























Last updated on 9 December.
A critical vulnerability in React Server Components is allegedly being actively exploited by multiple Chinese threat actors, Recorded Future recommends organizations patch their systems immediately.
CVE-2025-55182, dubbed "React2Shell," affects React Server Components versions 19.0, 19.1.0, 19.1.1, and 19.2.0 in several Meta packages. Amazon's AWS Threat Intelligence team reported on December 4 that Chinese threat groups including Earth Lamia, Jackpot Panda, and several untracked clusters are actively exploiting this vulnerability. However, AWS has not provided any further evidence for these attributions beyond IP addresses allegedly used by these threat groups. At this stage, Insikt Group cannot exclude the possibility that the same threat group might still be using the IP address 206[.]237[.]3[.]150, but we are currently unable to verify AWS’s attribution to Earth Lamia.
The vulnerability stems from unsafe payload deserialization at React Server Function endpoints. When successfully exploited, attackers can execute arbitrary code through crafted HTTP requests, potentially leading to complete backend compromise.
CVE-2025-55182 (React2Shell) Intelligence Card®
According to Wiz Security's analysis, approximately 39% of scanned cloud environments contain vulnerable React instances. More concerning, their research shows that exploitation attempts have a near 100% success rate.
Beyond React Server Components, the vulnerability affects popular frameworks and libraries that bundle react-server, including:
The situation unfolded rapidly:
According to Recorded Future's Insikt Group, IP address 143[.]198[.]92[.]82 is highly likely an exit node for the Chinese relay network HiddenOrbit (RedRelay). HiddenOrbit is a relay network used by multiple Chinese state-sponsored threat activity groups to obfuscate malicious activity and hinder attribution and tracking efforts.
Multiple proof-of-concept (PoC) exploits have been published demonstrating how to exploit CVE-2025-55182. The most credible comes from researcher Lachlan Davidson, who initially discovered and disclosed the vulnerability.
Davidson's PoC works by:
While numerous additional PoCs have emerged since disclosure, both Davidson and AWS Security caution that many are of questionable quality and rely on unrealistic victim configurations in most React-based environments.
Organizations using React must act immediately:
Determine whether your publicly accessible React-based applications are vulnerable using Assetnote's react2shell-scanner. You can also check locally by running:
npm run audit
If vulnerable, you should see a critical severity warning about Next.js RCE vulnerability.
Get the Insikt Group® Nuclei template. Download our YAML file. The template safely checks if an RSC/Next.js application is vulnerable to CVE-2025-55182 by sending a crafted Server Actions-style POST request that mimics an RSC multipart form upload. It generates random request IDs, sets RSC/Next.js-specific headers, and sends a minimal payload designed to hit the deserialization path without executing arbitrary code.
The React Team released patches for all affected versions:
Both React and Next.js have published detailed mitigation guidelines.
Consider blocklisting the IP addresses identified in exploitation attempts:
The combination of factors makes this vulnerability particularly dangerous:
Developers implementing React in their tech stacks are strongly advised to determine whether publicly accessible assets using React frameworks are currently vulnerable to CVE-2025-55182. The best way to currently scan for vulnerable assets is by using Assetnote’s react2shell-scanner; however, the tool is associated with false positives, so patching is necessary in instances where vulnerability is disputed. DataDog Security Labs also notes that the vulnerability can be identified locally by running the command “npm run audit,” which should respond with the following message if your current local version of React is vulnerable:
$ npm audit report
next 16.0.0-canary.0 - 16.0.6
Severity: critical
Next.js is vulnerable to RCE in React flight protocol - https://github.com/advisories/GHSA-9qr9-h5gf-34mp
Due to the responsible disclosure of CVE-2025-55182, a patch for all affected versions of React is available. Both React and Next.js have published mitigation guidelines to follow, which can be found here:
Given the severity and active exploitation, patching vulnerable React deployments should be treated as an urgent priority. The window between vulnerability disclosure and widespread exploitation continues to shrink, and threat actors are moving quickly to capitalize on unpatched systems.
Additionally, customers should consider deny-listing the IP addresses disclosed by AWS as involved in React2Shell exploitation.
Learn how to stay ahead of emerging threats. Understand all of the critical vulnerabilities that may be affecting your organization. Speak to our threat intelligence experts today.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。