惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

SecWiki News
SecWiki News
量子位
The Cloudflare Blog
美团技术团队
T
The Exploit Database - CXSecurity.com
博客园 - 【当耐特】
Spread Privacy
Spread Privacy
P
Proofpoint News Feed
C
CXSECURITY Database RSS Feed - CXSecurity.com
博客园 - 三生石上(FineUI控件)
T
Tor Project blog
博客园 - 司徒正美
宝玉的分享
宝玉的分享
T
Threatpost
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
S
Secure Thoughts
T
Threat Research - Cisco Blogs
Hacker News: Ask HN
Hacker News: Ask HN
Jina AI
Jina AI
博客园 - 聂微东
A
Arctic Wolf
I
Intezer
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Know Your Adversary
Know Your Adversary
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
爱范儿
爱范儿
Hugging Face - Blog
Hugging Face - Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
小众软件
小众软件
T
Tailwind CSS Blog
The Hacker News
The Hacker News
L
LINUX DO - 最新话题
Hacker News - Newest:
Hacker News - Newest: "LLM"
WordPress大学
WordPress大学
S
SegmentFault 最新的问题
TaoSecurity Blog
TaoSecurity Blog
Project Zero
Project Zero
博客园 - 叶小钗
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Cloudbric
Cloudbric
雷峰网
雷峰网
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
大猫的无限游戏
大猫的无限游戏
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
Troy Hunt's Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
V2EX - 技术
V2EX - 技术
The GitHub Blog
The GitHub Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
P
Privacy & Cybersecurity Law Blog

