React2Shell Vulnerability: Maximum-Severity Flaw in React Server Components Actively Exploited by China-Backed Groups 

December 05, 2025 · 5 min read

A new maximum-severity flaw (CVSS score 10.0) in React Server Components (RSC), dubbed React2Shell, is causing a stir in the cyber threat landscape, hot on the heels of the recent exploitation of two high-severity Android Framework vulnerabilities (CVE-2025-48633 and CVE-2025-48572). Defenders have observed multiple Chinese nation-backed groups exploiting the React2Shell vulnerability, which enables RCE and puts vulnerable deployments at significant risk.

For years, China has conducted offensive cyber operations targeting U.S. and international organizations across various sectors, often leveraging nation-state-linked APT groups such as Mustang Panda or APT41 to collect intelligence and sensitive data. 

For half a decade, China's nation-backed cyber operations have increasingly emphasized stealth and operational security, creating a more complex and challenging threat landscape for organizations across industries, including the public sector, as well as for the global cybersecurity community. China-linked APT groups remain the fastest and most active state-sponsored actors, often weaponizing new exploits almost immediately after disclosure. The CrowdStrike 2025 Global Threat Report indicates that China-linked threat actors increased state-sponsored cyber operations by 150%.

Register for the SOC Prime Platform, the AI-Native Detection Intelligence Platform for SOC teams to help your organization preempt emerging threats of any sophistication, advanced APT attacks, and evolving vulnerability exploitation campaigns. Click Explore Detections to access a comprehensive collection of SOC content for vulnerability exploitation, smartly filtered by a custom “CVE” tag.

Explore Detections

All detections can be applied across diverse SIEM, EDR, and Data Lake systems and are mapped to the MITRE ATT&CK® framework. They are also enriched with AI-native detection intelligence and actionable metadata, including CTI references, attack timelines, audit configuration, and triage recommendations for streamlined threat research and CTI analysis, helping teams boost operational efficiency.

Security teams can also rely on Uncoder AI to accelerate detection engineering workflows end-to-end and take advantage of automated IOC conversion into custom hunting queries, automated detection logic generation directly from threat reports, Attack Flow visualization, ATT&CK tags prediction, and AI-assisted content across multiple language formats—all within a single solution. 

React2Shell Vulnerability Analysis

Defenders recently uncovered a novel maximum-severity vulnerability in React Server Components tracked as CVE-2025-55182, aka React2Shell, which affects React 19.x and Next.js 15.x/16.x with App Router. This pre-authentication RCE flaw was responsibly reported to Meta by Lachlan Davidson, with React and Vercel jointly issuing patches on December 3, 2025. Public PoC exploits surfaced roughly 30 hours after disclosure, followed shortly by the researcher’s own PoCs. 

React2Shell arises from unsafe deserialization of payloads sent via HTTP requests to Server Function endpoints. This logical deserialization flaw in processing RSC payloads allows an unauthenticated attacker to send a crafted HTTP request to any Server Function endpoint, which React then deserializes, enabling execution of arbitrary JavaScript code on the server.

Amazon threat intel teams report that China-linked state-sponsored collectives, both established and previously unknown clusters, including Earth Lamia and Jackpot Panda, are already attempting to weaponize the flaw, which enables unauthenticated RCE through unsafe handling of RSC payloads. 

Adversaries are leveraging both automated scanners and manually executed PoCs, with some tools using evasion tactics like randomized user agents. Their activity extends well beyond CVE-2025-55182, with Amazon's monitoring showing the same Chinese clusters exploiting other recent vulnerabilities, such as CVE-2025-1338. This underscores a systematic model, in which adversaries track new disclosures, immediately fold public exploits into their tooling, and launch broad campaigns across multiple CVEs at once to maximize target reach.

Notably, many adversaries rely on publicly posted PoCs that do not function in real deployments. The GitHub community has flagged numerous examples that misinterpret the vulnerability, including demos that improperly register dangerous modules or remain exploitable even after patching. Yet attackers continue to use them, highlighting clear behavioral trends, like rapid adoption over validation, high‑volume scanning, low barriers to entry due to public exploit availability, and log noise that can obscure more targeted attacks.

AWS MadPot telemetry confirms that adversaries are persistently iterating on their exploitation attempts. The unattributed cluster (IP 183[.]6.80.214) spent nearly an hour on December 4 repeatedly testing payloads, issuing 100+ requests over 52 minutes, running Linux commands, attempting file writes to /tmp/pwned.txt, and trying to read /etc/passwd. This demonstrates that attackers are not simply firing off automated scans but are actively debugging and refining techniques against live systems.
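The request pattern described in the two paragraphs above (a single source issuing a high volume of requests in a short window, rotating user agents, and repeated server errors while payloads are being debugged) is something a defender can surface from ordinary web-server access logs. The following Node.js script is an added example and is not code from the SOC Prime post, Amazon, or Cloudflare. It assumes Server Function invocations arrive as HTTP POSTs and that the access log records the user agent; the log lines, the `/app` path, and the thresholds are constructed for illustration and should be tuned to the real deployment.

```javascript
// Added example (not from the original post): triage of access-log lines for the
// high-volume, rotating-user-agent probing described in the post. Sample lines
// below are constructed, not real telemetry. Assumed log format:
//   ip ident user [ISO-8601 time] "METHOD path HTTP/1.1" status "user-agent"
const SAMPLE_LOG = [
  '203.0.113.10 - - [2025-12-04T10:00:00Z] "GET / HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64) Firefox/130.0"',
  '203.0.113.10 - - [2025-12-04T10:00:05Z] "POST /app HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64) Firefox/130.0"',
  '198.51.100.7 - - [2025-12-04T10:01:00Z] "POST /app HTTP/1.1" 500 "Mozilla/5.0 (Windows NT 10.0) Chrome/118.0"',
  '198.51.100.7 - - [2025-12-04T10:01:02Z] "POST /app HTTP/1.1" 500 "curl/8.4.0"',
  '198.51.100.7 - - [2025-12-04T10:01:04Z] "POST /app HTTP/1.1" 500 "python-requests/2.31"',
  '198.51.100.7 - - [2025-12-04T10:01:06Z] "POST /app HTTP/1.1" 500 "Mozilla/5.0 (Macintosh) Safari/605.1"',
  '198.51.100.7 - - [2025-12-04T10:01:08Z] "POST /app HTTP/1.1" 200 "Go-http-client/1.1"',
  '198.51.100.7 - - [2025-12-04T10:01:10Z] "POST /app HTTP/1.1" 500 "Mozilla/5.0 (X11; Ubuntu) Firefox/121.0"',
  'not a log line',
];

const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)"$/;

// Parse one access-log line into a record; returns null for lines that do not match.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], ts: Date.parse(m[2]), method: m[3], path: m[4], status: Number(m[5]), ua: m[6] };
}

// Largest number of events that fall inside any sliding window of windowMs
// (two-pointer sweep over ascending timestamps).
function maxInWindow(sortedTs, windowMs) {
  let best = 0;
  let lo = 0;
  for (let hi = 0; hi < sortedTs.length; hi++) {
    while (sortedTs[hi] - sortedTs[lo] > windowMs) lo++;
    best = Math.max(best, hi - lo + 1);
  }
  return best;
}

// Group POSTs per source IP and flag request bursts and user-agent rotation.
// Assumption: Server Function invocations are POSTs; thresholds are illustrative.
function analyzeLog(lines, { windowMs = 60_000, burstThreshold = 5, uaThreshold = 3 } = {}) {
  const perIp = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || r.method !== 'POST') continue;
    if (!perIp.has(r.ip)) perIp.set(r.ip, { ts: [], uas: new Set(), serverErrors: 0 });
    const s = perIp.get(r.ip);
    s.ts.push(r.ts);
    s.uas.add(r.ua);
    if (r.status >= 500) s.serverErrors++; // 5xx runs are typical of payloads being debugged
  }
  const findings = [];
  for (const [ip, s] of perIp) {
    s.ts.sort((a, b) => a - b);
    const burst = maxInWindow(s.ts, windowMs);
    const reasons = [];
    if (burst >= burstThreshold) reasons.push(`${burst} POSTs within ${windowMs / 1000}s`);
    if (s.uas.size >= uaThreshold) reasons.push(`${s.uas.size} distinct user agents`);
    if (reasons.length > 0) {
      findings.push({ ip, posts: s.ts.length, burst, distinctUserAgents: s.uas.size, serverErrors: s.serverErrors, reasons });
    }
  }
  return findings;
}

for (const f of analyzeLog(SAMPLE_LOG)) {
  console.log(`${f.ip}: ${f.reasons.join('; ')} (5xx responses: ${f.serverErrors})`);
}
```

On the constructed sample only 198.51.100.7 is reported: six POSTs inside ten seconds, six different user agents, and five 5xx responses, while the ordinary visitor with one POST is left alone. In production the burst threshold should be set from the application's normal per-client POST rate, and the user-agent rotation check matters most when combined with the burst, since a single client legitimately changing browsers is rare but not impossible.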

Notably, the threat also impacts Next.js applications using App Router. Originally assigned CVE-2025-66478 with a CVSS score of 10.0, it has since been marked by the NIST NVD as a duplicate of the React2Shell vulnerability.

Wiz reported that 39% of cloud environments have systems susceptible to CVE-2025-55182 and CVE-2025-66478. Although AWS services are not impacted, given the critical nature of both vulnerabilities, users are strongly urged to apply patches immediately to ensure maximum protection.

Organizations running React or Next.js on EC2, in containers, or in other self-managed environments should apply updates without delay. To minimize risks from React2Shell exploitation, immediately update affected React and Next.js applications following the AWS Security Bulletin for patched versions. As an interim measure, defenders should deploy the custom AWS WAF rule provided in the bulletin to block exploit attempts.
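Before patching, teams need to know which of their projects sit in the affected version lines named above (React 19.x, Next.js 15.x/16.x with App Router). The following Node.js script is an added example, not code from the post, the AWS bulletin, or the React or Next.js projects. It reads a `package.json` object and compares the floor of each dependency spec against a caller-supplied map of patched minimum versions; the patched versions are not stated on this page, so the `PLACEHOLDER_PATCHED` values are deliberately fake and must be replaced with the versions from the AWS Security Bulletin. It does not detect App Router usage and treats every Next.js 15/16 project as in scope.

```javascript
// Added example (not from the original post): flag package.json dependencies that
// fall in the version lines the post names as affected (React 19.x, Next.js 15.x/16.x).
// Patched minimums are NOT on the page; the caller supplies them from the AWS bulletin.
const AFFECTED_MAJORS = { react: [19], next: [15, 16] };

// Extract [major, minor, patch] from a version or simple range spec ("^19.1.0", ">=15.2.0").
// A range yields its floor, i.e. the lowest version the spec allows; the installed
// version may be higher, so confirm against the lockfile before closing a finding.
function parseSemver(spec) {
  const m = /^[\s^~><=v]*(\d+)\.(\d+)\.(\d+)/.exec(String(spec));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns one finding per affected package present in pkg.dependencies/devDependencies.
// patchedMinimums has the shape { react: { 19: 'x.y.z' }, next: { 15: 'x.y.z', 16: 'x.y.z' } }.
function assessDependencies(pkg, patchedMinimums) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const [name, majors] of Object.entries(AFFECTED_MAJORS)) {
    if (!(name in deps)) continue;
    const spec = deps[name];
    const v = parseSemver(spec);
    let status;
    if (!v) {
      status = 'unparseable spec; resolve installed version from lockfile';
    } else if (!majors.includes(v[0])) {
      status = 'outside affected lines';
    } else {
      const min = patchedMinimums[name] && patchedMinimums[name][v[0]];
      if (!min) status = 'affected line; patched minimum unknown, consult bulletin';
      else if (compareSemver(v, parseSemver(min)) >= 0) status = 'at or above patched minimum';
      else status = 'UPDATE REQUIRED';
    }
    findings.push({ name, spec, status });
  }
  return findings;
}

// Constructed input. PLACEHOLDER_PATCHED holds fake values, not the real patched versions.
const EXAMPLE_PKG = { dependencies: { react: '^19.1.0', next: '15.2.0', express: '^4.19.0' } };
const PLACEHOLDER_PATCHED = { react: { 19: '19.9.9' }, next: { 15: '15.9.9', 16: '16.9.9' } };

for (const f of assessDependencies(EXAMPLE_PKG, PLACEHOLDER_PATCHED)) {
  console.log(`${f.name} ${f.spec} -> ${f.status}`);
}
```

Because a caret or tilde range only fixes the floor, a project whose `package.json` says `^19.1.0` may already have resolved a patched release in its lockfile; the script errs on the side of flagging, which is the right default when triaging a CVSS 10.0 issue. A dependency spec such as `latest` or a git URL cannot be compared at all and is reported for manual follow-up.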

Meanwhile, Cloudflare announced that it has implemented a new protection in its cloud-based WAF as a potential React2Shell mitigation step. According to the company, all customers, both free and paid, are safeguarded, provided their React application traffic is routed through Cloudflare’s proxy.

As the number of vulnerabilities actively exploited continues to rise, forward-looking organizations are prioritizing proactive cyber defenses to ensure strong and resilient security postures. SOC Prime’s AI-Native Detection Intelligence Platform helps organizations elevate their cyber defenses at scale by empowering AI technologies and top cybersecurity expertise while maximizing resource effectiveness.
