Last updated on 9 December.

A critical vulnerability in React Server Components is allegedly being actively exploited by multiple Chinese threat actors, Recorded Future recommends organizations patch their systems immediately.

What's Happening

CVE-2025-55182, dubbed "React2Shell," affects React Server Components versions 19.0, 19.1.0, 19.1.1, and 19.2.0 in several Meta packages. Amazon's AWS Threat Intelligence team reported on December 4 that Chinese threat groups including Earth Lamia, Jackpot Panda, and several untracked clusters are actively exploiting this vulnerability. However, AWS has not provided any further evidence for these attributions beyond IP addresses allegedly used by these threat groups. At this stage, Insikt Group cannot exclude the possibility that the same threat group might still be using the IP address 206[.]237[.]3[.]150, but we are currently unable to verify AWS’s attribution to Earth Lamia.

The vulnerability stems from unsafe payload deserialization at React Server Function endpoints. When successfully exploited, attackers can execute arbitrary code through crafted HTTP requests, potentially leading to complete backend compromise.

The Scale of the Problem

According to Wiz Security's analysis, approximately 39% of scanned cloud environments contain vulnerable React instances. More concerning, their research shows that exploitation attempts have a near 100% success rate.

Beyond React Server Components, the vulnerability affects popular frameworks and libraries that bundle react-server, including:

• Next.js
• React Router
• Waku
• Redwood SDK
• RSC plugins for Parcel and Vite

Timeline of Events

The situation unfolded rapidly:

• December 3, 2025: React Team disclosed the vulnerability and released patches
• December 3, 2025: Recorded Future authored a signature to detect CVE-2025-55182 via attack surface scans
• December 3, 10 PM UTC: Datadog researchers identified 80 threat actor-linked IP addresses scanning for the vulnerability
• December 4, 2025: Amazon reported active exploitation by Chinese threat groups

Who's Behind the Attacks

According to Recorded Future's Insikt Group, IP address 143[.]198[.]92[.]82 is highly likely an exit node for the Chinese relay network HiddenOrbit (RedRelay). HiddenOrbit is a relay network used by multiple Chinese state-sponsored threat activity groups to obfuscate malicious activity and hinder attribution and tracking efforts.

Proof-of-Concept Exploits Available

Multiple proof-of-concept (PoC) exploits have been published demonstrating how to exploit CVE-2025-55182. The most credible comes from researcher Lachlan Davidson, who initially discovered and disclosed the vulnerability.

Davidson's PoC works by:

1. Crafting an HTTP POST request with a JSON payload embedded as "multipart/form-data"
2. Mimicking Server Action calls with specific headers
3. Sending the request to Next.js or Waku RSC endpoints
4. Triggering automatic deserialization that executes the malicious payload

While numerous additional PoCs have emerged since disclosure, both Davidson and AWS Security caution that many are of questionable quality and rely on unrealistic victim configurations in most React-based environments.

What You Need to Do Now

Organizations using React must act immediately:

1. Identify Vulnerable Assets

Determine whether your publicly accessible React-based applications are vulnerable using Assetnote's react2shell-scanner. You can also check locally by running:

npm run audit

If vulnerable, you should see a critical severity warning about Next.js RCE vulnerability.

Get the Insikt Group® Nuclei template. Download our YAML file. The template safely checks if an RSC/Next.js application is vulnerable to CVE-2025-55182 by sending a crafted Server Actions-style POST request that mimics an RSC multipart form upload. It generates random request IDs, sets RSC/Next.js-specific headers, and sends a minimal payload designed to hit the deserialization path without executing arbitrary code.

2. Apply Patches Immediately

The React Team released patches for all affected versions:

• Version 19.0.1 (for 19.0)
• Version 19.1.2 (for 19.1.0 and 19.1.1)
• Version 19.2.1 (for 19.2.0)

Both React and Next.js have published detailed mitigation guidelines.

• React
• Next.js

3. Block Malicious IP Addresses

Consider blocklisting the IP addresses identified in exploitation attempts:

• 143[.]198[.]92[.]82 (HiddenOrbit node), Insikt Group confirmed attribution to this China anonymization network
• 206[.]237[.]3[.]150 (suspected Earth Lamia but unconfirmed)
• 45[.]77[.]33[.]136 (suspected Jackpot Panda)
• 183[.]6[.]80[.]214 (unattributed)

Why This Matters

The combination of factors makes this vulnerability particularly dangerous:

• Likely exploitation by state-sponsored threat groups
• High success rate (near 100%)
• Widespread vulnerable deployments (39% of scanned environments)
• Multiple publicly available PoC exploits
• Recent disclosure means many systems remain unpatched

Recorded Future Recommendations

Developers implementing React in their tech stacks are strongly advised to determine whether publicly accessible assets using React frameworks are currently vulnerable to CVE-2025-55182. The best way to currently scan for vulnerable assets is by using Assetnote’s react2shell-scanner; however, the tool is associated with false positives, so patching is necessary in instances where vulnerability is disputed. DataDog Security Labs also notes that the vulnerability can be identified locally by running the command “npm run audit,” which should respond with the following message if your current local version of React is vulnerable:

$ npm audit report

next  16.0.0-canary.0 - 16.0.6
Severity: critical
Next.js is vulnerable to RCE in React flight protocol - https://github.com/advisories/GHSA-9qr9-h5gf-34mp

Due to the responsible disclosure of CVE-2025-55182, a patch for all affected versions of React is available. Both React and Next.js have published mitigation guidelines to follow, which can be found here:

• React
• Next.js

Given the severity and active exploitation, patching vulnerable React deployments should be treated as an urgent priority. The window between vulnerability disclosure and widespread exploitation continues to shrink, and threat actors are moving quickly to capitalize on unpatched systems.

Additionally, customers should consider deny-listing the IP addresses disclosed by AWS as involved in React2Shell exploitation.

Learn how to stay ahead of emerging threats. Understand all of the critical vulnerabilities that may be affecting your organization. Speak to our threat intelligence experts today.