Recorded Future

The Threat Isn’t the Frontier Model Iran-Nexus TAG-182 Disseminates MarkiRAT Surveillance Tool Where Expertise Meets Algorithm: The Insikt Group® Intelligence Edge Evaluating Mexico’s New Cybersecurity Plan The Purchase Scam Tactic Headed for the World Cup | Recorded Future FortiBleed Campaign Exposing Credentials for 73,932 FortiGate Systems The Klue Security Incident and Its Impact on Recorded Future State Digital Surveillance Risk Landscape The Intelligence No One Else Has: Inside Recorded Future’s Proprietary Collection Engine The Intelligence No One Else Has: Inside Recorded Future’s Proprietary Collection Engine Cyber-Enabled Maritime Sanctions Evasion Recorded Future Launches Impact and Metrics Dashboard 2026 FIFA World Cup: What Public Safety Officials Need to Know China's Noncombatant Evacuation Operations: 2005–2025 Russia’s Defense-Based Economy Risks Forcing Putin to Fight Wars May 2026 CVE Landscape Why Holistic Sourcing Wins: The Numbers Behind the Recorded Future Advantage Threats to the 2026 FIFA World Cup Remembering Sir Alex Younger Iran Expands Handala Brand to Physical Threats The Vulnerability Flood Is Now a Board Conversation. Here's How to Lead It. At Mythos Speed: A Defender's Playbook for the AI Vulnerability Surge in 2026 April 2026 CVE Landscape Beyond Acceleration and Automation: How AI + Intelligence Changes Cyber Defense NIST NVD Enrichment Policy Change: Prioritizing Vulnerabilities with Attacker Behavior Signals A Complete History of Cybersecurity: From Early Viruses to AI-Powered Threats The Different Types of Payment Fraud and How to Prevent Them Digital Citizenship Glossary: Key Terms Every Internet User Should Know Quantum Risk Explained Threat Activity Enablers: The Backbone of Today’s Threat Landscape Recorded Future Named a Leader in the 2026 Gartner® Magic Quadrant™ for Cyberthreat Intelligence Technologies. And there’s more. Hacking Embodied AI Working in London at the World’s Largest Intelligence Company Risk Scenarios for the US’s Strategic Pivot Building with AI: Here's What No Briefing Will Tell You Lazarus Doesn't Need AGI The Money Mule Solution: What Every Scam Has in Common From Overwhelmed to Autonomous: Rethinking Threat Intelligence in 2026 Critical minerals and cyber operations Today, trust is the superpower that makes innovation possible AI Hype vs. Reality: Is AI Really Rewriting the Vulnerability Equation? Evolution of Chinese-Language Guarantee Telegram Marketplaces Emerging Enterprise Security Risks of AI From Bazooka to Fake Nikes Your Supply Chain Breach Is Someone Else's Payday 4 Essential Integration Workflows for Operationalizing Threat Intelligence Recorded Future Iran War: Future Scenario and Business Implications A New Way to Buy Recorded Future: Solutions and Packages Built for the 2026 Threat Landscape March 2026 CVE Landscape: 31 High-Impact Vulnerabilities Identified, Interlock Ransomware Group Exploits Cisco FMC Zero-Day VIP Credential Monitoring Blog Third-Party Risk Is an Intelligence Operation. It's Time We Treated It Like One. Understanding and Anticipating Venezuelan Government Actions The Iran War: What You Need to Know Day in the Life: Product Manager at Recorded Future Panorama del cibercrimen en América Latina y el Caribe Latin America and the Caribbean Cybercrime Landscape Panorama do cibercrime na América Latina e Caribe Industrialization of the Fraud Ecosystem Blog The Shift: An Era of Quantum Geopolitics ClickFix Campaigns Targeting Windows and macOS 2025 Year in Review: Malicious, Infrastructure 2025 Identity Threat Landscape Report: Inside the Infostealer Economy: Credential Threats in 2025 February 2026 CVE Landscape: 13 Critical Vulnerabilities Mark 43% Drop from January Latin America's Cybersecurity Turning Point: From Reactive Defense to Threat Intelligence Recorded Future Expands Coverage of Scams and Financial Fraud with Money Mule Intelligence from CYBERA January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day Preparing for Russia’s New Generation Warfare in Europe 2025 Cloud Threat Hunting and Defense Landscape GrayCharlie Hijacks Law Firm Sites in Suspected Supply-Chain Attack Network Intelligence: Your Questions, Global Answers Fragmentation Defined 2025's Threat Landscape. Here's What It Means for 2026 State of Security Report | Recorded Future From 27 Steps to 5: How Recorded Future Reimagined Threat Hunting with Autonomous Threat Operations Rublevka Team: Anatomy of a Russian Crypto Drainer Operation Autonomous Threat Operations in action: Real results from Recorded Future’s own SOC team | Recorded Future PurpleBravo’s Targeting of the IT Software Supply Chain Threat and Vulnerability Management in 2026 Best Ransomware Detection Tools December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity Practitioners Reveal What Makes Threat Intelligence Programs Mature GRU-Linked BlueDelta Evolves Credential Harvesting New ransomware tactics to watch out for in 2026 Digital Threat Detection Tools & Best Practices BlueDelta’s Persistent Campaign Against UKR.NET The $0 Transaction That Signaled a Nation-State Cyberattack China’s Zero-Day Pipeline: From Discovery to Deployment Cyber on the Geopolitical, Battlefield: Beyond the, “Big Fourˮ What’s Next for Enterprise Threat Intelligence in 2026 Palestine Action: Operations and Global Network Implications of Russia-India-China Trilateral Cooperation GrayBravo’s CastleLoader Activity Clusters Target Multiple Industries November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October 5 Real-Word Third-Party Risk Examples When the Digital World Turns Physical: The Expanding Role of Threat Intelligence in Executive Protection The Bug That Won't Die: 10 Years of the Same Mistake The Hidden Cascade: Why Law Firm Breaches Destroy More than Data Intellexa’s Global Corporate Web The Maturity Gap: The Next Frontier in Threat Intelligence Inside the CopyCop Playbook: How to Fight Back in the Age of Synthetic Media AI Malware: Hype vs. Reality
Critical React2Shell Vulnerability Under Active Exploitation by Chinese Threat Actors
2025-12-08 · via Recorded Future

Last updated on 9 December.

A critical vulnerability in React Server Components is allegedly being actively exploited by multiple Chinese threat actors, Recorded Future recommends organizations patch their systems immediately.

What's Happening

CVE-2025-55182, dubbed "React2Shell," affects React Server Components versions 19.0, 19.1.0, 19.1.1, and 19.2.0 in several Meta packages. Amazon's AWS Threat Intelligence team reported on December 4 that Chinese threat groups including Earth Lamia, Jackpot Panda, and several untracked clusters are actively exploiting this vulnerability. However, AWS has not provided any further evidence for these attributions beyond IP addresses allegedly used by these threat groups. At this stage, Insikt Group cannot exclude the possibility that the same threat group might still be using the IP address 206[.]237[.]3[.]150, but we are currently unable to verify AWS’s attribution to Earth Lamia.

The vulnerability stems from unsafe payload deserialization at React Server Function endpoints. When successfully exploited, attackers can execute arbitrary code through crafted HTTP requests, potentially leading to complete backend compromise.

CVE-2025-55182 (React2Shell) Intelligence Card®

The Scale of the Problem

According to Wiz Security's analysis, approximately 39% of scanned cloud environments contain vulnerable React instances. More concerning, their research shows that exploitation attempts have a near 100% success rate.

