-time adjustments. Observed activities include:

  • Executing Linux commands (e.g., whoami, id)
  • Creating files (e.g., /tmp/pwned.txt)
  • Reading system files (e.g., /etc/passwd)

This behavior suggests that these actors are not merely performing automated scans but are actively refining their exploitation methods in real time against live environments.
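The post-exploitation commands listed above leave a recognisable trace: a JavaScript server process spawning a shell that runs reconnaissance commands, reads /etc/passwd, or drops a file under /tmp. The following detection logic is an added example, not code from the article or from any vendor; it runs over a constructed, simplified JSON-lines process-event log (the field names `parent_comm`, `comm`, `cmdline` and the set of Node.js parent process names are assumptions, not a real EDR schema) and flags exactly the behaviours the article reports.

```python
"""Detect React2Shell-style post-exploitation from process-execution events.

Added example: scans process events for a Node.js server (the parent process of
a React/Next.js app) spawning shells that run the commands reported in the
article (whoami, id, reading /etc/passwd, creating files under /tmp).
The JSON-lines event layout below is constructed for this example and is not
any vendor's native schema.
"""
import json
import re
import shlex
from dataclasses import dataclass

# Process names a React/Next.js server typically runs under (assumption).
NODE_PARENTS = {"node", "next-server", "node.exe", "npm", "npx"}

# Indicators derived from the activity described in the article.
INDICATORS = [
    ("recon-command", re.compile(r"^(whoami|id|uname)\b")),
    ("read-passwd", re.compile(r"/etc/(passwd|shadow)\b")),
    ("tmp-file-drop", re.compile(r"\b(touch|tee|echo|printf)\b.*\s/tmp/")),
]


@dataclass
class Alert:
    ts: str
    host: str
    rule: str
    cmdline: str


def _inner_command(cmdline: str) -> str:
    """Unwrap `sh -c '<cmd>'` so the indicator regexes see the real command."""
    try:
        parts = shlex.split(cmdline)
    except ValueError:
        return cmdline
    shell = parts[0].rsplit("/", 1)[-1] if parts else ""
    if len(parts) >= 3 and shell in {"sh", "bash", "dash"} and parts[1] == "-c":
        return parts[2]
    return cmdline


def scan_events(lines):
    """Return one Alert per event that matches an indicator (first match wins)."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line; a production collector would count these
        if ev.get("parent_comm") not in NODE_PARENTS:
            continue  # only shells spawned by the JS runtime are of interest here
        cmd = _inner_command(ev.get("cmdline", ""))
        for rule, pattern in INDICATORS:
            if pattern.search(cmd):
                alerts.append(Alert(ev.get("ts", ""), ev.get("host", ""), rule, cmd))
                break
    return alerts


# Constructed sample log: four events mirroring the article's observations,
# one benign build step, and one unrelated interactive command.
SAMPLE_EVENTS = """
{"ts":"2025-12-03T14:02:11Z","host":"web-01","parent_comm":"next-server","comm":"sh","cmdline":"sh -c whoami"}
{"ts":"2025-12-03T14:02:12Z","host":"web-01","parent_comm":"next-server","comm":"sh","cmdline":"sh -c id"}
{"ts":"2025-12-03T14:02:15Z","host":"web-01","parent_comm":"node","comm":"sh","cmdline":"sh -c 'cat /etc/passwd'"}
{"ts":"2025-12-03T14:02:20Z","host":"web-01","parent_comm":"node","comm":"sh","cmdline":"sh -c 'touch /tmp/pwned.txt'"}
{"ts":"2025-12-03T14:05:00Z","host":"web-01","parent_comm":"node","comm":"node","cmdline":"node scripts/build.js"}
{"ts":"2025-12-03T14:06:00Z","host":"web-01","parent_comm":"bash","comm":"whoami","cmdline":"whoami"}
"""

if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS.splitlines()):
        print(f"{a.ts} {a.host} [{a.rule}] {a.cmdline}")
```

The parent-process filter is what keeps the rule quiet: `whoami` typed by an administrator in an interactive shell is not flagged, while the same command launched by `next-server` or `node` is, because a web application has no legitimate reason to run it. In a real deployment the indicator list would be tuned to the application's known child processes (build tooling, image converters) to suppress benign spawns.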

Available Tools for Detection

To help organizations assess their exposure, Assetnote, an attack surface management vendor, has published a React2Shell scanner on GitHub. The tool can assist organizations in determining whether their environments are vulnerable to the React2Shell exploit.
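A scanner tells you which exposed hosts respond as vulnerable; a complementary step is to inventory which projects in your source tree ship the affected packages at all. The script below is an added example (it is not Assetnote's scanner and not code from the article): it walks a directory for npm `package-lock.json` files, extracts the installed versions of the React Server Components packages and of `next`, and compares each against a caller-supplied minimum fixed version. The `PATCHED_MIN` table is deliberately left empty as a placeholder to be filled from the official advisory; the thresholds used in the sample run are hypothetical and do not state which versions are actually affected.

```python
"""Inventory React / Next.js versions from npm lockfiles.

Added example: finds every package-lock.json under a root directory, collects
the versions of the packages involved in React Server Components, and reports
whether each is below a caller-supplied fixed version. The fixed versions are
NOT known to this script; PATCHED_MIN is a placeholder to be filled from the
vendor advisory.
"""
import json
import os
import re

# Packages worth inventorying for React2Shell (react-server-dom-* implement
# the RSC Flight protocol; next bundles them).
WATCH = ("react", "react-dom", "react-server-dom-webpack",
         "react-server-dom-turbopack", "next")

# Placeholder: {"react": "<fixed version from advisory>", ...}
PATCHED_MIN = {}


def _semver_key(version):
    """Sortable key for a semver string; None if it is not plain semver.
    A prerelease sorts before the release it precedes (string comparison of
    the prerelease tag is an approximation of full semver ordering)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?", version)
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    pre = m.group(4)
    return (major, minor, patch, 0 if pre else 1, pre or "")


def packages_from_lock(text):
    """Return {package_name: {versions}} for watched packages in one lockfile."""
    lock = json.loads(text)
    found = {}

    def record(name, meta):
        if name in WATCH and isinstance(meta, dict) and "version" in meta:
            found.setdefault(name, set()).add(meta["version"])

    if "packages" in lock:  # lockfileVersion 2 / 3: flat map keyed by path
        for path, meta in lock["packages"].items():
            if not path:
                continue  # "" is the root project entry, not a dependency
            record(path.rsplit("node_modules/", 1)[-1], meta)
    else:  # lockfileVersion 1: nested "dependencies" trees
        def walk(deps):
            for name, meta in deps.items():
                record(name, meta)
                walk(meta.get("dependencies", {}))
        walk(lock.get("dependencies", {}))
    return found


def assess(found, patched_min):
    """Return [(name, version, status)] comparing each version to its floor."""
    findings = []
    for name, versions in sorted(found.items()):
        floor = patched_min.get(name)
        for v in sorted(versions, key=lambda s: _semver_key(s) or (0, 0, 0, 0, s)):
            if floor is None or _semver_key(v) is None or _semver_key(floor) is None:
                status = "unknown"  # no floor supplied, or non-semver version
            elif _semver_key(v) < _semver_key(floor):
                status = "below-fixed-version"
            else:
                status = "fixed-or-later"
            findings.append((name, v, status))
    return findings


def scan_tree(root, patched_min):
    """Map each package-lock.json path under root to its findings."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]
        if "package-lock.json" in filenames:
            path = os.path.join(dirpath, "package-lock.json")
            with open(path, encoding="utf-8") as fh:
                results[path] = assess(packages_from_lock(fh.read()), patched_min)
    return results


# Constructed lockfile with a nested duplicate of react under another package.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/next": {"version": "15.0.0"},
        "node_modules/react": {"version": "19.0.0"},
        "node_modules/react-dom": {"version": "19.0.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.0.0"},
        "node_modules/some-tool/node_modules/react": {"version": "18.3.1"},
    },
})

if __name__ == "__main__":
    # Hypothetical thresholds for the demo only; take real ones from the advisory.
    demo_floor = {"react": "19.0.1", "next": "15.0.0"}
    for name, version, status in assess(packages_from_lock(SAMPLE_LOCK), demo_floor):
        print(f"{name:28} {version:10} {status}")
```

Nested copies matter: a lockfile can pin a patched `react` at the top level while an older one is installed under another dependency's `node_modules`, which is why the path is split on the last `node_modules/` rather than read from the top level only. Run `scan_tree("/path/to/repos", PATCHED_MIN)` once the placeholder is filled.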

With the surge in exploitation of the React2Shell vulnerability, organizations need to act swiftly to secure their applications and prevent potential breaches. Continuous monitoring and timely application of security patches are essential in this evolving threat landscape.