Critical React2Shell Vulnerability Under Active Exploitation by Chinese Threat Actors

Dec. 21, 2025, 6:49 p.m.

Description

A critical vulnerability dubbed 'React2Shell' (CVE-2025-55182) in React Server Components is being actively exploited by Chinese threat actors. The flaw affects multiple versions and packages and allows arbitrary code execution through crafted HTTP requests. Approximately 39% of scanned cloud environments contain vulnerable React instances, and exploitation attempts show a nearly 100% success rate. The vulnerability impacts popular frameworks and libraries that bundle react-server. Chinese state-sponsored groups, including Earth Lamia and Jackpot Panda, are reportedly involved in the attacks. Organizations are urged to identify vulnerable assets, apply patches immediately, and block malicious IP addresses associated with exploitation attempts.

Date

  • Created: Dec. 8, 2025, 5:25 p.m.
  • Published: Dec. 8, 2025, 5:25 p.m.
  • Modified: Dec. 21, 2025, 6:49 p.m.

Indicators

  • 206.237.3.150
  • 183.6.80.214

Attack Patterns

  • GobRAT
  • Earth Lamia, Jackpot Panda

Additional Information

  • Technologies
  • China

Linked vulnerabilities