    React2Shell: Speedy CVE-2025-55182 Exploitation Uncovered

    By Declan Murphy, December 13, 2025

    React2Shell (CVE-2025-55182) was exploited within minutes by China-nexus groups, exposing critical weaknesses in React Server Components.

    The vulnerability disclosure cycle has entered a new era, one where the gap between publication and weaponization is measured in minutes, not days. It has been confirmed that China-nexus threat actors began actively exploiting a critical React Server Components flaw, React2Shell, only hours after its public release.

    The vulnerability, tracked as CVE-2025-55182, affects React Server Components across React 19.x and Next.js 15.x/16.x deployments using the App Router and carries a CVSS 10.0 severity rating, enabling unauthenticated remote code execution (RCE).

    CISA immediately added the flaw to its Known Exploited Vulnerabilities catalog, stating:
    “CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.”

    The Researcher’s PoCs and the Mechanism of Exploitation 

    Lachlan Davidson, who is credited with discovering this flaw, published the original PoCs on GitHub, explaining:

    “As public PoCs are circulating and Google’s Scanner uses a variation of my original submitted PoC, it’s finally a responsible time to share my original PoCs for React2Shell.”

    Davidson released three PoCs, 00-very-first-rce-poc, 01-submitted-poc.js, and 02-meow-rce-poc, and summarized the attack chain:

    • “$@x gives you access to a Chunk”
    • “We plant its then on our own object”
    • “The JS runtime automatically unravels nested promises”
    • “We now re-enter the parser, but with control of a malicious fake Chunk object”
    • “Planting things on _response lets us access a number of gadgets”

    He also noted that “the publicly recreated PoC… did otherwise use the same _formData gadget that mine did”, though the chaining primitive in his then implementation was not universally adopted.

    Rapid Weaponization by China-Nexus Groups

    AWS detected exploitation beginning within hours of public disclosure on December 3, based on telemetry from its MadPot honeypot infrastructure. The actors included:

    • Earth Lamia, known for targeting financial, logistics, and government sectors across Latin America, MENA, and Southeast Asia.
    • Jackpot Panda, primarily focused on East and Southeast Asian organizations aligned with domestic security interests.

    AWS stated, “China continues to be the most prolific source of state-sponsored cyber threat activity, with threat actors routinely operationalizing public exploits within hours or days of disclosure.”

    Attackers overwhelmingly prioritized speed over precision, firing flawed and incomplete public PoCs at large swaths of the internet in a high-volume scanning wave. Many PoCs made unrealistic assumptions, such as assuming exposed fs, vm, or child_process modules that never appear in real deployments.

    Yet this volume-based strategy still identifies edge-case vulnerable configurations.

    Technical Analysis: React2Shell in the RSC Flight Protocol

    CRIL (Cyble Research and Intelligence Labs) found that at its core, CVE-2025-55182 (React2Shell) is an unsafe deserialization flaw in the React Server Components Flight protocol. It affects:

    • react-server-dom-webpack
    • react-server-dom-parcel
    • react-server-dom-turbopack

    These packages are affected across React versions 19.0.0–19.2.0, and patched in 19.0.1, 19.1.2, and 19.2.1.

    Next.js is additionally vulnerable under CVE-2025-66478, impacting all versions from 14.3.0-canary.77, all unpatched 15.x builds, and all 16.x releases before 16.0.7.
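
    The version ranges above, turned into a lockfile check. This is an added example, not code from Cyble, React or Next.js; the function names, the status labels and the sample lockfile are assumptions made for illustration, and 15.x is reported for manual review because the article names no fixed 15.x build.

```javascript
// Added example: classify installed versions against the ranges quoted in the article.
const RSC_PACKAGES = ['react-server-dom-webpack', 'react-server-dom-parcel',
  'react-server-dom-turbopack'];
const RSC_FIXED = { '19.0': [19, 0, 1], '19.1': [19, 1, 2], '19.2': [19, 2, 1] };

// Compare two [major, minor, patch] triples: returns -1, 0 or 1.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}
function classify(name, version) {
  const isRsc = RSC_PACKAGES.includes(name);
  if (!isRsc && name !== 'next') return 'not-listed';
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(version);
  if (!m) return 'unparsed';
  const v = [Number(m[1]), Number(m[2]), Number(m[3])];
  const pre = m[4] || '';
  if (isRsc) {
    const fixed = RSC_FIXED[`${v[0]}.${v[1]}`];
    if (!fixed) return 'not-listed';   // outside the 19.0.x-19.2.x lines
    if (pre) return 'review';          // pre-releases are not covered by the article
    return cmp(v, fixed) < 0 ? 'vulnerable' : 'patched';
  }
  // The article names no fixed 15.x build, so 15.x needs a manual check.
  if (v[0] === 15 || (v[0] === 16 && pre)) return 'review';
  if (v[0] === 16) return cmp(v, [16, 0, 7]) < 0 ? 'vulnerable' : 'patched';
  if (v[0] === 14) {
    const canary = /^canary\.(\d+)$/.exec(pre);
    const c = cmp(v, [14, 3, 0]);
    if (c > 0 || (c === 0 && (!pre || (canary && Number(canary[1]) >= 77)))) return 'vulnerable';
  }
  return 'not-listed';
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3), nested copies included.
function auditLock(lock) {
  return Object.entries(lock.packages || {})
    .map(([path, meta]) => ({ path, version: meta.version,
      status: classify(path.split('node_modules/').pop(), meta.version || '') }))
    .filter((f) => f.status !== 'not-listed');
}

// Constructed sample lockfile fragment, not taken from a real project.
const SAMPLE_LOCK = { packages: {
  'node_modules/next': { version: '16.0.6' },
  'node_modules/react-server-dom-webpack': { version: '19.1.1' },
  'node_modules/cms/node_modules/react-server-dom-webpack': { version: '19.2.1' },
} };
console.table(auditLock(SAMPLE_LOCK));
```

    Nested copies matter here: a dependency can pin its own vulnerable react-server-dom-* build even when the top-level one is patched.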

    Attack telemetry showed:

    • Automated scanners with user-agent randomization
    • Parallel exploitation of CVE-2025-1338
    • Immediate PoC adoption regardless of accuracy
    • Manual exploitation attempts, including whoami, id, and /etc/passwd reads
    • File write attempts such as /tmp/pwned.txt

    A concentrated cluster originating from 183[.]6.80.214 executed 116 requests over 52 minutes, demonstrating active operator involvement.

    Cloudflare’s Emergency Downtime While Mitigating React2Shell

    The severity of React2Shell (CVE-2025-55182) was spotlighted when Cloudflare deliberately took down part of its own network to apply emergency defenses. The outage affected 28% of Cloudflare-served HTTP traffic early Friday.

    Cloudflare CTO Dane Knecht clarified that the disruption “was not caused, directly or indirectly, by a cyberattack… Instead, it was triggered by changes being made to our body parsing logic while attempting to detect and mitigate an industry-wide vulnerability disclosed this week in React Server Components.”

    This incident unfolded as researchers observed attackers hammering the vulnerability, alongside waves of legitimate and fraudulent proofs of concept circulating online.

    Global Warnings Ring In

    The Australian Cyber Security Centre (ACSC) issued a public notice, stating, “This alert is relevant to all Australian businesses and organizations… ASD’s ACSC is aware of a critical vulnerability in React Server Components… Organizations should review their networks for vulnerable instances of these packages and upgrade to fixed versions.”

    Organizations should assume that scanning for React2Shell is continuous and widespread. ACSC outlined some immediate steps for mitigation.

    1. Update all React/Next.js deployments: Verify versions against vulnerable ranges and upgrade to patched releases.
    2. Enable AWS WAF interim protection rules: These block known exploit sequences during patching windows.
    3. Review logs for exploitation indicators: Look for malformed RSC payloads, next-action or rsc-actionid headers, and repeated sequential failures.
    4. Inspect backend systems for post-exploitation behavior: Unexpected execution, unauthorized file writes, or suspicious commands.
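
    One way to run step 3 over access logs, as an added example that is not part of the ACSC guidance or any vendor tooling. The JSON-lines log schema, the failure-run threshold and the sample entries (documentation-range IPs) are assumptions; ordinary Server Action calls also carry the next-action header, so the signal used here is the header combined with a run of consecutive failures from one source.

```javascript
// Added example: triage access logs for the step 3 indicators.
// Assumed (hypothetical) schema: one JSON object per line, in time order, with
// ts, ip, method, status and a headers map whose keys are lower-cased.
const ACTION_HEADERS = ['next-action', 'rsc-actionid'];
const MIN_FAILURE_RUN = 3; // assumed threshold, tune per environment

function triage(lines) {
  const bySource = new Map();
  for (const line of lines) {
    let e = null;
    try { e = JSON.parse(line); } catch { /* malformed log line, skip */ }
    if (!e || e.method !== 'POST') continue;
    const headers = e.headers || {};
    if (!ACTION_HEADERS.some((h) => headers[h] !== undefined)) continue;
    const s = bySource.get(e.ip)
      || { ip: e.ip, requests: 0, failures: 0, run: 0, longestRun: 0, first: e.ts, last: e.ts };
    s.requests += 1;
    s.last = e.ts;
    if (e.status >= 400) {            // failed action call extends the current run
      s.failures += 1;
      s.run += 1;
      s.longestRun = Math.max(s.longestRun, s.run);
    } else {
      s.run = 0;
    }
    bySource.set(e.ip, s);
  }
  return [...bySource.values()]
    .map(({ run, ...s }) => ({ ...s,
      minutes: (Date.parse(s.last) - Date.parse(s.first)) / 60000,
      suspicious: s.longestRun >= MIN_FAILURE_RUN }))
    .sort((a, b) => b.longestRun - a.longestRun);
}

// Constructed sample entries; the addresses are documentation-range IPs.
const mk = (min, ip, status, hdr) => JSON.stringify({ ts: `2025-12-04T10:${min}:00Z`, ip,
  method: 'POST', status, headers: hdr ? { [hdr]: 'x' } : {} });
const SAMPLE_LOG = [
  mk('00', '203.0.113.10', 500, 'next-action'),
  mk('01', '198.51.100.7', 200, 'next-action'), // ordinary Server Action call
  mk('02', '203.0.113.10', 500, 'next-action'),
  mk('03', '203.0.113.10', 400, 'rsc-actionid'),
  mk('04', '198.51.100.7', 404, null),          // no action header: ignored
  mk('05', '203.0.113.10', 500, 'next-action'),
  'not json',
];
console.table(triage(SAMPLE_LOG));
```

    The per-source request count and time span give the same view as the 116-requests-in-52-minutes cluster described earlier, which helps separate operator-driven sessions from one-shot scanner hits.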

    Conclusion 

    The exploitation of React2Shell (CVE-2025-55182) shows how quickly high-severity vulnerabilities in critical and widely adopted components can be weaponized. China-nexus groups and opportunistic actors began targeting the flaw within minutes of disclosure, using shared infrastructure and public PoCs, accurate or not, to launch high-volume attacks. Organizations using React or Next.js App Router must patch immediately and monitor for iterative, operator-driven activity.

    Given this tempo, organizations need intelligence and automation that operate in real time. Cyble, ranked #1 globally in Cyber Threat Intelligence Technologies by Gartner Peer Insights, provides AI-native security capabilities through platforms such as Cyble Vision and Blaze AI. These systems identify threats early, correlate IOCs across environments, and automate response actions.


    Indicators of Compromise 

    MITRE ATT&CK Techniques

    Tactic                | Technique ID | Technique Name
    Initial Access        | T1190        | Exploit Public-Facing Application
    Privilege Escalation  | T1068        | Exploitation for Privilege Escalation
