Dec 08, 2025 • Recorded Future
Critical React2Shell Vulnerability Under Active Exploitation by Chinese Threat Actors
Executive Summary
A critical vulnerability (CVE-2025-55182, dubbed 'React2Shell') in React Server Components versions 19.0-19.2.0 is under active exploitation by Chinese threat actors. The flaw stems from unsafe payload deserialization at React Server Function endpoints, enabling attackers to execute arbitrary code through crafted HTTP requests, potentially leading to complete backend compromise. AWS Threat Intelligence attributes exploitation to Earth Lamia and Jackpot Panda groups, though Insikt Group notes attribution cannot be fully verified. Organizations using affected Meta packages should patch immediately given the critical severity and active exploitation in the wild. The vulnerability poses significant risk to web application backends running vulnerable React implementations.
Summary
A critical vulnerability in React Server Components is allegedly being actively exploited by multiple Chinese threat actors. Recorded Future recommends that organizations patch their systems immediately.
Published Analysis
Last updated on 9 December.
What's Happening
CVE-2025-55182, dubbed "React2Shell," affects React Server Components versions 19.0, 19.1.0, 19.1.1, and 19.2.0 in several Meta packages. Amazon's AWS Threat Intelligence team reported on December 4 that Chinese threat groups including Earth Lamia, Jackpot Panda, and several untracked clusters are actively exploiting this vulnerability. However, AWS has not provided any further evidence for these attributions beyond IP addresses allegedly used by these threat groups. At this stage, Insikt Group cannot exclude the possibility that the same threat group might still be using the IP address 206[.]237[.]3[.]150, but we are currently unable to verify AWS’s attribution to Earth Lamia.
The vulnerability stems from unsafe payload deserialization at React Server Function endpoints. When successfully exploited, attackers can execute arbitrary code through crafted HTTP requests, potentially leading to complete backend compromise.
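To support the patching recommendation, the following added example (not code from Recorded Future or the React project) checks a parsed package-lock.json for the affected versions listed above. The three package names are an assumption, since the page says only "several Meta packages"; reading "19.0" as npm version 19.0.0 is also an assumption, and the sample lockfiles are constructed.

```javascript
// Affected versions as listed on this page; "19.0" is read as npm 19.0.0 (assumption).
const AFFECTED_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
// Assumption: the page names no packages; verify this list against the vendor advisory.
const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);
const isAffected = (name, version) =>
  RSC_PACKAGES.has(name) && AFFECTED_VERSIONS.has(version);

// Return [{ name, version, path }] for each affected install in a parsed package-lock.json.
function findAffected(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || path.split("node_modules/").pop();
    if (isAffected(name, meta.version)) hits.push({ name, version: meta.version, path });
  }
  // lockfileVersion 1: nested "dependencies" tree, walked recursively.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (isAffected(name, meta.version)) hits.push({ name, version: meta.version, path });
      walk(meta.dependencies, `${path}/`);
    }
  };
  // v2 files carry both maps; walk the tree only when "packages" is absent.
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfiles (not real project data).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/some-framework/node_modules/react-server-dom-turbopack": { version: "19.2.0" },
    "node_modules/react-server-dom-parcel": { version: "19.9.9" }, // not in the affected list
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-framework": { version: "1.0.0", dependencies: { "react-server-dom-webpack": { version: "19.0.0" } } },
  },
};
console.log(findAffected(SAMPLE_LOCK), findAffected(SAMPLE_LOCK_V1));
```

A lockfile records only packages installed as separate dependencies, so a copy bundled inside another package will not appear in this result.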
Linked Entities
- Earth Lamia
- Jackpot Panda
- CVE-2025-55182