Beyond React Server Components, the vulnerability affects popular frameworks and libraries that bundle react-server, including:

  • Next.js
  • React Router
  • Waku
  • Redwood SDK
  • RSC plugins for Parcel and Vite

Timeline of Events

The situation unfolded rapidly:

  • December 3, 2025: React Team disclosed the vulnerability and released patches
  • December 3, 2025: Recorded Future authored a signature to detect CVE-2025-55182 via attack surface scans
  • December 3, 10 PM UTC: Datadog researchers identified 80 threat actor-linked IP addresses scanning for the vulnerability
  • December 4, 2025: Amazon reported active exploitation by Chinese threat groups

Who's Behind the Attacks

According to Recorded Future's Insikt Group, IP address 143[.]198[.]92[.]82 is highly likely an exit node for the Chinese relay network HiddenOrbit (RedRelay). HiddenOrbit is a relay network used by multiple Chinese state-sponsored threat activity groups to obfuscate malicious activity and hinder attribution and tracking efforts.

Proof-of-Concept Exploits Available

Multiple proof-of-concept (PoC) exploits have been published demonstrating how to exploit CVE-2025-55182. The most credible comes from researcher Lachlan Davidson, who initially discovered and disclosed the vulnerability.

Davidson's PoC works by:

  1. Crafting an HTTP POST request with a JSON payload embedded as "multipart/form-data"
  2. Mimicking Server Action calls with specific headers
  3. Sending the request to Next.js or Waku RSC endpoints
  4. Triggering automatic deserialization that executes the malicious payload

While numerous additional PoCs have emerged since disclosure, both Davidson and AWS Security caution that many are of questionable quality and rely on unrealistic victim configurations in most React-based environments.

What You Need to Do Now

Organizations using React must act immediately:

1. Identify Vulnerable Assets

Determine whether your publicly accessible React-based applications are vulnerable using Assetnote's react2shell-scanner. You can also check locally by running:

npm run audit

If vulnerable, you should see a critical severity warning about Next.js RCE vulnerability.

Get the Insikt Group® Nuclei template. Download our YAML file. The template safely checks if an RSC/Next.js application is vulnerable to CVE-2025-55182 by sending a crafted Server Actions-style POST request that mimics an RSC multipart form upload. It generates random request IDs, sets RSC/Next.js-specific headers, and sends a minimal payload designed to hit the deserialization path without executing arbitrary code.

2. Apply Patches Immediately

The React Team released patches for all affected versions:

  • Version 19.0.1 (for 19.0)
  • Version 19.1.2 (for 19.1.0 and 19.1.1)
  • Version 19.2.1 (for 19.2.0)

Both React and Next.js have published detailed mitigation guidelines.

3. Block Malicious IP Addresses

Consider blocklisting the IP addresses identified in exploitation attempts:

  • 143[.]198[.]92[.]82 (HiddenOrbit node), Insikt Group confirmed attribution to this China anonymization network
  • 206[.]237[.]3[.]150 (suspected Earth Lamia but unconfirmed)
  • 45[.]77[.]33[.]136 (suspected Jackpot Panda)
  • 183[.]6[.]80[.]214 (unattributed)

Why This Matters

The combination of factors makes this vulnerability particularly dangerous:

  • Likely exploitation by state-sponsored threat groups
  • High success rate (near 100%)
  • Widespread vulnerable deployments (39% of scanned environments)
  • Multiple publicly available PoC exploits
  • Recent disclosure means many systems remain unpatched

Recorded Future Recommendations

Developers implementing React in their tech stacks are strongly advised to determine whether publicly accessible assets using React frameworks are currently vulnerable to CVE-2025-55182. The best way to currently scan for vulnerable assets is by using Assetnote’s react2shell-scanner; however, the tool is associated with false positives, so patching is necessary in instances where vulnerability is disputed. DataDog Security Labs also notes that the vulnerability can be identified locally by running the command “npm run audit,” which should respond with the following message if your current local version of React is vulnerable:

$ npm audit report

next  16.0.0-canary.0 - 16.0.6
Severity: critical
Next.js is vulnerable to RCE in React flight protocol - https://github.com/advisories/GHSA-9qr9-h5gf-34mp

Due to the responsible disclosure of CVE-2025-55182, a patch for all affected versions of React is available. Both React and Next.js have published mitigation guidelines to follow, which can be found here:

Given the severity and active exploitation, patching vulnerable React deployments should be treated as an urgent priority. The window between vulnerability disclosure and widespread exploitation continues to shrink, and threat actors are moving quickly to capitalize on unpatched systems.

Additionally, customers should consider deny-listing the IP addresses disclosed by AWS as involved in React2Shell exploitation.

Learn how to stay ahead of emerging threats. Understand all of the critical vulnerabilities that may be affecting your organization. Speak to our threat intelligence experts today.