AWS: China-linked threat actors weaponized React2Shell hours after disclosure

Pierluigi Paganini December 08, 2025

Multiple China-linked threat actors began exploiting CVE-2025-55182, also known as React2Shell, within hours of its disclosure, AWS Security warns.

Multiple China-linked threat actors began exploiting CVE-2025-55182, also known as the React2Shell flaw, within hours of its disclosure, according to AWS Security. The researchers confirmed that the vulnerability does not affect AWS services; they nevertheless shared threat intelligence to help customers running React or Next.js applications in their own environments take immediate action.

The vulnerability is a pre-authentication remote code execution flaw in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, affecting the packages react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. It stems from the code deserializing payloads from HTTP requests to Server Function endpoints without adequate safety checks.

“A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack,” reads the advisory. “The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.”

Researcher Lachlan Davidson reported the vulnerability in React on November 29. He explained that unsafe payload decoding in Server Function endpoints allows unauthenticated code execution, and that applications using React Server Components may be exposed even if they do not expose Server Function endpoints themselves.

Versions 19.0.1, 19.1.2, and 19.2.1 address the flaw.
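The affected and patched version lists above map directly onto a lockfile check. The script below is an added example written for this page, not code from the article, from AWS, or from the React project: it reads an npm package-lock.json, finds every installed copy of the three packages the advisory names (including nested duplicates under other dependencies), flags the exact versions the advisory lists as affected, and names the patched release on the same minor line. The lockfile it runs against is constructed for the demonstration.

```javascript
// Added example (not from the article, AWS, or the React project): audit an
// npm package-lock.json for the react-server-dom-* packages the advisory
// names and flag the exact versions it lists as affected by CVE-2025-55182.
// SAMPLE_LOCKFILE is constructed for the demonstration.

const AFFECTED_PACKAGES = new Set([
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
  "react-server-dom-webpack",
]);

// Versions the advisory lists as vulnerable, and the patched release on each minor line.
const AFFECTED_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
const FIXED_BY_MINOR = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };

// lockfileVersion 2/3 keys entries by install path, e.g.
// "node_modules/next/node_modules/react-server-dom-webpack"; the package
// name is whatever follows the last "node_modules/".
function packageNameFromPath(installPath) {
  const marker = "node_modules/";
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? null : installPath.slice(idx + marker.length);
}

// lockfileVersion 1 nests transitive deps under each entry's "dependencies".
function collectV1(deps, out) {
  for (const [name, entry] of Object.entries(deps || {})) {
    if (entry.version) out.push({ name, version: entry.version });
    collectV1(entry.dependencies, out);
  }
}

// Every installed {name, version} pair, including nested duplicate copies.
function listInstalled(lockText) {
  const lock = JSON.parse(lockText);
  const out = [];
  if (lock.packages) {
    for (const [installPath, entry] of Object.entries(lock.packages)) {
      const name = packageNameFromPath(installPath);
      if (name && entry.version) out.push({ name, version: entry.version });
    }
  } else {
    collectV1(lock.dependencies, out);
  }
  return out;
}

function classify({ name, version }) {
  if (!AFFECTED_PACKAGES.has(name)) return null;
  if (AFFECTED_VERSIONS.has(version)) {
    const minor = version.split(".").slice(0, 2).join(".");
    return { name, version, status: "vulnerable", upgradeTo: FIXED_BY_MINOR[minor] };
  }
  // Anything else is outside the advisory's list: not flagged, but not asserted safe either.
  return { name, version, status: "not-listed", upgradeTo: null };
}

function auditLockfile(lockText) {
  return listInstalled(lockText).map(classify).filter(Boolean);
}

// Constructed lockfile: one vulnerable copy hoisted to the top level and one
// patched copy nested under another (made-up) dependency.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { react: "19.2.0" } },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/demo-bundler/node_modules/react-server-dom-parcel": { version: "19.1.2" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
});

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCKFILE), null, 2));
```

Run it with node, replacing SAMPLE_LOCKFILE with the contents of a real package-lock.json. Two caveats: the script flags only the exact versions the advisory lists, so anything else is reported as not-listed rather than as safe; and Next.js ships its own vendored copy of react-server-dom-webpack under next/dist/compiled, which no lockfile scan will see, so a Next.js application also has to be checked by its Next.js version.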

AWS Security observed exploitation attempts in AWS MadPot coming from infrastructure tied to China-linked groups Earth Lamia and Jackpot Panda. Earth Lamia typically exploits web app flaws to target organizations across LATAM, the Middle East, and Southeast Asia, while Jackpot Panda focuses on East and Southeast Asia for intelligence tied to security and corruption. Both operate through large shared anonymization networks widely used in Chinese cyber operations, which mask attacker identity and make precise attribution difficult.

“Our analysis of exploitation attempts in AWS MadPot honeypot infrastructure has identified exploitation activity from IP addresses and infrastructure historically linked to known China state-nexus threat actors,” reads the report published by AWS Security. “Large-scale anonymization networks have become a defining characteristic of Chinese cyber operations, enabling reconnaissance, exploitation, and command-and-control activities while obscuring attribution. These networks are used by multiple threat groups simultaneously, making it difficult to attribute specific activities to individual actors.”

Most unattributed activity originates from China-linked ASNs, pointing to the region as the main source. The groups weaponize public PoCs as soon as they appear online.

Threat actors use automated scanners and PoC exploits to target CVE-2025-55182 alongside other N-days such as CVE-2025-1338, rapidly integrating public exploits into broad multi-CVE campaigns. Many public PoCs are flawed yet are used anyway, reflecting a focus on speed, volume, and low barriers to entry. The resulting failed attempts generate significant log noise that can mask more sophisticated attacks.

“Analysis of data from MadPot reveals the persistent nature of these exploitation attempts. In one notable example, an unattributed threat cluster associated with IP address 183[.]6.80.214 spent nearly an hour (from 2:30:17 AM to 3:22:48 AM UTC on December 4, 2025) systematically troubleshooting exploitation attempts,” concludes the report. “This behavior demonstrates that threat actors aren’t just running automated scans, but are actively debugging and refining their exploitation techniques against live targets.”
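The two behaviours the report contrasts, scanner bursts that fill logs with failures and a single source slowly retrying and refining an attempt, can be separated from an ordinary web-server access log without any payload signature. The script below is an added example for this page, not code from the article or from AWS: it parses combined-format access log lines, profiles each source IP by the number, outcome and time span of its POST requests (Server Function calls arrive as POSTs), and ranks sources so that a run of failures followed by a success comes first, sustained low-rate retries second, and one-second bursts last. The log lines, IP addresses, thresholds and labels are all constructed for the demonstration.

```javascript
// Added example (not from the article or AWS): triage combined-format access
// logs for the patterns the AWS report describes. It keys only on request
// method, status code and timing, not on any exploit payload. All log lines
// and addresses below are constructed for the demonstration.

const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status size ...
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;

// "04/Dec/2025:02:30:17 +0000" -> epoch milliseconds (UTC)
function parseClfTime(s) {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m) return null;
  const [, d, mon, y, hh, mi, ss, sign, tzh, tzm] = m;
  const offsetMs = (sign === "-" ? -1 : 1) * (Number(tzh) * 60 + Number(tzm)) * 60000;
  return Date.UTC(+y, MONTHS[mon], +d, +hh, +mi, +ss) - offsetMs;
}

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: parseClfTime(m[2]), method: m[3], path: m[4], status: Number(m[5]) };
}

// Labels in priority order, most urgent first (thresholds are illustrative).
const LABELS = ["success-after-failures", "sustained-retries", "burst", "low-volume"];

function labelSource(p, minAttempts, sustainedMinutes) {
  if (p.failures > 0 && p.successes > 0) return "success-after-failures"; // something finally worked
  if (p.attempts >= minAttempts && p.spanMinutes >= sustainedMinutes) return "sustained-retries"; // hands-on troubleshooting
  if (p.attempts >= minAttempts) return "burst"; // automated scanner noise
  return "low-volume";
}

// Profile every source that sent POSTs and return them ranked by label.
function profileSources(lines, { minAttempts = 5, sustainedMinutes = 10 } = {}) {
  const byIp = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || r.method !== "POST") continue; // Server Function calls arrive as POSTs
    const p = byIp.get(r.ip) || { ip: r.ip, attempts: 0, failures: 0, successes: 0, first: r.time, last: r.time };
    p.attempts += 1;
    if (r.status >= 400) p.failures += 1; else p.successes += 1;
    p.first = Math.min(p.first, r.time);
    p.last = Math.max(p.last, r.time);
    byIp.set(r.ip, p);
  }
  const profiles = [...byIp.values()].map((p) => {
    const withSpan = { ...p, spanMinutes: (p.last - p.first) / 60000 };
    return { ...withSpan, label: labelSource(withSpan, minAttempts, sustainedMinutes) };
  });
  return profiles.sort((a, b) => LABELS.indexOf(a.label) - LABELS.indexOf(b.label));
}

// Constructed log lines (documentation-range IPs; the path "/" is a placeholder).
function clf(ip, time, method, status) {
  return `${ip} - - [${time}] "${method} / HTTP/1.1" ${status} 512 "-" "curl/8.5.0"`;
}

const SAMPLE_LOG = [
  // five failed POSTs spread over about 52 minutes: the slow, hands-on pattern
  clf("203.0.113.7", "04/Dec/2025:02:30:17 +0000", "POST", 500),
  clf("203.0.113.7", "04/Dec/2025:02:41:05 +0000", "POST", 500),
  clf("203.0.113.7", "04/Dec/2025:02:55:30 +0000", "POST", 500),
  clf("203.0.113.7", "04/Dec/2025:03:09:12 +0000", "POST", 500),
  clf("203.0.113.7", "04/Dec/2025:03:22:48 +0000", "POST", 500),
  // six failed POSTs inside one second: scanner burst, the "log noise"
  ...Array.from({ length: 6 }, () => clf("198.51.100.9", "04/Dec/2025:02:31:00 +0000", "POST", 500)),
  // three failures and then a 200: the source to look at first
  clf("192.0.2.77", "04/Dec/2025:04:00:00 +0000", "POST", 500),
  clf("192.0.2.77", "04/Dec/2025:04:05:00 +0000", "POST", 500),
  clf("192.0.2.77", "04/Dec/2025:04:10:00 +0000", "POST", 500),
  clf("192.0.2.77", "04/Dec/2025:04:15:00 +0000", "POST", 200),
  // an ordinary page view, not a POST, is ignored
  clf("10.0.0.5", "04/Dec/2025:04:16:00 +0000", "GET", 200),
];

console.log(JSON.stringify(profileSources(SAMPLE_LOG), null, 2));
```

The ranking, not the thresholds, is the point: a scanner that fires hundreds of broken PoCs is the loudest source in the log but the least interesting, while the one address whose failures turn into a 200 is the one to pull the request bodies for. A legitimate user retrying a failing form also matches the first rule, so in production restrict the scan to the routes that actually serve Server Functions.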





Source: https://securityaffairs.com/185436/security/aws-china-linked-threat-actors-weaponized-react2shell-hours-after-disclosure.html