CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

React2Shell vulnerability exploited by China-linked threat actors

First reported
Last updated
1 unique sources, 1 articles

Summary

Hide ▲

Multiple China-linked threat actors, including Earth Lamia and Jackpot Panda, have begun exploiting the critical React2Shell vulnerability (CVE-2025-55182) in React and Next.js. This insecure deserialization flaw allows unauthenticated remote execution of JavaScript code in the server's context. The vulnerability affects multiple versions of the widely used libraries, potentially exposing thousands of dependent projects. AWS reports active exploitation attempts within hours of the public disclosure, with attackers using a mix of public exploits and manual testing to refine their techniques.

Timeline

  1. 05.12.2025 13:26 1 articles · 23h ago

    China-linked threat actors exploit React2Shell vulnerability within hours of disclosure

    Multiple China-linked threat actors, including Earth Lamia and Jackpot Panda, began exploiting the React2Shell vulnerability (CVE-2025-55182) within hours of its public disclosure on December 3, 2025. The attacks involve a mix of public exploits, manual testing, and real-time troubleshooting against targeted environments. Observed activities include repeated attempts with different payloads, Linux command execution, and attempts to create and read files.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Critical React Server Components (RSC) Bugs Enable Unauthenticated Remote Code Execution

A critical security vulnerability (CVE-2025-55182, CVSS 10.0) in React Server Components (RSC) allows unauthenticated remote code execution due to unsafe deserialization of payloads. The flaw affects multiple versions of React and Next.js, potentially impacting any application using RSC. The issue has been patched, but 39% of cloud environments remain vulnerable. Cloudflare experienced a widespread outage due to an emergency patch for this vulnerability, and multiple China-linked hacking groups have begun exploiting it. NHS England National CSOC has warned of the likelihood of continued exploitation in the wild. Major companies such as Google Cloud, AWS, and Cloudflare immediately responded to the vulnerability. The security researcher Lachlan Davidson disclosed the vulnerability on November 29, 2025, to the Meta team. The flaw has been dubbed React2Shell, a nod to the Log4Shell vulnerability discovered in 2021. The US National Vulnerability Database (NVD) rejected CVE-2025-66478 as a duplicate of CVE-2025-55182. Exploitation success rate is reported to be nearly 100% in default configurations. React servers that use React Server Function endpoints are known to be vulnerable. The Next.js web application is also vulnerable in its default configuration. At the time of writing, it is unknown if active exploitation has occurred, but there have been some reports of observed exploitation activity as of December 5, 2026. OX Security warned that the flaw is now actively exploitable on December 5, around 10am GMT. Hacker maple3142 published a working PoC, and OX Security successfully verified it. JFrog identified fake proof-of-concepts (PoC) on GitHub, warning security teams to verify sources before testing. Cloudflare started investigating issues on December 5 at 08:56 UTC, and a fix was rolled out within half an hour, but by that time outages had been reported by several major internet services, including Zoom, LinkedIn, Coinbase, DoorDash, and Canva.

Open in new tab