Only hours after the public disclosure of a critical vulnerability in the React ecosystem, state-sponsored cyber espionage groups have already launched active exploitation campaigns. Amazon threat intelligence teams report that multiple China-nexus threat groups, specifically Earth Lamia and Jackpot Panda, began operationalizing the flaw on December 3, 2025.
The vulnerability, dubbed React2Shell (CVE-2025-55182), carries a maximum CVSS score of 10.0. It affects applications running React versions 19.x and Next.js versions 15.x and 16.x using the App Router.
At its core, React2Shell is an “unsafe deserialization vulnerability” within React Server Components. This mechanism, intended to streamline server-client communication, can be manipulated by attackers to execute arbitrary code remotely without authentication.
Crucially, applications are vulnerable even if they don’t explicitly use server functions. Merely supporting React Server Components exposes the system to attack. The flaw is rated 10.0/10.0, indicating it is both easy to exploit and catastrophic in impact.
Amazon’s AWS MadPot honeypot infrastructure has provided a rare glimpse into how these state-sponsored actors operate. The report highlights a “quantity over quality” approach, where threat actors are “attempting to use public PoCs that don’t actually work in real-world scenarios.”
Despite many public exploits being flawed—often registering dangerous modules like fs or child_process that real apps wouldn’t have—threat actors use them anyway. This “volume-based approach” creates significant noise in logs but ensures that if a vulnerable target exists, it will eventually be hit.
While the attacks are linked to China-nexus groups, attribution is complicated by “shared anonymization infrastructure.”
- Earth Lamia: Known for targeting Latin America, the Middle East, and Southeast Asia across logistics, finance, and IT sectors.
- Jackpot Panda: Primarily targets East and Southeast Asia, focusing on domestic security and corruption intelligence.
The attacks are not purely automated. In one striking instance captured by MadPot on December 4, 2025, an unattributed threat cluster (IP: 183.6.80.214) spent nearly an hour manually troubleshooting an exploit against a target.
From 2:30 AM to 3:22 AM UTC, the attacker:
- Sent 116 total requests.
- Attempted to execute Linux reconnaissance commands like whoami and id.
- Tried to write files to /tmp/pwned.txt.
- Attempted to read sensitive system files like /etc/passwd.
This behavior confirms that sophisticated actors are “actively debugging and refining their exploitation techniques against live targets.”
Defenders should immediately search their logs for the following indicators identified by Amazon:
- HTTP Headers: Requests containing next-action or rsc-action-id.
- Payload Patterns: Request bodies containing `$@` or `"status":"resolved_model"`.
- Suspicious Activity: Attempts to read /etc/passwd or unexpected file writes to /tmp/.
Known IPs:
- 206.237.3.150 (Earth Lamia)
- 45.77.33.136 (Jackpot Panda)
- 183.6.80.214 (Unattributed Cluster)
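The following script is an added example (not Amazon's or the React project's code) showing how the indicators above can be swept across access logs. It assumes a log format of one JSON object per line with `src_ip`, `method`, `path`, `headers` and `body` fields; the sample lines are constructed, and the only page-derived values are the header names, body patterns, post-exploitation paths and the three published IPs.

```python
"""Log triage for the React2Shell (CVE-2025-55182) indicators listed above.
Added example; the JSON-per-line log format is an assumption and the
SAMPLE_LOG entries are constructed, not real traffic."""
import json
import re

# Published source IPs and the groups Amazon associated with them.
KNOWN_IPS = {
    "206.237.3.150": "Earth Lamia",
    "45.77.33.136": "Jackpot Panda",
    "183.6.80.214": "Unattributed cluster",
}

# Request headers used by the React Server Components action path.
RSC_HEADERS = ("next-action", "rsc-action-id")

# Body fragments Amazon listed as payload patterns.
BODY_PATTERNS = (
    ("rsc-reference", re.compile(r"\$@")),
    ("resolved-model", re.compile(r'"status"\s*:\s*"resolved_model"')),
)

# Post-exploitation behaviour seen in the manual session: reading
# /etc/passwd and writing under /tmp/.
POST_EXPLOIT_PATTERNS = (
    ("read-etc-passwd", re.compile(r"/etc/passwd")),
    ("write-tmp", re.compile(r"/tmp/\S+")),
)

# Constructed sample log lines: one benign GET, one action call carrying an
# RSC reference, one request from a published IP with the resolved_model
# marker and a /etc/passwd read, and one benign probe from a published IP.
SAMPLE_LOG = [
    json.dumps({"src_ip": "203.0.113.10", "method": "GET", "path": "/",
                "headers": {"user-agent": "Mozilla/5.0"}, "body": ""}),
    json.dumps({"src_ip": "203.0.113.11", "method": "POST", "path": "/",
                "headers": {"next-action": "abc123",
                            "content-type": "text/plain"},
                "body": '["$@1"]'}),
    json.dumps({"src_ip": "183.6.80.214", "method": "POST", "path": "/",
                "headers": {"rsc-action-id": "deadbeef"},
                "body": '{"status":"resolved_model","value":"cat /etc/passwd"}'}),
    json.dumps({"src_ip": "45.77.33.136", "method": "GET", "path": "/healthz",
                "headers": {}, "body": ""}),
]


def score_request(record):
    """Return the indicator labels matched by one parsed log record."""
    hits = []
    src = record.get("src_ip", "")
    if src in KNOWN_IPS:
        hits.append(f"known-ip:{KNOWN_IPS[src]}")
    # Header names are case-insensitive in HTTP; normalise before matching.
    headers = {k.lower(): v for k, v in record.get("headers", {}).items()}
    for name in RSC_HEADERS:
        if name in headers:
            hits.append(f"header:{name}")
    body = record.get("body") or ""
    for label, pattern in BODY_PATTERNS:
        if pattern.search(body):
            hits.append(f"body:{label}")
    for label, pattern in POST_EXPLOIT_PATTERNS:
        if pattern.search(body):
            hits.append(f"post-exploit:{label}")
    return hits


def triage(lines):
    """Parse each JSON log line and return (src_ip, hits) for every line
    that matched at least one indicator. Malformed lines are skipped so a
    single bad record does not abort the sweep."""
    findings = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        hits = score_request(record)
        if hits:
            findings.append((record.get("src_ip", "?"), hits))
    return findings


if __name__ == "__main__":
    for src_ip, hits in triage(SAMPLE_LOG):
        print(src_ip, ", ".join(hits))
```

Treat the header match on its own as low-confidence: a Next.js application that uses server actions sends `next-action` in legitimate traffic, and `$@` appears in normal React Server Components payloads. A request that combines a published IP, the `resolved_model` marker or a sensitive-path string with the header is what deserves a first look.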