React2Shell Vulnerability Under Attack from China-Nexus Groups
Summary
CVE-2025-55182 (nicknamed “React2Shell”) is a maximum-severity unauthenticated remote code execution (RCE) bug in React Server Components affecting several react-server-dom packages and React 19.x releases. A related maximum-severity downstream issue, CVE-2025-66478, impacts Next.js. Patches for React (19.0.1, 19.1.2, 19.2.1) and guidance/patches for Next.js are available and should be applied immediately.
Key Points
- CVE-2025-55182 is an unauthenticated RCE caused by unsafe deserialization in React Server Components; CVSS score: 10.
- Multiple China-nexus threat groups (e.g., Earth Lamia, Jackpot Panda) began active exploitation attempts within hours of disclosure.
- Attackers are using automated scanners and public PoC exploits; some of the public PoCs are non-functional, but others have been validated as working.
- Downstream frameworks like Next.js are affected (CVE-2025-66478); framework maintainers (e.g., Vercel) have published mitigations and patches.
- Defensive responses (WAF rules, vendor mitigations) have caused collateral impacts — for example, Cloudflare deployed protections that briefly affected service.
- Organisations should patch now and assume broad scanning/exploitation activity is ongoing or imminent.
Context and Relevance
This vulnerability affects one of the most widely used frontend libraries, and because the flaw sits in React Server Components the exposure is server-side: React's ubiquity means a large attack surface across websites and applications. The speed of exploitation by China-linked groups illustrates a modern trend: attackers integrate newly disclosed CVEs into automated scanning rigs within hours.
The story matters for developers, security engineers and ops teams because unpatched server-side React components can allow pre-auth RCE — a direct path to data theft, ransomware, or supply-chain compromise. The incident also underscores how downstream frameworks (Next.js) and cloud protection services are pulled into the fallout.
Why should I read this?
Look — it’s urgent. If you run React Server Components or Next.js, this is the one you don’t want lingering unpatched. Attackers slapped PoCs into scanners within hours and are already probing infrastructure. Read the details so you can patch, deploy mitigations and stop a nasty surprise later.
Author note
Punchy summary: this is a top-tier, high-impact bug with active exploitation. If your stack touches React 19.x server components or Next.js, treat this like a red alert — apply vendor patches and WAF rules where appropriate, and validate your inventories and CI/CD pipelines for vulnerable packages.
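One concrete way to act on the inventory advice above is to check which React versions a build actually resolves. The following Python script is an added example, not code from the article or from the React or Next.js projects: it walks an npm package-lock.json (lockfile v2/v3 "packages" map) and flags react and react-server-dom-* packages whose version is below the fixed releases the summary lists (19.0.1, 19.1.2, 19.2.1). The react-server-dom- prefix match, the SAMPLE_LOCK contents and the function names are assumptions; the page does not enumerate the affected packages, so anything outside the three listed 19.x lines, any prerelease build, and Next.js itself are reported as "unknown" or left unaudited and should be checked against vendor guidance.

```python
"""Audit an npm lockfile for React packages below the React2Shell fix level.

Added example, not code from the original article. The fixed versions
(19.0.1, 19.1.2, 19.2.1) and the 19.x scope come from the advisory summary;
the react-server-dom-* prefix match is an assumption because the page does
not list the affected packages individually.
"""
import json
import re
import sys
from typing import Dict, List

# First patched patch level for each affected 19.x minor line (from the page).
FIXED_PATCH_BY_MINOR: Dict[int, int] = {0: 1, 1: 2, 2: 1}

AUDITED_EXACT = {"react"}             # named on the page
AUDITED_PREFIX = "react-server-dom-"  # assumption: "several react-server-dom packages"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")


def is_audited(name: str) -> bool:
    return name in AUDITED_EXACT or name.startswith(AUDITED_PREFIX)


def classify(name: str, version: str) -> str:
    """Return one of: not_audited, vulnerable, patched, unknown."""
    if not is_audited(name):
        return "not_audited"
    m = _VERSION_RE.match(version.strip())
    if not m:
        return "unknown"
    major, minor, patch, suffix = int(m[1]), int(m[2]), int(m[3]), m[4]
    # Prerelease/canary builds do not map cleanly onto the stable fix levels.
    if suffix:
        return "unknown"
    # The page scopes the bug to React 19.x; anything else needs vendor guidance.
    if major != 19 or minor not in FIXED_PATCH_BY_MINOR:
        return "unknown"
    return "patched" if patch >= FIXED_PATCH_BY_MINOR[minor] else "vulnerable"


def package_name(lock_path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (npm lockfile v2/v3 keys)."""
    return lock_path.rsplit("node_modules/", 1)[-1]


def audit_lock(lock: dict) -> List[dict]:
    """Classify every audited package in a lockfile v2/v3 'packages' map."""
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = package_name(path)
        version = entry.get("version", "")
        status = classify(name, version)
        if status != "not_audited":
            findings.append({"path": path, "name": name,
                             "version": version, "status": status})
    return sorted(findings, key=lambda f: f["path"])


def vulnerable_paths(lock: dict) -> List[str]:
    """Lockfile paths (including nested copies) that still need the patch."""
    return [f["path"] for f in audit_lock(lock) if f["status"] == "vulnerable"]


# Constructed sample lockfile for demonstration, not taken from any real project.
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/react": {"version": "19.1.0"},
        "node_modules/react-dom": {"version": "19.1.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.1.0"},
        "node_modules/some-tool/node_modules/react": {"version": "19.2.1"},
        "node_modules/other/node_modules/react": {"version": "18.3.1"},
    },
}


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    for f in audit_lock(lock):
        print(f"{f['status']:<10} {f['name']}@{f['version']}  ({f['path']})")
    # Non-zero exit lets this act as a CI gate.
    return 1 if vulnerable_paths(lock) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python audit_react_lock.py path/to/package-lock.json`; with no argument it audits the embedded constructed sample. Nested copies under a dependency's own node_modules are checked too, since a hoisted patched react does not fix a vendored older one.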
