Researchers warn that critical vulnerabilities in Meta’s React Server Components and Next.js are being targeted by botnets and state-linked adversaries.
China-nexus threat groups, tracked as Earth Lamia and Jackpot Panda, attempted to exploit a React vulnerability tracked as CVE-2025-55182 within a few hours of the flaw being disclosed on Wednesday, according to a blog post released Thursday by CJ Moses, chief information security officer at Amazon.
The vulnerability, dubbed React2Shell, enables an unauthenticated attacker to achieve remote code execution due to unsafe deserialization of payloads sent to React Server Function endpoints.
Palo Alto Networks has identified more than 30 organizations hit by threat activity. Researchers link the exploitation to a state-linked group tracked as CL-STA-1015, also known as UNC5174, an initial access broker with ties to the Chinese Ministry of State Security.
“We have observed scanning for vulnerable RCE, reconnaissance activity, attempted theft of AWS configuration and credential files, as well as installation of downloaders to retrieve payloads from attacker command and control infrastructure,” Justin Moore, senior manager, threat intel research, Unit 42 at Palo Alto Networks, told Cybersecurity Dive.
During the attacks, Snowlight and Vshell malware were also deployed, according to Moore.
Researchers at GreyNoise are reporting opportunistic, mostly automated attempts to exploit React2Shell, according to a blog post published Friday. They are beginning to see the flaw slowly being “added to Mirai and other botnet exploitation kits,” according to GreyNoise.
The Cybersecurity and Infrastructure Security Agency added the flaw to its Known Exploited Vulnerabilities catalog on Friday.
Researchers at Palo Alto Networks said nearly 970,000 servers run modern frameworks like React and Next.js, and the risk is widespread.
“This newly discovered flaw is a critical threat because it is a master key exploit, succeeding not by crashing the system, but by abusing its trust in incoming data structures,” said Moore. “The system executes the malicious payload with the same reliability as legitimate code because it operates exactly as intended, but on malicious input.”
Security researcher Lachlan Davidson disclosed the vulnerability to React on Nov. 29 through the Meta Bug Bounty program. React issued a patch for the flaw on Wednesday and urged users to apply immediate upgrades.
Editor’s note: Updates story with additional comment from Palo Alto Networks.
