Zero-Day to Zero-Hour: React2Shell (CVE-2025-55182) Becomes One of the Most Rapidly Weaponized RSC Vulnerabilities
React2Shell (CVE-2025-55182) is a high-severity vulnerability affecting React Server Components and Next.js components. It was exploited by China-linked threat actors shortly after disclosure, leading to remote code execution, and CISA has added it to its KEV catalog. After researchers published PoC code, attackers moved quickly, and even Cloudflare's services were affected. Organizations should upgrade immediately and strengthen monitoring. 2025-12-8 14:46:10 Author: cyble.com

React2Shell (CVE-2025-55182) was exploited within minutes by China-nexus groups, exposing critical weaknesses in React Server Components.

The vulnerability disclosure cycle has entered a new era, one where the gap between publication and weaponization is measured in minutes, not days. It has been confirmed that China-nexus threat actors began actively exploiting a critical React Server Components flaw, React2Shell, only hours after its public release.  

The vulnerability, tracked as CVE-2025-55182, impacts React Server Components across React 19.x and Next.js 15.x/16.x deployments using the App Router and carries a CVSS 10.0 severity rating, enabling unauthenticated remote code execution (RCE). 

CISA immediately added the flaw to its Known Exploited Vulnerabilities catalog, stating: 
“CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.” 

The Researcher’s PoCs and the Mechanism of Exploitation 

Lachlan Davidson, who has been attributed with finding this flaw, published the original PoCs on GitHub, explaining: 

“As public PoCs are circulating and Google’s Scanner uses a variation of my original submitted PoC, it’s finally a responsible time to share my original PoCs for React2Shell.” 

Davidson released three PoCs, 00-very-first-rce-poc, 01-submitted-poc.js, and 02-meow-rce-poc, and summarized the attack chain: 


  • “$@x gives you access to a Chunk” 
  • “We plant its then on our own object” 
  • “The JS runtime automatically unravels nested promises” 
  • “We now re-enter the parser, but with control of a malicious fake Chunk object” 
  • “Planting things on _response lets us access a lot of gadgets” 
  • “RCE” 

He also noted that “the publicly recreated PoC… did otherwise use the same _formData gadget that mine did”, though the promise then chaining primitive from his implementation was not universally adopted. 

Rapid Weaponization by China-Nexus Groups 

AWS detected exploitation beginning within hours of public disclosure on December 3, based on telemetry from its MadPot honeypot infrastructure. The actors included: 

  • Earth Lamia, known for targeting financial, logistics, and government sectors across Latin America, MENA, and Southeast Asia. 
  • Jackpot Panda, primarily focused on East and Southeast Asian organizations aligned with domestic security interests. 

AWS stated, “China continues to be the most prolific source of state-sponsored cyber threat activity, with threat actors routinely operationalizing public exploits within hours or days of disclosure.” 

Attackers overwhelmingly prioritized speed over precision, firing flawed and incomplete public PoCs at large swaths of the internet in a high-volume scanning wave. Many PoCs made unrealistic assumptions, such as relying on exposed fs, vm, or child_process modules that never appear in real deployments.  

Yet this volume-based strategy still identifies edge-case vulnerable configurations. 

Technical Analysis: React2Shell in the RSC Flight Protocol 

CRIL (Cyble Research and Intelligence Labs) found that at its core, CVE-2025-55182 (React2Shell) is an unsafe deserialization flaw in the React Server Components Flight protocol. It affects: 

  • react-server-dom-webpack 
  • react-server-dom-parcel 
  • react-server-dom-turbopack 

across React versions 19.0.0–19.2.0; the fix shipped in 19.0.1, 19.1.2, and 19.2.1. 

Next.js is additionally vulnerable under CVE-2025-66478, impacting all versions from 14.3.0-canary.77, all unpatched 15.x builds, and all 16.x releases before 16.0.7. 
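The version ranges above are what a defender needs first: is the installed package inside the affected range or not? The following Node.js script is an added example, not code from Cyble or the React/Next.js projects. It encodes only the ranges stated in this article (react-server-dom-* 19.0.0–19.2.0 with fixes in 19.0.1, 19.1.2 and 19.2.1; Next.js from 14.3.0-canary.77, all 15.x, and 16.x before 16.0.7) and checks a dependency map of the kind found in a lockfile. Because the article does not list the patched 15.x builds, 15.x is reported as "review-advisory" rather than guessed; the sample dependency map is constructed.

```javascript
// Added example (not Cyble's or the React project's code): flag installed
// package versions that fall inside the React2Shell ranges stated in the article.

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Compare the numeric core only; prerelease tags are handled by the callers.
function cmp(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  return 0;
}

// react-server-dom-*: vulnerable 19.0.0-19.2.0, fixed in 19.0.1, 19.1.2, 19.2.1.
// Map of 19.x minor -> first patched patch level.
const REACT_FIXED_PATCH = { 0: 1, 1: 2, 2: 1 };

function reactRscStatus(version) {
  const v = parseVersion(version);
  if (v.major !== 19) return 'not-affected';
  if (!(v.minor in REACT_FIXED_PATCH)) return 'outside-stated-range';
  const fixed = REACT_FIXED_PATCH[v.minor];
  // A prerelease of the fixed version (e.g. 19.2.1-canary.x) predates the fix.
  if (v.patch < fixed || (v.patch === fixed && v.pre)) return 'vulnerable';
  return 'patched';
}

// Next.js (CVE-2025-66478): from 14.3.0-canary.77, all unpatched 15.x, 16.x < 16.0.7.
function nextStatus(version) {
  const v = parseVersion(version);
  if (v.major === 16) {
    const c = cmp(v, parseVersion('16.0.7'));
    if (c < 0 || (c === 0 && v.pre)) return 'vulnerable';
    return 'patched';
  }
  // The article gives no fixed 15.x builds, so do not guess: send to the advisory.
  if (v.major === 15) return 'review-advisory';
  if (v.major === 14) {
    const c = cmp(v, parseVersion('14.3.0'));
    if (c > 0) return 'vulnerable';
    if (c < 0) return 'not-affected';
    if (!v.pre) return 'vulnerable';            // 14.3.0 stable follows canary.77
    const m = /^canary\.(\d+)$/.exec(v.pre);
    if (!m) return 'review-advisory';           // other 14.3.0 prerelease tags
    return +m[1] >= 77 ? 'vulnerable' : 'not-affected';
  }
  return 'not-affected';
}

const RSC_PACKAGES = [
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
];

// deps: { packageName: installedVersion } as read from a lockfile.
function auditDependencies(deps) {
  const findings = [];
  for (const [name, version] of Object.entries(deps)) {
    let status = null;
    if (RSC_PACKAGES.includes(name)) status = reactRscStatus(version);
    else if (name === 'next') status = nextStatus(version);
    if (status) findings.push({ name, version, status });
  }
  return findings;
}

// Constructed sample dependency map (not taken from any real deployment).
const SAMPLE_DEPS = {
  react: '19.2.0',
  'react-server-dom-webpack': '19.2.0',
  next: '16.0.5',
};

console.log(auditDependencies(SAMPLE_DEPS));
```

Run it with `node` against a map extracted from your lockfile; anything reported as vulnerable or review-advisory should be upgraded to the patched releases named above before relying on any WAF rule.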

Attack telemetry showed: 

  • Automated scanners with user-agent randomization 
  • Parallel exploitation of CVE-2025-1338 
  • Immediate PoC adoption regardless of accuracy 
  • Manual exploitation attempts, including whoami, id, and /etc/passwd reads 
  • File write attempts such as /tmp/pwned.txt 

A concentrated cluster originating from 183[.]6.80.214 executed 116 requests over 52 minutes, demonstrating active operator involvement. 

Cloudflare’s Emergency Downtime While Mitigating React2Shell 

The severity of React2Shell (CVE-2025-55182) was spotlighted when Cloudflare intentionally took down part of its own network to apply emergency defenses. The outage affected 28% of Cloudflare-served HTTP traffic early Friday. 

Cloudflare CTO Dane Knecht clarified that the disruption “was not caused, directly or indirectly, by a cyberattack… Instead, it was triggered by changes being made to our body parsing logic while attempting to detect and mitigate an industry-wide vulnerability disclosed this week in React Server Components.” 

This incident unfolded as researchers observed attackers hammering the vulnerability, alongside waves of legitimate and fraudulent proofs of concept circulating online. 

Global Warnings Ring-In 

The Australian Cyber Security Centre (ACSC) issued a public notice, stating, “This alert is relevant to all Australian businesses and organizations… ASD’s ACSC is aware of a critical vulnerability in React Server Components… Organizations should review their networks for vulnerable instances of these packages and upgrade to fixed versions.” 

Organizations must assume that scanning for React2Shell is continuous and widespread. ACSC outlined immediate steps for mitigation: 

  1. Update all React/Next.js deployments: Verify versions against vulnerable ranges and upgrade to patched releases. 
  2. Enable AWS WAF interim protection rules: These block known exploit sequences during patching windows. 
  3. Review logs for exploitation indicators: Look for malformed RSC payloads, next-action or rsc-actionid headers, and repeated sequential failures. 
  4. Inspect backend systems for post-exploitation behavior: Unexpected execution, unauthorized file writes, or suspicious commands. 
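The log-review step, together with the telemetry patterns described earlier (user-agent randomization, repeated failing requests, and a single source sending 116 requests over 52 minutes), can be turned into a first-pass triage script. The following Node.js code is an added example, not Cyble's or ACSC's tooling. It groups web-server records by source address and flags four things: a source listed in this article's Indicators of Compromise, a burst of requests within one hour, several distinct user-agents from one source, and a streak of failed requests that carry a next-action or rsc-actionid header. The log format (JSON records with ts, src, status, ua and headers fields) and all thresholds are assumptions, and the log lines are constructed.

```javascript
// Added example (not Cyble's or ACSC's code): triage web-server logs for the
// React2Shell indicators the article lists. Format and thresholds are assumed.

// IoC addresses from the article (dotted form of the defanged list).
const IOC_IPS = new Set(['206.237.3.150', '45.77.33.136', '143.198.92.82', '183.6.80.214']);
// Header names that mark an RSC server-action request (matched case-insensitively).
const RSC_ACTION_HEADERS = ['next-action', 'rsc-actionid'];
// Assumed thresholds; tune to your own traffic baseline.
const BURST_WINDOW_MS = 60 * 60 * 1000;   // one hour
const BURST_THRESHOLD = 20;               // requests per window from one source
const UA_CHURN_THRESHOLD = 3;             // distinct user-agents from one source
const FAIL_STREAK_THRESHOLD = 3;          // consecutive failed action requests

// Build one constructed JSON log record (December 4, 2025, 10:MM UTC).
function rec(minute, src, status, ua, withAction) {
  const ts = new Date(Date.UTC(2025, 11, 4, 10, minute, 0)).toISOString();
  const headers = withAction ? { 'Next-Action': 'constructed-action-id' } : {};
  return JSON.stringify({ ts, src, method: 'POST', path: '/', status, ua, headers });
}

// Constructed sample log: one operator-driven cluster, one legitimate client,
// and one unlisted source sending a run of malformed action requests.
const SAMPLE_LOG = [
  ...Array.from({ length: 25 }, (_, i) =>
    rec(i * 2, '183.6.80.214', 500, `Mozilla/5.0 (variant ${i % 3})`, true)),
  ...Array.from({ length: 4 }, (_, i) =>
    rec(i * 5, '10.0.0.5', 200, 'Mozilla/5.0 (Macintosh)', true)),
  rec(0, '198.51.100.7', 200, 'curl/8.0', false),
  rec(1, '198.51.100.7', 400, 'curl/8.0', true),
  rec(2, '198.51.100.7', 400, 'curl/8.0', true),
  rec(3, '198.51.100.7', 400, 'curl/8.0', true),
];

function parseLine(line) {
  try {
    const r = JSON.parse(line);
    return { ...r, t: Date.parse(r.ts) };
  } catch {
    return null; // skip unparseable lines rather than abort the run
  }
}

function hasRscActionHeader(r) {
  const keys = Object.keys(r.headers || {}).map((k) => k.toLowerCase());
  return RSC_ACTION_HEADERS.some((h) => keys.includes(h));
}

// Returns [{ src, requests, reasons: [...] }] for every source that trips a rule.
function triage(lines) {
  const bySrc = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue;
    if (!bySrc.has(r.src)) bySrc.set(r.src, []);
    bySrc.get(r.src).push(r);
  }
  const findings = [];
  for (const [src, recs] of bySrc) {
    recs.sort((a, b) => a.t - b.t);
    const reasons = [];
    if (IOC_IPS.has(src)) reasons.push('known-ioc-ip');
    // Largest number of requests inside any one-hour sliding window.
    let lo = 0, maxInWindow = 0;
    for (let hi = 0; hi < recs.length; hi++) {
      while (recs[hi].t - recs[lo].t > BURST_WINDOW_MS) lo++;
      maxInWindow = Math.max(maxInWindow, hi - lo + 1);
    }
    if (maxInWindow >= BURST_THRESHOLD) reasons.push(`burst:${maxInWindow}`);
    // User-agent randomization: many distinct UAs from one address.
    const uas = new Set(recs.map((r) => r.ua));
    if (uas.size >= UA_CHURN_THRESHOLD) reasons.push(`ua-churn:${uas.size}`);
    // Repeated sequential failures on requests carrying an RSC action header.
    let streak = 0, maxStreak = 0;
    for (const r of recs) {
      if (hasRscActionHeader(r) && r.status >= 400) {
        streak++;
        maxStreak = Math.max(maxStreak, streak);
      } else {
        streak = 0;
      }
    }
    if (maxStreak >= FAIL_STREAK_THRESHOLD) reasons.push(`rsc-action-failures:${maxStreak}`);
    if (reasons.length) findings.push({ src, requests: recs.length, reasons });
  }
  return findings;
}

console.log(JSON.stringify(triage(SAMPLE_LOG), null, 2));
```

On the constructed sample, the IoC address trips every rule while the legitimate client, which also sends next-action requests but succeeds, is left alone; the point of combining the header check with failure streaks and bursts is that server-action headers on their own are normal application traffic. Sources that trip a rule are the ones to carry into step 4, the backend inspection for unexpected execution or file writes.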

Conclusion 

The exploitation of React2Shell (CVE-2025-55182) shows how quickly high-severity vulnerabilities in critical and widely adopted components can be weaponized. China-nexus groups and opportunistic actors began targeting the flaw within minutes of disclosure, using shared infrastructure and public PoCs, accurate or not, to launch high-volume attacks. Organizations using React or Next.js App Router must patch immediately and monitor for iterative, operator-driven activity. 

Given this tempo, organizations need intelligence and automation that operate in real time. Cyble, ranked #1 globally in Cyber Threat Intelligence Technologies by Gartner Peer Insights, provides AI-native security capabilities through platforms such as Cyble Vision and Blaze AI. These systems identify threats early, correlate IOCs across environments, and automate response actions. 

Schedule a personalized demo to evaluate how AI-native threat intelligence can strengthen your security posture against vulnerabilities like React2Shell. 

Indicators of Compromise 

  • 206[.]237.3.150 
  • 45[.]77.33.136 
  • 143[.]198.92.82 
  • 183[.]6.80.214 

MITRE ATT&CK Techniques 

Tactic               | Technique ID | Technique Name
Initial Access       | T1190        | Exploit Public-Facing Application
Privilege Escalation | T1068        | Exploitation for Privilege Escalation

Article source: https://cyble.com/blog/react2shell-cve-2025-55182-rapid-exploitation/