Beijing-linked hackers are hammering max-severity React bug, AWS warns
Summary
AWS has warned that China-linked state-nexus threat groups began actively exploiting a critical React Server Components vulnerability (CVE-2025-55182), dubbed “React2Shell”, within hours of public disclosure. Amazon’s MadPot honeypots logged scanning and exploit attempts tied to infrastructure associated with groups such as Earth Lamia and Jackpot Panda. The flaw allows unauthenticated remote code execution via unsafe deserialization in server-side React packages and affects frameworks that depend on those packages, including Next.js.
React released patched server-side builds the same day the vulnerability was disclosed, and AWS says it has deployed mitigations across managed services — but those countermeasures are not a substitute for patching. Security researchers estimate a large proportion of cloud environments remained vulnerable days after disclosure, and AWS urges organisations running React or Next.js on EC2, containers or self-managed hosts to update immediately.
Key Points
- CVSS-10 vulnerability CVE-2025-55182 (React2Shell) enables unauthenticated remote code execution via unsafe deserialization in server-side React packages.
- AWS observed active exploitation attempts within hours, using proof-of-concept payloads; attacks were logged in Amazon’s MadPot honeypot network.
- China-nexus threat groups such as Earth Lamia and Jackpot Panda were implicated; opportunistic criminal actors are likely to follow.
- React shipped patched releases for affected server packages on disclosure day; organisations must patch instances on EC2, containers and self-managed infra immediately.
- Some security observers urge caution: blunt emergency mitigations can cause self-inflicted outages if applied indiscriminately.
Why should I read this?
Short version: attackers went from proof-of-concept to active exploitation in hours. If you’ve still got vulnerable React server packages live, you really need to patch now — no drama, just do it. We’ve skimmed the panic and pulled the essentials so you can act fast.
Context and relevance
This is significant because React is pervasive across modern web stacks and many server-side frameworks depend on its server packages. A maximum-severity RCE in those components creates a broad blast radius for compromise, data theft or further lateral attacks. The involvement of state-linked groups raises both the speed and sophistication of exploitation, shortening the window for safe remediation.
AWS’s detection and mitigations help cloud customers, but they underline two truths: public exploits get weaponised fast, and platform-level mitigations do not replace full patching and verification of self-managed services. Organisations should prioritise patching, verify exposure of server endpoints, and avoid knee-jerk, service-wide changes that might cause outages.
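The first step in "verify exposure" is knowing where the server-side React packages actually live, including nested copies pulled in by other dependencies. The script below is an added, defender-side example (not code from AWS, React or The Register): it reads a package-lock.json, lists every copy of the React Server Components server packages it finds, and flags versions below a patched floor that the operator fills in from React's advisory. The package set is an assumption about which packages carry the server-side code, the lockfile is a constructed sample, and the floor values in the test are placeholders, not the real patched versions.

```python
"""Inventory React Server Components server packages in a lockfile and flag
versions below an operator-supplied patched floor.

Added example, not AWS/React code. Assumptions: the package set below is the
one to check, and the patched floor comes from React's advisory (placeholder).
"""
import json
import re
from typing import Dict, List, Optional, Tuple

# Assumption: these npm packages carry the server-side RSC deserialization code.
RSC_SERVER_PACKAGES = {
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
}

# PLACEHOLDER: map each release line (major, minor) to the first patched version
# from React's advisory, e.g. {(19, 1): "19.1.X"}. Left empty so nothing is
# reported "patched" on the strength of a guessed number.
PATCHED_FLOOR: Dict[Tuple[int, int], str] = {}

# Constructed sample lockfile (lockfileVersion 3 layout); versions are made up.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"next": "*", "react": "*"}},
        "node_modules/react": {"version": "19.1.0"},
        "node_modules/react-dom": {"version": "19.1.0"},
        "node_modules/next": {"version": "15.5.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.1.0"},
        "node_modules/react-server-dom-parcel": {"version": "19.2.5"},
        # Nested copy installed under another dependency: easy to miss by hand.
        "node_modules/some-lib/node_modules/react-server-dom-turbopack": {
            "version": "19.2.0-canary-abc123"
        },
    },
})

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")
# (major, minor, patch, release flag): flag 0 = pre-release, so a canary sorts
# below the final release of the same number, as semver requires.
Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Optional[Version]:
    """Parse 'x.y.z' or 'x.y.z-prerelease'; None for anything else."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def find_rsc_packages(lock_text: str) -> List[Tuple[str, str, str]]:
    """Return (install path, package name, version) for every RSC server copy."""
    lock = json.loads(lock_text)
    found = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry
            continue
        name = path.rsplit("node_modules/", 1)[-1]  # keeps @scope/name intact
        if name in RSC_SERVER_PACKAGES:
            found.append((path, name, meta.get("version", "")))
    return found


def assess(lock_text: str, patched_floor: Dict[Tuple[int, int], str]) -> List[Dict[str, str]]:
    """Classify each installed copy as vulnerable, patched, unknown-line or unparseable."""
    results = []
    for path, name, version in find_rsc_packages(lock_text):
        parsed = parse_version(version)
        if parsed is None:
            status = "unparseable"
        else:
            floor = parse_version(patched_floor.get(parsed[:2], "")) if parsed[:2] in patched_floor else None
            if floor is None:
                status = "unknown-line"  # operator must check this release line
            else:
                status = "vulnerable" if parsed < floor else "patched"
        results.append({"path": path, "name": name, "version": version, "status": status})
    return results


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    for r in assess(text, PATCHED_FLOOR):
        print(f"{r['status']:12} {r['name']}@{r['version']}  ({r['path']})")
    if not PATCHED_FLOOR:
        print("PATCHED_FLOOR is empty: fill it from React's advisory before trusting results")
```

Run it against a real lockfile with `python inventory.py path/to/package-lock.json`; an empty `PATCHED_FLOOR` deliberately reports every copy as `unknown-line` rather than guessing. Note that a lockfile only shows what is installed, not which server endpoints are reachable, so this complements rather than replaces checking exposure at the network edge.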
Source
Source: https://go.theregister.com/feed/www.theregister.com/2025/12/05/aws_beijing_react_bug/
