
Just hours after the public disclosure of CVE-2025-55182, dubbed React2Shell, multiple China-nexus threat actors began actively exploiting the critical remote code execution vulnerability affecting React Server Components and Next.js applications.
AWS confirmed that state-sponsored groups, including Earth Lamia and Jackpot Panda, are targeting internet-facing deployments, taking advantage of the flaw's unauthenticated attack vector and widespread presence in cloud environments.
Discovered by independent researcher Lachlan Davidson and reported to Meta on November 29, 2025, CVE-2025-55182 stems from unsafe deserialization logic in React's “Flight” protocol. Despite a coordinated response leading to patches released by December 1, exploitation began within hours of public disclosure on December 3. Amazon's threat intelligence teams, leveraging data from their MadPot honeypot infrastructure, have since observed a sustained wave of exploitation attempts by advanced persistent threat (APT) groups and unattributed actors operating from Chinese infrastructure.
The exploit mechanism abuses React's $@ deserialization syntax to forge internal objects, ultimately coercing the system into evaluating attacker-controlled JavaScript via the Function constructor. A verified working proof-of-concept (PoC) published by GitHub user maple3142 demonstrates full RCE on a default Next.js 16.0.6 deployment using a single crafted HTTP POST request.
AWS reports that multiple China-linked APTs have operationalized the vulnerability with impressive speed and precision. Earth Lamia, known for targeting logistics, finance, and government entities across Latin America and Southeast Asia, and Jackpot Panda, focused on East and Southeast Asian sectors, are among the actors observed.
Much of the observed activity originates from shared anonymization infrastructure, a hallmark of Chinese cyber operations that complicates attribution. The threat landscape is further cluttered by less sophisticated actors using flawed public PoCs, resulting in high volumes of noisy and often ineffective exploitation attempts.
Nonetheless, AWS has documented several actors conducting detailed reconnaissance and live debugging. One cluster, associated with IP 183[.]6.80.214, was seen making over 100 exploit attempts in under an hour, attempting file writes (/tmp/pwned.txt), reading system files (/etc/passwd), and executing commands (whoami, id), a clear indication of human-operated exploitation.
Organizations running React or Next.js outside of AWS-managed services must upgrade react-server-dom-* to the patched release of their line (19.0.1, 19.1.2, or 19.2.1) and Next.js to 16.0.7.
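As an added example, not code from the article or from the React and Next.js projects, the script below classifies the dependencies a package.json declares against the fixed versions quoted above. It assumes the three concrete react-server-dom package names are the ones the wildcard covers, and it reports release lines the article does not mention as "not-covered" rather than guessing.

```python
import json
import re

# Patched versions named in the article (CVE-2025-55182 / React2Shell):
# react-server-dom-* 19.0.1, 19.1.2 or 19.2.1 (one fix per 19.x minor line),
# Next.js 16.0.7. Any release line not listed here is reported as "not-covered".
REACT_SERVER_DOM = ("react-server-dom-webpack", "react-server-dom-parcel",
                    "react-server-dom-turbopack")  # assumed expansion of react-server-dom-*
FIXED = {
    **{pkg: {(19, 0): (19, 0, 1), (19, 1): (19, 1, 2), (19, 2): (19, 2, 1)}
       for pkg in REACT_SERVER_DOM},
    "next": {(16, 0): (16, 0, 7)},
}

_VER = re.compile(r"(\d+)\.(\d+)\.(\d+)")

def parse_version(spec):
    """Return (major, minor, patch) from an exact version or the lower bound of a
    simple '^' / '~' / '>=' range; pre-release tags are dropped. None if unparsable."""
    m = _VER.search(spec)
    return tuple(int(x) for x in m.groups()) if m else None

def assess(package, spec):
    """Classify one dependency as 'patched', 'vulnerable' or 'not-covered'."""
    lines = FIXED.get(package)
    version = parse_version(spec)
    if lines is None or version is None:
        return "not-covered"
    fixed = lines.get(version[:2])
    if fixed is None:
        return "not-covered"  # a release line the article does not address
    return "patched" if version >= fixed else "vulnerable"

def audit(package_json_text):
    """Map every relevant dependency in a package.json document to its status."""
    doc = json.loads(package_json_text)
    deps = {**doc.get("dependencies", {}), **doc.get("devDependencies", {})}
    return {name: assess(name, spec) for name, spec in deps.items() if name in FIXED}

# Constructed sample manifest, not taken from any real project.
SAMPLE = json.dumps({"dependencies": {
    "next": "16.0.6", "react": "19.2.0", "react-server-dom-webpack": "^19.1.0",
    "react-server-dom-turbopack": "19.2.1"}})

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name:28} {status}")
```

A manifest range only states what is allowed; run the same check against the lockfile or `npm ls` output, since the installed version is what is exposed.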
As fully working exploits are now public and exploitation is ongoing, this vulnerability represents a critical risk to unpatched systems. The window for safe remediation is rapidly closing, and organizations must prioritize updates and monitoring efforts to avoid compromise.