A remote code execution (RCE) vulnerability in the React JavaScript library, which caused internet disruptions earlier today as Cloudflare rolled out mitigation measures live on its network, is reportedly being exploited by multiple attackers on a large scale.
React, backed by Meta, is an open source library that lets developers build user interfaces (UI) for both native and web applications.
The vulnerability, assigned CVE-2025-55182 and dubbed React2Shell in the security community, is a critically rated pre-authentication RCE flaw in versions 19.0.0, 19.1.0, 19.1.1 and 19.2.0 of the React backend components; it stems from a bug in the way those components decode payloads sent to React server function endpoints.
This means that by sending a crafted HTTP request to a server function endpoint, an attacker could run arbitrary code on the target server.
It was added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) catalog on Friday, December 5, and according to Amazon Web Services (AWS) CISO and VP of Security Engineering C.J. Moses, the rapid exploitation is believed to be largely the work of threat actors associated with China.
Moses warned that China's habit of sharing large-scale anonymization infrastructure across multiple state-backed threat actors makes precise attribution difficult, but following the disclosure on Wednesday, December 3, groups tracked as Earth Lamia and Jackpot Panda were seen using React2Shell.
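As an added example, not part of this article and not code from the React project, the following Node.js script audits an npm package-lock.json (lockfile version 2 or 3) for the affected versions listed above, so a defender can triage which deployments need patching first. The package names it watches are an assumption, since the article names only "the React backend components"; adjust them to the vendor advisory. The sample lockfile is constructed inline so the script runs offline; to audit a real project, replace it with the parsed contents of that project's package-lock.json.

```javascript
// Added example: audit an npm lockfile for the React releases the article
// lists as affected by CVE-2025-55182. Not code from the React project.

// Versions taken from the article.
const AFFECTED_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);

// ASSUMPTION: the article does not name the npm packages that make up the
// "React backend components", so this watch list is a placeholder to be
// aligned with the official advisory before use.
const WATCHED_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// Lockfile v2/v3 keys look like "node_modules/react" or
// "node_modules/some-tool/node_modules/react-server-dom-webpack" (nested
// copies). The package name is everything after the last "node_modules/",
// which also keeps scoped names such as "@scope/name" intact.
function packageNameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Walk every installed package (including nested duplicates, which a plain
// top-level check would miss) and return the ones at an affected version.
function findAffected(lockfile) {
  const findings = [];
  const packages = (lockfile && lockfile.packages) || {};
  for (const [key, meta] of Object.entries(packages)) {
    if (key === "") continue; // the root project entry, not a dependency
    const name = packageNameFromKey(key);
    if (!WATCHED_PACKAGES.has(name)) continue;
    if (meta && AFFECTED_VERSIONS.has(meta.version)) {
      findings.push({ path: key, name, version: meta.version });
    }
  }
  return findings;
}

// Render findings as one line per hit, or a clean message when there are none.
function formatReport(findings) {
  if (findings.length === 0) return "OK: no watched package at an affected version";
  return findings
    .map((f) => `AFFECTED: ${f.name}@${f.version} (${f.path})`)
    .join("\n");
}

// Constructed sample lockfile: one affected top-level copy and one older
// nested copy that must not be flagged.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/legacy-tool/node_modules/react-server-dom-webpack": {
      version: "18.3.1",
    },
  },
};

// Demo run on the constructed sample. For a real project, load the lockfile
// with JSON.parse(fs.readFileSync("package-lock.json", "utf8")) instead.
console.log(formatReport(findAffected(SAMPLE_LOCK)));
```

Nested copies matter here: a lockfile can hold several versions of the same package under different `node_modules` paths, and only scanning the top-level entry would report a project as clean while an older tool still bundles an affected copy.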
“China continues to be the most prolific source of state-sponsored cyber threat activity, with threat actors routinely using public exploits within hours or days of disclosure,” he wrote.
“Thanks to monitoring in our AWS MadPot honeypots, Amazon's threat intelligence teams have identified both known groups and previously untraceable threat clusters attempting to exploit CVE-2025-55182.”
Earth Lamia is well known for exploiting web application vulnerabilities against organizations located primarily in Latin America, the Middle East and Southeast Asia, with a particular focus on educational institutions, financial services organizations, government agencies, IT companies, logistics firms and retailers.
Jackpot Panda, according to AWS, targets companies in East and Southeast Asia, with its operations aligned with China's corruption and homeland security goals.
Massive attack
With reports suggesting there may be more than 950,000 servers running vulnerable platforms such as React and Next.js, Radware threat researchers have warned of a huge potential attack surface.
React and Next.js are widely used for their efficiency and flexibility, and their robust ecosystems make them the default choice for many developers—and that's why they can be found everywhere from consumer-facing mobile apps and websites to enterprise-grade platforms, Radware says.
“Such a widespread dependency means that one critical bug can have cascading consequences across large parts of modern web infrastructure,” the Radware team said. “A significant number of applications in public and private clouds are immediately available for use, requiring urgent and widespread action.”
Michael Bell, founder and CEO of Suzu Labs, a penetration testing and artificial intelligence security specialist, said that a gap of hours between disclosure and active exploitation by state actors has become the new normal, and the situation is likely to get worse.
“China-linked groups have industrialized their response to vulnerabilities: They monitor information disclosures, capture public PoCs – even broken ones – and distribute them on a large scale before most organizations have finished reading the advisory,” he said.
“The AWS report showing attackers debugging exploits in real time against honeypots demonstrates that this is not automated scanning; it's the keyboard operators rushing to establish stability before patches are released.
“As AI tools become increasingly capable of analyzing exposed vulnerabilities and generating exploit codes, we can expect the window between information being exposed and being weaponized to shrink from hours to minutes,” Bell said.
He added that Cloudflare's earlier outage while deploying an emergency mitigation “tells you all about the severity calculation.”