React2Shell Alert: Nation-State Attackers Weaponized CVE-2025-55182 Within Hours of Disclosure

Blog December 5, 2025
Associate Security Analyst, ArmorCode
VP of Product Marketing, ArmorCode

A critical vulnerability in one of the world’s most widely deployed JavaScript libraries is under active exploitation by Chinese state-sponsored threat groups. If your organization runs React or Next.js applications, this is a drop-everything moment.

The Severity Cannot Be Overstated

On December 3, 2025, Meta and Vercel publicly disclosed CVE-2025-55182—a maximum-severity (CVSS 10.0) remote code execution vulnerability affecting React Server Components. Security researcher Lachlan Davidson discovered and responsibly reported this flaw through Meta’s Bug Bounty program on November 29, 2025.

Within hours of public disclosure, Amazon’s threat intelligence teams observed active exploitation attempts from multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda.

This isn’t a theoretical risk. This is happening now.

Why React2Shell Demands Your Immediate Attention

React is one of the most extensively adopted JavaScript libraries in existence. According to NPM Trends data, the React core package receives over 20 million downloads every week. The library powers more than 11 million websites globally, with roughly 6.2% of the top 10,000 highest-trafficked sites running React-based applications.

Here’s what makes CVE-2025-55182 particularly dangerous:

Default configurations are vulnerable. A standard Next.js application created with create-next-app and built for production can be exploited without any code modifications by the developer. There is no misconfiguration required—the vulnerability exists in the default state.

No authentication required. Attackers can achieve remote code execution by sending a single crafted HTTP request. There is no need for valid credentials, session tokens, or any form of access.

Applications are vulnerable even without explicitly using server functions. According to the React security advisory, if your application supports React Server Components, it is potentially exploitable—even if you never directly implemented server functions.

The Technical Reality

The vulnerability exists in how React Server Components deserialize data through the “Flight” protocol. When servers process specially crafted requests, they fail to properly validate the payload structure, allowing attacker-controlled data to influence server-side execution logic. This is an unsafe deserialization vulnerability at its core.

The flaw is present in React versions 19.0, 19.1.0, 19.1.1, and 19.2.0 across the following packages:

  • react-server
  • react-server-dom-parcel
  • react-server-dom-webpack
  • react-server-dom-turbopack
  • react-server-dom-vite

Downstream frameworks and bundlers affected include Next.js (versions 15.x and 16.x with App Router), React Router, Waku, RedwoodJS, and Parcel/Vite RSC plugins.

Active Exploitation by Nation-State Actors

According to CJ Moses, CISO of Amazon Integrated Security, AWS MadPot honeypot infrastructure detected exploitation attempts within hours of the December 3rd disclosure:

“China continues to be the most prolific source of state-sponsored cyber threat activity, with threat actors routinely operationalizing public exploits within hours or days of disclosure.”

The identified threat actors include:

Earth Lamia — A China-nexus group known for targeting organizations across financial services, logistics, retail, IT companies, universities, and government sectors in Latin America, the Middle East, and Southeast Asia.

Jackpot Panda — A China-nexus actor primarily focused on East and Southeast Asian entities, with activity aligned to domestic security and corruption-related collection priorities.

AWS researchers observed attackers systematically debugging their exploitation techniques in real time. In one documented case, a threat cluster spent nearly an hour (116 requests across 52 minutes) attempting Linux commands (whoami, id), writing a test file to /tmp/pwned.txt, and attempting to read /etc/passwd. These are not automated scans. These are hands-on-keyboard attacks actively refining techniques against live targets.

What You Must Do Now

1. Patch Immediately

The React team has released fixed versions: 19.0.1, 19.1.2, and 19.2.1. Update all affected packages today—not next sprint, not next week.

For Next.js users: If you are running canary versions 14.3.0-canary.77 or later, downgrade immediately to the latest stable 14.x release, then apply available patches.

2. Deploy WAF Rules as Interim Protection

Both AWS and Google Cloud have published WAF rules specifically designed to detect and block CVE-2025-55182 exploitation attempts. If patching takes time in your environment, deploy these rules immediately as a temporary mitigation layer.

AWS WAF users should ensure AWSManagedRulesKnownBadInputsRuleSet version 1.24 or higher is active.

3. Audit Your Full Application Inventory

This vulnerability affects applications that may use React Server Components indirectly through dependencies. Do not assume you’re safe because you didn’t explicitly implement server functions. Audit every React-based application in your environment.

4. Hunt for Indicators of Compromise

Review your logs for:

  • POST requests containing next-action or rsc-action-id headers
  • Request bodies containing `$@` patterns or `"status":"resolved_model"` patterns
  • Unexpected process execution on application servers (whoami, id, uname)
  • Suspicious file writes to /tmp/ directories
  • New processes spawned by Node.js/React application processes

How ArmorCode Helps You Respond

ArmorCode’s platform is engineered for exactly this scenario—when a critical vulnerability emerges and you need immediate visibility across your entire application security posture.

Immediate Exposure Assessment: ArmorCode correlates vulnerability data with your software bill of materials to instantly identify whether affected React packages exist anywhere in your environment. No manual scanning required.

Custom Saved Searches: Create and save queries to filter findings by CVE-2025-55182 or the affected package names across all your connected scanners and asset inventories, making them instantly accessible for ongoing monitoring.

Software Supply Chain Visibility: Our centralized dashboard provides a comprehensive view of all software components, enabling rapid identification of compromised packages and accurate exposure assessment across your entire portfolio.

Automated Response with Runbooks: Configure runbooks to automatically update finding severity, trigger notifications to stakeholders, or initiate remediation workflows the moment CVE-2025-55182 is detected in your environment.

Ask Anya: Our agentic AI assistant delivers immediate, contextual risk analysis. Ask natural language questions like “Am I affected by CVE-2025-55182?” or “Show me all applications with React 19.1.0 dependencies” and receive instant, actionable answers.

This Is (Unfortunately) Not a Drill

CVE-2025-55182 represents one of the most severe vulnerabilities to emerge in the JavaScript ecosystem. The combination of maximum CVSS severity, trivial exploitability, default-vulnerable configurations, and immediate weaponization by nation-state actors creates an emergency situation.

The Singapore Cyber Security Agency has issued an official alert. Google Cloud has published emergency guidance. AWS has deployed automated protections across their infrastructure while explicitly warning customers that these protections are not substitutes for patching.

Patch today, and hunt for any compromises. Ensure your security monitoring can detect exploitation attempts going forward.

Sources:

  • React Team Security Advisory (December 3, 2025)
  • AWS Security Blog: China-nexus cyber threat groups rapidly exploit React2Shell vulnerability (December 4, 2025)
  • Google Cloud Blog: Responding to CVE-2025-55182 (December 3, 2025)
  • Vercel Changelog: Summary of CVE-2025-55182
  • CyberScoop: Developers scramble as critical React flaw threatens major apps (December 4, 2025)
  • BleepingComputer: React2Shell critical flaw actively exploited in China-linked attacks (December 5, 2025)
  • SecurityWeek: Chinese Hackers Exploiting React2Shell Vulnerability (December 5, 2025)
  • The Hacker News: Chinese Hackers Have Started Exploiting the Newly Disclosed React2Shell Vulnerability (December 5, 2025)
  • Cyber Security Agency of Singapore Alert (December 4, 2025)
