A remote code execution (RCE) vulnerability in the React JavaScript library, which earlier today caused disruption across the internet as Cloudflare pushed mitigations live on its network, is now being exploited by multiple threat actors at scale, according to reports.
Maintained by Meta, React is an open source resource designed to enable developers to build user interfaces (UIs) for both native and web applications.
The vulnerability in question, assigned CVE-2025-55182 and dubbed React2Shell by the cyber community, is a critically-scored pre-authentication RCE flaw in versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of React Server Components that exploits a flaw in how they decode payloads sent to React Function Endpoints.
This means that by crafting a malicious HTTP request to a Server Function endpoint, this means a threat actor could gain the ability to run arbitrary code on the target server.
It was added to the US’ Cybersecurity and Infrastructure Security Agency’s (CISA’s) catalogue on Friday 5 December, and according to Amazon Web Services (AWS) CISO and vice president of security engineering, C.J. Moses, the chief culprits behind the rapid exploitation are thought to be China-nexus threat actors.
Moses cautioned that China’s habit of running shared, large-scale anonymisation infrastructure for multiple state-backed threat actors made definitive attribution challenging, however, following disclosure on Wednesday 3 December, groups tracked as Earth Lamia and Jackpot Panda were observed taking advantage of React2Shell.
“China continues to be the most prolific source of state-sponsored cyber threat activity, with threat actors routinely operationalising public exploits within hours or days of disclosure,” he wrote.
“Through monitoring in our AWS MadPot honeypot infrastructure, Amazon threat intelligence teams have identified both known groups and previously untracked threat clusters attempting to exploit CVE-2025-55182.”
Earth Lamia is well-known for exploiting web application vulnerabilities against organisations primarily located in Latin America, the Middle East, and Southeast Asia, with a particular focus on educational institutions, financial services organisations, government bodies, IT companies, logistics firms, and retailers.
Jackpot Panda, according to AWS, targets its activity at entities in East and Southeast Asia, with its operations aligning to China’s goals relating to corruption and domestic security.
Massive attack
With reports suggesting that there may be over 950,000 servers running vulnerable frameworks such as React and Next.js, Radware threat researchers warned of a massive potential attack surface.
React and Next.js are both well-used thanks to their efficiency and flexibility, while robust ecosystems make them a default choice for many developers – and as such they are found under the bonnet everywhere, from mobile apps and consumer-facing websites to enterprise-grade platforms, said Radware.
“This widespread reliance means a single critical flaw can have cascading consequences for a significant portion of modern web infrastructure,” the Radware team said. “A substantial number of applications across public and private clouds are immediately exploitable, necessitating urgent and widespread action.”
Michael Bell, founder and CEO of Suzu Labs, a penetration testing and AI security specialist, said that hours from disclosure to active exploitation by nation-state actors was the new normal, and matters would likely get worse.
“China-nexus groups have industrializsd their vulnerability response: they monitor disclosures, grab public PoCs – even broken ones – and spray them at scale before most organisations have finished reading the advisory,” he said.
“AWS’s report showing attackers debugging exploits in real-time against honeypots demonstrates this isn’t automated scanning; it’s hands-on-keyboard operators racing to establish persistence before patches roll out.
“With AI tools increasingly capable of parsing vulnerability disclosures and generating exploit code, expect the window between disclosure and weaponization to shrink from hours to minutes,” said Bell.
He added that the earlier Cloudflare outage in service of an emergency patch “tells you everything about the severity calculus here”.
