A critical vulnerability in React, the popular open source JavaScript library, is under active attack, and the attackers include Chinese nation-state threat actors.
CVE-2025-55182, disclosed Wednesday, is an unauthenticated remote code execution (RCE) vulnerability in the React Server Components (RSC) protocol. It is caused by unsafe deserialization and affects versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of three packages: react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. Because of the severity of the bug, the ubiquity of React, and the fact that it can be exploited before authentication, it received a CVSS score of 10, the highest severity possible.
Security researchers have referred to the vulnerability as “React2Shell,” a reference to the devastating Log4Shell vulnerability in the Log4j framework that was disclosed in 2021 and came under widespread exploitation.
A second, related CVE with a maximum-severity score, tracked as CVE-2025-66478, covers the downstream impact of the RSC vulnerability on the Next.js framework.
Fixed React versions 19.0.1, 19.1.2, and 19.2.1 are available now, and affected users are urged to upgrade as soon as possible. Mitigations for downstream impacts are also generally available; Next.js maintainer Vercel, for example, has published guidance for CVE-2025-66478 and released patches for affected versions of the framework.
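Because the bug lives in three specific packages that are often pulled in transitively by a framework rather than listed in an application's own package.json, the practical first step is an inventory of what is actually installed. The script below is an added example written for this page, not tooling from the React or Next.js projects: it walks an npm lockfile (the v1 nested "dependencies" tree or the v2/v3 flat "packages" map) and reports every copy of the three affected packages at one of the versions named in the advisory, together with the fixed release for that minor line. The lockfile contents and the "some-framework" package in the sample are constructed for the demonstration.

```javascript
// Added example: lockfile inventory check for the React Server Components packages
// named in the CVE-2025-55182 advisory. Illustrative code for this page, not React's
// or Vercel's own tooling. Vulnerable and fixed versions are exactly those the
// advisory lists; the sample lockfiles below are constructed, not from a real project.

const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// Versions named as vulnerable, and the release that fixes each minor line.
const VULNERABLE_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
const FIXED_VERSION_BY_MINOR = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };

// Returns the version to upgrade to, or null if (name, version) is not affected.
function fixFor(name, version) {
  if (!AFFECTED_PACKAGES.has(name)) return null;
  if (!VULNERABLE_VERSIONS.has(version)) return null;
  const minor = version.split(".").slice(0, 2).join(".");
  return FIXED_VERSION_BY_MINOR[minor] ?? null;
}

// Walk a parsed lockfile and return [{ path, name, version, fixedIn }] for every hit.
// Both lockfile formats are handled so nested (transitive) copies are not missed.
function scanLockfile(lock) {
  const findings = [];

  // npm lockfile v2/v3: flat "packages" map keyed by install path.
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (!path) continue; // "" is the root project entry
      const name = path.split("node_modules/").pop(); // last segment is the package name
      const fixedIn = fixFor(name, meta.version);
      if (fixedIn) findings.push({ path, name, version: meta.version, fixedIn });
    }
  }

  // npm lockfile v1: nested "dependencies" tree; recurse to cover transitive deps.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      const fixedIn = fixFor(name, meta.version);
      if (fixedIn) findings.push({ path, name, version: meta.version, fixedIn });
      if (meta.dependencies) walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages && lock.dependencies) walk(lock.dependencies, "");

  return findings;
}

// Constructed v3-shaped lockfile: one vulnerable copy nested under a hypothetical
// framework package, one already-fixed copy at top level, and unrelated packages
// that must not be reported.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" }, // not one of the three affected packages
    "node_modules/react-server-dom-webpack": { version: "19.2.1" }, // already patched
    "node_modules/some-framework": { version: "15.0.0" },
    "node_modules/some-framework/node_modules/react-server-dom-webpack": { version: "19.2.0" },
  },
};

// The same kind of situation in the v1 nested format (also constructed).
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "react-server-dom-turbopack": { version: "19.1.1" },
    "some-framework": {
      version: "15.0.0",
      dependencies: { "react-server-dom-parcel": { version: "19.0.0" } },
    },
  },
};

// Prints one line per finding and returns the findings for further processing.
function report(lock) {
  const hits = scanLockfile(lock);
  for (const h of hits) {
    console.log(`${h.path}: ${h.name}@${h.version} is vulnerable, upgrade to ${h.fixedIn}`);
  }
  if (hits.length === 0) console.log("no vulnerable React Server Components packages found");
  return hits;
}

if (typeof require !== "undefined" && require.main === module) {
  report(SAMPLE_LOCK_V3);
  report(SAMPLE_LOCK_V1);
}
```

To run it against a real project, replace the sample objects with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. A clean result only covers what npm installed; if a framework bundles or vendors one of these packages, or if the deployment uses pnpm or yarn lockfiles, those need to be checked separately.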
The security community acted quickly, with a wide range of maintainers and vendors working to contain the threat as soon as it became public. That said, while it was unclear at first whether React2Shell was under attack, that is, unfortunately, no longer the case.
China-Nexus Actors Target React2Shell
In a blog post on Thursday, Amazon chief information security officer (CISO) CJ Moses warned that within hours of CVE-2025-55182’s public disclosure on Dec. 3, “Amazon threat intelligence teams observed active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda.”
Though Moses conceded it’s difficult to make per-attack attributions due to China’s large-scale anonymization networks, he added that “the majority of observed autonomous system numbers (ASNs) for unattributed activity are associated with Chinese infrastructure, further confirming that most exploitation activity originates from that region.”
Furthermore, he wrote that threat actors are using automated scanning tools and proof-of-concept (PoC) exploits, many of which are non-functional, to target vulnerable organizations. These actors are not, however, limiting themselves to the vulnerability of the moment.
“These groups aren’t limiting their activities to CVE-2025-55182. Amazon threat intelligence teams observed them simultaneously exploiting other recent N-day vulnerabilities, including CVE-2025-1338,” he wrote. “This demonstrates a systematic approach: threat actors monitor for new vulnerability disclosures, rapidly integrate public exploits into their scanning infrastructure, and conduct broad campaigns across multiple Common Vulnerabilities and Exposures (CVEs) simultaneously to maximize their chances of finding vulnerable targets.”
The Continuing Fallout of React2Shell
Although China-nexus attackers may be among the first to target React2Shell, that does not mean they will be the only ones, as this threat is still in its early days. The fallout extends beyond external attacks, too: Cloudflare suffered a brief outage Friday caused by its own mitigation efforts for React2Shell, which included the deployment of web application firewall (WAF) rules to protect customers from exploitation attempts.
In a Rapid7 blog post, the security firm said it validated a working PoC exploit for the vulnerability that was published by a security researcher. Other PoCs are also publicly available, though it’s unclear how many of them lead to successful exploitation of CVE-2025-55182.
As the blog post put it, although broad exploitation may not yet have begun, that is likely to change once working exploits become available. As such, any organization that is or suspects it may be vulnerable to CVE-2025-55182 or CVE-2025-66478 should act now.
