React2Shell and the Race Against State Sponsored Attackers
A maximum severity vulnerability in React Server Components is being actively exploited by China nexus threat groups within hours of disclosure. Here's what you need to know.
Mon Dec 08 - Written by: Jacob Strix
On December 3, 2025, a critical vulnerability dubbed React2Shell was disclosed, affecting React Server Components with a maximum CVSS score of 10.0. Within hours, multiple China state nexus threat groups began actively exploiting it. If you’re running React 19.x or Next.js 15.x/16.x, you need to patch immediately.
Understanding the Vulnerability
React2Shell, tracked as CVE-2025-55182, is an unsafe deserialization vulnerability in React’s Flight protocol. This flaw allows unauthenticated attackers to execute arbitrary code on servers through specially crafted HTTP requests. Security researcher Lachlan Davidson discovered and responsibly disclosed this to Meta on November 29, 2025.
Here’s what makes this particularly dangerous. The vulnerability affects applications even if they don’t explicitly use React Server Functions. Simply supporting React Server Components is enough to be vulnerable. No authentication required, no special configuration needed. Just an HTTP request and attackers can execute code on your server.
The CVSS score of 10.0 tells you everything. Maximum severity. Network attack vector. No user interaction needed. Complete compromise possible.
What’s Actually Affected
React packages in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 are vulnerable. Specifically, these packages have the flaw:
- react-server-dom-parcel
- react-server-dom-webpack
- react-server-dom-turbopack
For Next.js users, all of version 15.x and 16.x are affected, along with canary releases starting from 14.3.0-canary.77. The good news is that Next.js 13.x, stable 14.x, Pages Router applications, and Edge Runtime are safe.
Other frameworks in the blast radius include React Router’s RSC preview, Waku, Parcel RSC, Vite’s RSC plugin, and RedwoodJS. Basically, if your framework implements or depends on React Server Components, you should assume you’re vulnerable until proven otherwise.
The Numbers Don’t Lie
Shadowserver found 77,664 vulnerable IP addresses. Wiz Research reports that 39% of cloud environments contain vulnerable instances. Censys identified over 2.15 million internet-facing services potentially at risk. According to the 2024 State of JavaScript survey, 82% of developers use React. The attack surface is massive.
How Fast This Escalated
The timeline is terrifying if you care about security response windows.
November 29: Davidson reports the vulnerability to React Team.
December 3: Public disclosure happens. Patches released.
December 3, just hours later: AWS honeypots detect active exploitation by China nexus groups.
December 4: First public proof of concept gets released.
December 5: CISA adds this to their Known Exploited Vulnerabilities catalog with a patch deadline of December 26.
From disclosure to active exploitation in hours, not days. This is the new reality.
Who’s Behind the Attacks
AWS threat intelligence identified several groups moving fast on this. Earth Lamia has been active since 2023, hitting targets across Latin America, the Middle East, and Southeast Asia. Jackpot Panda runs cyberespionage operations throughout Asia. UNC5174 has links to China’s Ministry of State Security.
What’s particularly concerning is how these attackers are working. AWS researchers noted that threat actors aren’t just running automated scans. They’re “actively debugging and refining their exploitation techniques against live targets.” One attacker at IP 183.6.80.214 spent nearly an hour systematically troubleshooting their exploitation attempts. This isn’t spray and pray. This is methodical.
What Attackers Are Doing
The attack patterns we’re seeing include basic reconnaissance like running whoami and enumerating systems. Credential theft is happening, specifically AWS credentials being exfiltrated. Malware deployment includes Cobalt Strike beacons, Sliver C2 frameworks, and cryptominers. File operations involve reading /etc/passwd and writing persistence mechanisms.
These aren’t random script kiddies. These are sophisticated actors with resources and patience.
Patch Right Now
For React packages, update to version 19.0.1, 19.1.2, or 19.2.1.
For Next.js, upgrade to the latest patched version in your release line. That means 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7 depending on which version you’re running.
Vercel released an automated fix tool that makes this easier:
npx fix-react2shell-next
Run that and it will check your versions and upgrade you to the safe releases.
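To turn the affected and fixed version lists above into a repeatable check before and after running the fix tool, here is an added example (not the advisory's, React's or Vercel's code) that reads a package-lock.json and reports which installed copies of next and the react-server-dom packages sit below the patched releases. The lockfile layout and the status names are assumptions, and it judges only the version lines this post names.

```javascript
// Added example (not from the advisory or the React/Next.js projects): classify installed
// versions against the fixed releases named above. Assumes a package-lock.json v2/v3 "packages" map.
const FIXED = { // first patched release per minor line, from the advisory text
  "react-server-dom-parcel": { "19.0": 1, "19.1": 2, "19.2": 1 },
  "react-server-dom-webpack": { "19.0": 1, "19.1": 2, "19.2": 1 },
  "react-server-dom-turbopack": { "19.0": 1, "19.1": 2, "19.2": 1 },
  next: { "15.0": 5, "15.1": 9, "15.2": 6, "15.3": 6, "15.4": 8, "15.5": 7, "16.0": 7 },
};

// "major.minor[.patch][-prerelease]"; a bare "19.0" is read as 19.0.0.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  return m && { major: +m[1], minor: +m[2], patch: +(m[3] || 0), pre: m[4] || "" };
}
// "vulnerable", "fixed", "unaffected", or "not-listed" (a line the advisory does
// not name: check it by hand rather than assuming it is safe).
function classify(name, version) {
  const p = parseVersion(version);
  if (!p || !FIXED[name]) return "not-listed";
  if (name === "next" && p.major <= 14) {
    // 13.x and stable 14.x are safe; canaries from 14.3.0-canary.77 onward are affected
    const c = /^canary\.(\d+)$/.exec(p.pre);
    const hit = p.major === 14 && c && (p.minor > 3 || (p.minor === 3 && (p.patch > 0 || +c[1] >= 77)));
    return hit ? "vulnerable" : "unaffected";
  }
  const fixedPatch = FIXED[name][`${p.major}.${p.minor}`];
  if (fixedPatch === undefined) return "not-listed";
  // a prerelease of the fixed patch (e.g. 15.5.7-canary.3) sorts below it and is still vulnerable
  return p.patch < fixedPatch || (p.patch === fixedPatch && p.pre) ? "vulnerable" : "fixed";
}

// Walk every installed copy, nested ones included (node_modules/next/node_modules/...).
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const m = /(?:^|\/)node_modules\/((?:@[^/]+\/)?[^/]+)$/.exec(path);
    if (!m || !FIXED[m[1]] || !entry.version) continue;
    findings.push({ name: m[1], path, version: entry.version, status: classify(m[1], entry.version) });
  }
  return findings;
}
// Constructed sample lockfile: one patched and two vulnerable packages; plain "react" is not flagged.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/next": { version: "15.5.6" },
  "node_modules/react": { version: "19.2.0" },
  "node_modules/react-server-dom-webpack": { version: "19.2.0" },
  "node_modules/react-server-dom-turbopack": { version: "19.2.1" },
} };
for (const f of scanLockfile(SAMPLE_LOCK)) console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}`);
```

Point scanLockfile at the parsed contents of each deployed lockfile; a "not-listed" result means a line this post does not cover, not a clean bill of health.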
Verify You’re Protected
Use detection tools to confirm you’re not vulnerable. Assetnote released a React2Shell scanner on GitHub. If you’re using Rapid7, Tenable, Wiz, or similar vulnerability scanners, they’ve already added detection for this.
More importantly, if you were running vulnerable versions before December 3, you need to investigate for compromise. Look for unusual outbound connections, new files in /tmp, unauthorized user accounts, and anomalies in AWS credential usage.
Cloud Provider Protections Aren’t Enough
Yes, major cloud providers deployed WAF rules. Vercel has platform level protections. AWS deployed their Sonaris defense system and updated WAF managed rules. Cloudflare pushed WAF rules for proxied traffic. Google Cloud and Azure have similar protections.
But here’s the thing. These are not substitutes for patching. WAF rules are defense in depth. They might catch some exploitation attempts. They won’t catch all of them. Patch your systems.
Why This Matters Beyond React
React2Shell represents something bigger than just another vulnerability. It’s a maximum severity flaw in one of the most widely used frameworks. Exploitation is trivial, just an HTTP request. State sponsored actors weaponized it in hours. Public proof of concepts are available everywhere.
The window between disclosure and exploitation has collapsed. It used to be days or weeks. Now it’s hours. Security teams need to adjust their patch cycles accordingly. Emergency patching outside of normal maintenance windows is the new normal for critical infrastructure.
Additional Resources
Official Security Advisories
The React team published their official security advisory at react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components. This page includes technical details about the vulnerability, affected versions, and patching instructions directly from the React maintainers.
Next.js has a dedicated security advisory at nextjs.org/blog/CVE-2025-66478 that specifically addresses how the vulnerability impacts Next.js applications using the App Router. Essential reading if you’re running Next.js in production.
Vulnerability Deep Dive
Lachlan Davidson, the security researcher who discovered this flaw, created react2shell.com as the official vulnerability resource. The site provides proof of concept details, clarifications about false positives, and ongoing updates about the threat landscape.
Threat Intelligence Reports
AWS published comprehensive threat intelligence at aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182. This report details active exploitation attempts, threat actor TTPs, and includes WAF rule templates for AWS customers.
Government Advisories
CISA added CVE-2025-55182 to their Known Exploited Vulnerabilities catalog, accessible at cisa.gov/known-exploited-vulnerabilities-catalog. Federal agencies have until December 26, 2025 to remediate, which should tell you how seriously the US government is taking this.
Detection and Remediation Tools
Assetnote released an open source scanner at github.com/assetnote/react2shell-scanner for identifying vulnerable instances in your environment.
Vercel’s automated patching tool is available via npm. Just run npx fix-react2shell-next or check the repository at github.com/vercel/next.js/tree/canary/packages/fix-react2shell-next for documentation.
Final Thoughts
CVE-2025-55182 is being actively exploited by sophisticated threat actors right now. The exploitation timeline from disclosure to active attacks in hours shows that patching windows are shrinking. Traditional patch cycles can’t keep up with this threat landscape.
If you’re running affected versions, stop what you’re doing and patch. This isn’t theoretical. This isn’t a future concern. This is happening right now.
For organizations needing help securing their React applications or conducting security assessments, Egnworks provides penetration testing and security consulting services.