

Ethical Hacking News

AWS React2Shell Vulnerability: A China-Linked Threat Actors' Frenzy



A recently disclosed vulnerability tracked as CVE-2025-55182, also referred to as the React2Shell flaw, was exploited by multiple China-linked threat actors within hours of its public disclosure. The pre-authentication remote code execution vulnerability affects several versions of React Server Components; patched releases are available. Organizations running React or Next.js applications should update immediately to minimize the risk of exploitation.

  • Security experts have identified a new vulnerability known as CVE-2025-55182 (React2Shell flaw) in React Server Components.
  • The vulnerability allows pre-authentication remote code execution because data from HTTP requests to Server Function endpoints is deserialized unsafely.
  • Multiple China-linked threat actors, including Earth Lamia and Jackpot Panda, have exploited the vulnerability within hours of its disclosure.
  • The threat actors use automated scanners and public PoC exploits, and failed attempts create significant log noise that may mask more sophisticated attacks.
  • Organizations must update their React or Next.js applications immediately to minimize the risk of exploitation.



    Security experts have recently sounded the alarm regarding a new vulnerability known as CVE-2025-55182, also referred to as the React2Shell flaw. This pre-authentication remote code execution vulnerability affects React Server Components in React versions 19.0.0, 19.1.0, 19.1.1 and 19.2.0, as shipped in the react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack packages.

    The vulnerability is caused by unsafe deserialization of data sent in HTTP requests to Server Function endpoints in the affected React Server Components versions. According to researcher Lachlan Davidson, who reported the flaw on November 29, the unsafe payload decoding allows unauthenticated code execution and potentially exposes any application that uses React Server Components, even one that does not itself expose Server Function endpoints.

    The flaw is fixed in versions 19.0.1, 19.1.2 and 19.2.1. Nevertheless, according to AWS Security, multiple China-linked threat actors began exploiting the vulnerability within hours of its public disclosure. AWS states that the vulnerability does not affect AWS services, but has shared its threat intelligence with customers who run React or Next.js applications in their own environments.
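    The first practical question for a defender is whether the deployed build actually carries one of the affected package versions listed above. The script below is an added example, not code from the article, from AWS, or from the React project: it reads an npm lockfile (a constructed sample is embedded) and classifies every copy of the three react-server-dom-* packages as vulnerable or fixed against the version boundaries the article gives. The lockfile layout (npm lockfileVersion 3 "packages" map) and the decision to flag prerelease builds for manual review are assumptions of this example.

```javascript
// Added example: audit a package-lock.json for the React Server Components
// packages named in the article. Affected: 19.0.0, 19.1.0, 19.1.1, 19.2.0.
// Fixed: 19.0.1, 19.1.2, 19.2.1 (first patched release per 19.x minor line).
// Not from the article or the React project; the sample lockfile is constructed.

const AFFECTED_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];

// First patched release for each affected minor line, as stated in the article.
const FIXED_BY_MINOR = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };

function parseVersion(v) {
  // Accept an optional leading "v"; ignore any prerelease/build suffix here.
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Returns "vulnerable", "fixed", "review" (prerelease/canary build, which the
// stable version boundaries do not cleanly describe; assumption of this
// example), or "out-of-range" (not a 19.0-19.2 release, so the article's
// affected list does not apply).
function classifyVersion(version) {
  const [major, minor] = parseVersion(version);
  if (/^v?\d+\.\d+\.\d+[-+]/.test(version)) return "review";
  const fixed = FIXED_BY_MINOR[`${major}.${minor}`];
  if (!fixed) return "out-of-range";
  return compareVersions(version, fixed) < 0 ? "vulnerable" : "fixed";
}

// Walk the lockfile "packages" map. Nested copies live under paths such as
// node_modules/some-lib/node_modules/<pkg>, so match on the last path segment.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!AFFECTED_PACKAGES.includes(name) || !entry.version) continue;
    findings.push({
      path,
      name,
      version: entry.version,
      status: classifyVersion(entry.version),
    });
  }
  return findings;
}

// Constructed sample lockfile: one vulnerable top-level copy, one patched copy,
// and a vulnerable nested copy that a top-level-only check would miss.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.1" },
    "node_modules/some-lib/node_modules/react-server-dom-webpack": { version: "19.1.1" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(12)} ${f.name}@${f.version}  (${f.path})`);
}
```

    To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`. The nested-copy case matters in practice: a transitive dependency can pin an older react-server-dom-* release even after the application's own dependency has been bumped, and only the lockfile shows that.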

    The threat actors observed by AWS Security belong to the groups Earth Lamia and Jackpot Panda, which are known for exploiting web application flaws across Latin America (LATAM), the Middle East and Southeast Asia. Both groups operate through large shared anonymization networks that mask attacker identity, making precise attribution difficult.

    These networks are a defining characteristic of Chinese cyber operations, allowing reconnaissance, exploitation, and command-and-control activities while obscuring attribution. The groups' use of automated scanners and public PoC exploits to target the React2Shell vulnerability and other N-days like CVE-2025-1338 reflects their focus on speed, volume, and low entry barriers.

    The report also highlights that failed attempts at exploiting these vulnerabilities create significant log noise, potentially masking more sophisticated attacks. In one notable instance, a threat cluster associated with an IP address 183[.]6.80.214 spent nearly an hour troubleshooting exploitation attempts against live targets. This behavior indicates that the threat actors are not only running automated scans but actively debugging and refining their techniques.
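    The log-noise problem described above has a practical consequence for triage: a source that fires one request per host and moves on looks very different from a source that keeps retrying and varying its request over most of an hour. The script below is an added example, not code from the article or from AWS's report: it summarizes failed POST requests per source address in a JSON-lines access log and separates one-shot scanner noise from the persistent, iterating behaviour the article attributes to the cluster that spent close to an hour troubleshooting. The log format, the use of request size as a proxy for payload variation, the thresholds, and the sample addresses (RFC 5737 documentation ranges) are all assumptions constructed for this example.

```javascript
// Added example: separate one-shot scanner noise from a source that iterates on
// its requests over a long window. Not from the article or AWS; the log format
// (JSON lines with ts, src, method, path, status, req_bytes) and the thresholds
// are assumptions, and the log below is constructed sample data.

const SAMPLE_LOG = `
{"ts":"2025-12-05T10:00:01Z","src":"203.0.113.5","method":"POST","path":"/","status":500,"req_bytes":412}
{"ts":"2025-12-05T10:00:03Z","src":"203.0.113.9","method":"POST","path":"/","status":500,"req_bytes":412}
{"ts":"2025-12-05T10:05:00Z","src":"198.51.100.7","method":"POST","path":"/","status":500,"req_bytes":412}
{"ts":"2025-12-05T10:10:00Z","src":"203.0.113.44","method":"GET","path":"/","status":200,"req_bytes":0}
{"ts":"2025-12-05T10:12:30Z","src":"198.51.100.7","method":"POST","path":"/","status":500,"req_bytes":455}
{"ts":"2025-12-05T10:20:10Z","src":"198.51.100.7","method":"POST","path":"/","status":400,"req_bytes":498}
{"ts":"2025-12-05T10:30:00Z","src":"203.0.113.77","method":"POST","path":"/","status":500,"req_bytes":412}
{"ts":"2025-12-05T10:31:00Z","src":"198.51.100.7","method":"POST","path":"/","status":500,"req_bytes":510}
{"ts":"2025-12-05T10:44:45Z","src":"198.51.100.7","method":"POST","path":"/","status":500,"req_bytes":531}
{"ts":"2025-12-05T10:52:00Z","src":"198.51.100.7","method":"POST","path":"/","status":200,"req_bytes":540}
`;

function parseLog(text) {
  return text
    .split("\n")
    .filter((line) => line.trim())
    .map((line) => JSON.parse(line));
}

// Per-source summary of POST traffic: how many attempts, how many failed,
// how many distinct request sizes (a crude stand-in for payload variants),
// and how long the source stayed active.
function summarizeSources(events) {
  const bySrc = new Map();
  for (const e of events) {
    if (e.method !== "POST") continue;
    let s = bySrc.get(e.src);
    if (!s) {
      s = { src: e.src, attempts: 0, failures: 0, sizes: new Set(), first: Infinity, last: -Infinity };
      bySrc.set(e.src, s);
    }
    const t = Date.parse(e.ts);
    s.attempts += 1;
    if (e.status < 200 || e.status >= 300) s.failures += 1;
    s.sizes.add(e.req_bytes);
    s.first = Math.min(s.first, t);
    s.last = Math.max(s.last, t);
  }
  return [...bySrc.values()].map((s) => ({
    src: s.src,
    attempts: s.attempts,
    failures: s.failures,
    distinctSizes: s.sizes.size,
    spanMinutes: (s.last - s.first) / 60000,
  }));
}

// "iterative": repeated, varying attempts over a sustained window, the pattern
// worth a human look. "one-shot": the high-volume scanner noise the article
// warns can mask it. Thresholds are assumptions for this example.
function classifySource(summary, { minAttempts = 5, minSpanMinutes = 15, minVariants = 3 } = {}) {
  const sustained =
    summary.attempts >= minAttempts &&
    summary.spanMinutes >= minSpanMinutes &&
    summary.distinctSizes >= minVariants;
  return sustained ? "iterative" : "one-shot";
}

function triage(text, opts) {
  return summarizeSources(parseLog(text)).map((s) => ({ ...s, verdict: classifySource(s, opts) }));
}

for (const s of triage(SAMPLE_LOG)) {
  console.log(`${s.verdict.padEnd(10)} ${s.src.padEnd(14)} attempts=${s.attempts} failed=${s.failures} variants=${s.distinctSizes} span=${s.spanMinutes}min`);
}
```

    The point of the split is prioritization, not attribution: the three one-shot sources in the sample all send the same request size once and never return, while 198.51.100.7 sends six variants over 47 minutes and its final request succeeds. Burying that sequence in an alert on every failed POST is exactly the masking effect the report describes; a per-source summary surfaces it.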

    The rapid weaponization of public PoCs by these threat actors underscores the urgency for organizations to update their React or Next.js applications now rather than on the next scheduled patch cycle. Companies need to track newly disclosed vulnerabilities in the frameworks they run and apply fixes quickly enough to close the window between disclosure and exploitation.

    Because the groups' use of large shared anonymization networks is well documented, organizations should also expect exploitation attempts to arrive from addresses that cannot be tied to a specific actor, and should build their detection and blocking around behaviour rather than attribution.

    Understanding how quickly these China-linked groups move from public PoC to live exploitation is the best preparation for the next flaw of this kind.

    Related Information:
  • https://www.ethicalhackingnews.com/articles/AWS-React2Shell-Vulnerability-A-China-Linked-Threat-Actors-Frenzy-ehn.shtml

  • https://securityaffairs.com/185436/security/aws-china-linked-threat-actors-weaponized-react2shell-hours-after-disclosure.html

  • https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-55182

  • https://www.cvedetails.com/cve/CVE-2025-55182/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-1338

  • https://www.cvedetails.com/cve/CVE-2025-1338/

  • https://fortiguard.fortinet.com/outbreak-alert/earth-lamia-apt-attack

  • https://www.securityweek.com/chinese-hacking-group-earth-lamia-targets-multiple-industries/


    Published: Mon Dec 8 07:50:51 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.