China-nexus threat groups are racing to weaponize the new React2Shell bug, tracked as CVE-2025-55182, only hours after its public disclosure.
The flaw sits in React Server Components and lets an attacker run code on the server without logging in. Early scans show broad probing of internet-facing React and Next.js apps, with a focus on high-value cloud workloads.
The bug hits React 19.x and Next.js 15.x and 16.x when the App Router feature is in use. Even apps that don't call server actions are at risk as long as they support React Server Components.
This makes the exposure large for teams that have adopted the latest React stack but haven't yet patched.
AWS security analysts and researchers identified live React2Shell exploit traffic in their MadPot honeypot network within hours of the advisory going public.
They then pushed new defenses through Sonaris and updated AWS WAF managed rules, while warning that these layers don't replace prompt patching on customer-run EC2, containers, and on-prem hosts.
Traffic linked to China-nexus groups such as Earth Lamia and Jackpot Panda shows active testing of public proof-of-concept code against real apps.
Some clusters spend close to an hour fine-tuning payloads, trying commands like whoami and id, file writes to /tmp/pwned.txt, and reads of /etc/passwd.
CVE: CVE-2025-55182
Name: React2Shell
CWE / Class: Unsafe deserialization in React Server Components
Severity (CVSS): 10.0, critical
Affected stack: React 19.x; Next.js 15.x, 16.x with App Router
Attack vector: Remote, unauthenticated HTTP POST
Impact: Remote code execution on the Node.js server
Key HTTP indicators: next-action, rsc-action-id, $@, "status":"resolved_model"
Infection flow and exploit chain
This section gives a full technical breakdown in plain, simple terms. A typical React2Shell attack begins with a crafted POST request to a React Server Components endpoint.
The body holds a fake "action" payload that abuses the unsafe deserialize step to inject JavaScript on the server.
A simple example looks like this:
POST /_rsc HTTP/1.1
Host: victim.example
Content-Type: application/json
{"next-action":"$@malicious_payload","status":"resolved_model"}
Once the payload lands, the server may spawn shell commands, touch files in /tmp, or open new outbound connections from the Node process.
Many public exploits are broken, but attackers still fire them at scale, filling logs with noise and hiding working chains.
Teams should hunt for these headers and patterns, plus odd child processes from Node.js; the indicators above are called out for fast review by incident responders.
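As an added example (not from the article, AWS, or the React project), the helper below applies the indicators listed above to constructed sample requests and process events so responders can triage noisy probe traffic. The request dict shape, the /_rsc path, and the recon command list are assumptions for illustration.

```python
import re
from typing import Dict, List

# Indicators quoted in the article: RSC action headers/keys and the Flight
# protocol fragments that appear in React2Shell probe bodies.
ACTION_KEYS = ("next-action", "rsc-action-id")
BODY_PATTERNS = {
    "flight-ref": re.compile(r"\$@"),
    "resolved-model": re.compile(r'"status"\s*:\s*"resolved_model"'),
}
# Commands the article reports attackers running from the Node process
# (assumed list for illustration; extend from your own telemetry).
RECON_COMMANDS = {"whoami", "id", "cat", "touch", "sh", "bash"}

def request_indicators(req: Dict) -> List[str]:
    """Return indicator names matched by one captured HTTP request.
    req: {'method', 'path', 'headers' (any case), 'body'}; empty list = clean.
    A lone Next-Action header is normal for server actions, so weight body
    pattern hits more heavily than a header hit on its own."""
    if req.get("method", "").upper() != "POST":
        return []          # the exploit described is an unauthenticated POST
    hits = []
    headers = {k.lower() for k in req.get("headers", {})}
    body = req.get("body", "")
    for key in ACTION_KEYS:
        if key in headers:
            hits.append(f"header:{key}")
        elif key in body:
            hits.append(f"body-key:{key}")
    for name, pat in BODY_PATTERNS.items():
        if pat.search(body):
            hits.append(f"body:{name}")
    return hits

def suspicious_node_child(parent_image: str, child_cmdline: str) -> bool:
    """True when a Node.js process spawned one of the recon commands above."""
    if not parent_image.rsplit("/", 1)[-1].startswith("node"):
        return False
    first = child_cmdline.strip().split()[:1]
    return bool(first) and first[0].rsplit("/", 1)[-1] in RECON_COMMANDS

# Constructed sample data (not real captures) mirroring the article's request.
PROBE = {"method": "POST", "path": "/_rsc", "headers": {"Content-Type": "application/json"},
         "body": '{"next-action":"$@malicious_payload","status":"resolved_model"}'}
NORMAL_ACTION = {"method": "POST", "path": "/dashboard",
                 "headers": {"Next-Action": "7f3a", "Content-Type": "text/plain"},
                 "body": '["submit"]'}

if __name__ == "__main__":
    print(request_indicators(PROBE))          # three body indicators
    print(request_indicators(NORMAL_ACTION))  # header only: likely benign
    print(suspicious_node_child("/usr/bin/node", "/bin/sh -c whoami"))
```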