Multiple China-linked threat actors began exploiting the React2Shell vulnerability (CVE-2025-55182) affecting React and Next.js just hours after the max-severity issue was disclosed.

React2Shell is an insecure deserialization vulnerability in the React Server Components (RSC) 'Flight' protocol. Exploiting it does not require authentication and allows remote execution of JavaScript code in the server's context.

For the Next.js framework, there is the identifier CVE-2025-66478, but the tracking number was rejected in the National Vulnerability Database's CVE list as a duplicate of CVE-2025-55182.

The security issue is easy to leverage, and several proof-of-concept (PoC) exploits have already been published, increasing the risk of related threat activity.

The vulnerability spans several versions of the widely used library, potentially exposing thousands of dependent projects. Wiz researchers say that 39% of the cloud environments they can observe are susceptible to React2Shell attacks.

React and Next.js have released security updates, but the issue is trivially exploitable without authentication and in the default configuration.

React2Shell attacks underway

A report from Amazon Web Services (AWS) warns that the Earth Lamia and Jackpot Panda threat actors linked to China started to exploit React2Shell almost immediately after the public disclosure.

"Within hours of the public disclosure of CVE-2025-55182 (React2Shell) on December 3, 2025, Amazon threat intelligence teams observed active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda," reads the AWS report.

AWS's honeypots also caught activity not attributed to any known clusters, but which still originates from China-based infrastructure.

Many of the attacking clusters share the same anonymization infrastructure, which further complicates individualized tracking and specific attribution.

Regarding the two identified threat groups, Earth Lamia focuses on exploiting web application vulnerabilities.

Typical targets include entities in the financial services, logistics, retail, IT companies, universities, and government sectors across Latin America, the Middle East, and Southeast Asia.

Jackpot Panda targets are usually located in East and Southeast Asia, and its attacks are aimed at collecting intelligence on corruption and domestic security.

PoCs now available

Lachlan Davidson, the researcher who discovered and reported React2Shell, warned about fake exploits circulating online. However, exploits confirmed as valid by Rapid7 researcher Stephen Fewer and Elastic Security's Joe Desimone have appeared on GitHub.

The attacks that AWS observed leverage a mix of public exploits, including broken ones, along with iterative manual testing and real-time troubleshooting against targeted environments.

The observed activity includes repeated attempts with different payloads, Linux command execution (whoami, id), attempts to create files (/tmp/pwned.txt), and attempts to read '/etc/passwd/.'

"This behavior demonstrates that threat actors aren't just running automated scans, but are actively debugging and refining their exploitation techniques against live targets," comment AWS researchers.

Attack surface management (ASM) platform Assetnote has released a React2Shell scanner on GitHub that can be used to determine if an environment is vulnerable to  React2Shell.