China-Linked Attackers Exploit Critical React2Shell Flaw: A Closer Look
Following the disclosure of a critical vulnerability affecting React and Next.js, multiple China-linked threat actors began exploiting the flaw, tracked as CVE-2025-55182 and dubbed React2Shell, within hours.
React2Shell is an insecure deserialization vulnerability in the React Server Components (RSC) ‘Flight’ protocol. It can be exploited without authentication and allows a remote attacker to execute JavaScript code in the context of the server process.
A second identifier, CVE-2025-66478, was initially assigned to the same issue in the Next.js framework, but it was rejected as a duplicate of CVE-2025-55182 in the National Vulnerability Database’s CVE list.
Several proof-of-concept (PoC) exploits have already been published, which shows how easy the issue is to exploit and raises the likelihood of further attacks.
Because the vulnerability spans many versions of the library, thousands of dependent projects are exposed. Wiz researchers estimate that 39% of the cloud environments they observe are vulnerable to React2Shell attacks.
React and Next.js have both shipped security updates, but on unpatched deployments the vulnerability remains trivially exploitable without authentication, even in the default configuration.
React2Shell Attacks Unleashed
Amazon Web Services (AWS) warned that China-linked threat actors, specifically Earth Lamia and Jackpot Panda, began exploiting React2Shell shortly after its public disclosure.
According to an AWS report, “Within hours of the public disclosure of CVE-2025-55182 (React2Shell) on December 3, 2025, Amazon threat intelligence teams observed active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda.”
AWS’s monitoring also detected malicious activity from China-based infrastructure that could not be tied directly to a known threat cluster.
The attacking clusters share anonymization infrastructure, which further complicates tracking and attributing individual groups.
Earth Lamia primarily targets web application vulnerabilities, focusing on financial services, logistics, retail, IT, universities, and government entities across Latin America, the Middle East, and Southeast Asia.
Jackpot Panda, by contrast, typically targets organizations in East and Southeast Asia, gathering intelligence related to corruption and domestic security.
Proof-of-Concept Exploits Emerge
Lachlan Davidson, the researcher who discovered and reported React2Shell, warned that fake exploits were circulating online. Working exploits have nevertheless appeared on GitHub, including ones confirmed valid from researchers such as Stephen Fewer of Rapid7 and Joe Desimone of Elastic Security.
The attacks AWS observed combine public exploits, including broken ones, with iterative manual testing and real-time troubleshooting against the targeted environments.
The activity includes repeated attempts with varied payloads: Linux command execution such as ‘whoami’ and ‘id’, attempts to create a marker file (‘/tmp/pwned.txt’), and attempts to read ‘/etc/passwd’.
AWS researchers noted, “This behavior demonstrates that threat actors aren’t just running automated scans, but are actively debugging and refining their exploitation techniques against live targets.”
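The command strings in that list lend themselves to a simple detection pass over request logs. The following is an added example, not code from the article, from AWS, or from any vendor product: it reads a constructed request log (the JSON-per-line format, the field names and the sample entries are all assumptions of this example) and flags POST requests whose bodies contain those strings, then groups hits by source address so that the iterative, hand-driven probing AWS describes stands out from a single-shot scanner. It keys only on the post-exploitation commands the report names, not on the exploit itself, and it requires a proxy or application that logs request bodies.

```javascript
// Added example (not from the article, AWS, or any vendor tool): hunt request
// logs for the post-exploitation strings AWS reported seeing in React2Shell
// attempts (whoami, id, /tmp/pwned.txt, /etc/passwd) and group hits by source
// so that hand-driven, iterative probing stands out from one-shot scanning.
// The log format and sample entries below are constructed for this example.

// Indicator patterns. The command pattern requires shell-like delimiters around
// "id"/"whoami" so that "userid=42" or the name "ida" do not trigger it.
const INDICATORS = [
  { name: "recon-command", re: /(?:^|[\s;|&("'`])(?:whoami|id)(?=[\s;|&)"'`]|$)/ },
  { name: "file-write-marker", re: /\/tmp\/pwned\.txt/ },
  { name: "passwd-read", re: /\/etc\/passwd/ },
];

// Constructed sample log: one JSON object per line with the request body
// captured. Field names are an assumption of this example; a proxy has to be
// configured to log bodies for this to work at all.
const SAMPLE_LOG = [
  { ts: "2025-12-04T01:00:00Z", src: "203.0.113.7", method: "POST", path: "/", body: '{"cmd":"whoami"}' },
  { ts: "2025-12-04T01:00:41Z", src: "203.0.113.7", method: "POST", path: "/", body: '{"cmd":"id"}' },
  { ts: "2025-12-04T01:02:10Z", src: "203.0.113.7", method: "POST", path: "/", body: '{"cmd":"touch /tmp/pwned.txt"}' },
  { ts: "2025-12-04T01:03:55Z", src: "203.0.113.7", method: "POST", path: "/", body: '{"cmd":"cat /etc/passwd"}' },
  { ts: "2025-12-04T01:05:00Z", src: "198.51.100.9", method: "GET", path: "/_next/static/chunks/app.js", body: "" },
  { ts: "2025-12-04T01:05:02Z", src: "198.51.100.9", method: "POST", path: "/api/profile", body: '{"userid":42,"name":"ida"}' },
  { ts: "2025-12-04T02:30:00Z", src: "192.0.2.33", method: "POST", path: "/", body: '{"cmd":"cat /etc/passwd"}' },
].map((e) => JSON.stringify(e)).join("\n") + "\nnot json at all\n";

function parseLine(line) {
  try {
    return JSON.parse(line);
  } catch {
    return null; // malformed lines are skipped, not fatal
  }
}

function matchIndicators(body) {
  return INDICATORS.filter((i) => i.re.test(body)).map((i) => i.name);
}

// Returns one hit per POST whose body carries at least one indicator.
function scanLog(text) {
  const hits = [];
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    const entry = parseLine(line);
    if (!entry || entry.method !== "POST") continue;
    const indicators = matchIndicators(entry.body || "");
    if (indicators.length) {
      hits.push({ ts: entry.ts, src: entry.src, path: entry.path, indicators, body: entry.body });
    }
  }
  return hits;
}

// Per-source summary. Several distinct payloads from one address inside a
// short window is the "debugging against live targets" pattern; a single hit
// is more consistent with an automated one-shot probe.
function summarizeBySource(hits, { minVariants = 3, windowMs = 10 * 60 * 1000 } = {}) {
  const bySrc = new Map();
  for (const h of hits) {
    const s = bySrc.get(h.src) || { src: h.src, first: h.ts, last: h.ts, variants: new Set(), indicators: new Set() };
    s.variants.add(h.body);
    for (const i of h.indicators) s.indicators.add(i);
    if (h.ts < s.first) s.first = h.ts; // ISO-8601 UTC strings sort lexically
    if (h.ts > s.last) s.last = h.ts;
    bySrc.set(h.src, s);
  }
  return [...bySrc.values()].map((s) => {
    const spanMs = Date.parse(s.last) - Date.parse(s.first);
    return {
      src: s.src,
      variants: s.variants.size,
      indicators: [...s.indicators].sort(),
      spanMs,
      iterative: s.variants.size >= minVariants && spanMs <= windowMs,
    };
  });
}

const summary = summarizeBySource(scanLog(SAMPLE_LOG));
console.log(JSON.stringify(summary, null, 2));
```

Run it with `node`; on the constructed sample it reports 203.0.113.7 as iterative (four distinct payloads in under four minutes, all three indicator classes) and 192.0.2.33 as a single passwd read. Tune the indicator list and the window to your own traffic, and keep the delimiter check on the `id` pattern, which is otherwise very noisy. A scan that keys on command strings alone misses any attempt that does not run these exact commands, so treat hits as a starting point for log review rather than proof of absence.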
Assetnote, maker of an Attack Surface Management (ASM) platform, has released a React2Shell scanner on GitHub that lets users check whether their environment is susceptible to React2Shell attacks.