Full Report
Two hacking groups with ties to China have been observed weaponizing the newly disclosed security flaw in React Server Components (RSC) within hours of it becoming public knowledge. The vulnerability in question is CVE-2025-55182 (CVSS score: 10.0), aka React2Shell, which allows unauthenticated remote code execution. It has been addressed in React versions 19.0.1, 19.1.2, and 19.2.1. According
Analysis Summary
# Vulnerability: React2Shell - Unauthenticated Remote Code Execution in React Server Components
## CVE Details
- CVE ID: CVE-2025-55182
- CVSS Score: 10.0 (Critical)
- CWE: Not specified in the source article. An injection or improper-input-validation class weakness is plausible given unauthenticated RCE, but that is this summary's inference, not a published mapping.
## Affected Systems
- Products: React Server Components (RSC), the server-side rendering path of React 19.
- Versions: React 19.0.x before 19.0.1, 19.1.x before 19.1.2, and 19.2.x before 19.2.1.
- Configurations: Any server that renders React Server Components, directly or through a framework built on them, using a vulnerable React release.
## Vulnerability Description
CVE-2025-55182, nicknamed "React2Shell," is a critical flaw in React Server Components (RSC). A remote attacker who can reach an RSC-serving endpoint can execute arbitrary code on the server hosting the application without any authentication.
## Exploitation
- Status: Exploited in the wild. The AWS report attributes weaponization to the China-linked groups Earth Lamia and Jackpot Panda within hours of public disclosure.
- Complexity: Low. A CVSS score of 10.0 requires network reachability, low attack complexity, no privileges and no user interaction, and the in-the-wild exploitation shortly after disclosure bears this out.
- Attack Vector: Network
## Impact
- Confidentiality: High (Observed attempts to read sensitive files like `/etc/passwd`).
- Integrity: High (Observed attempts to write files, e.g., `/tmp/pwned.txt`, indicative of code execution).
- Availability: High (RCE can lead to system compromise and denial of service).
## Remediation
### Patches
- React version 19.0.1
- React version 19.1.2
- React version 19.2.1
### Workarounds
- None described in the source article; upgrading to a fixed release is the only remediation given. Check transitive copies of React pulled in by dependencies as well as the top-level package, since a nested unpatched copy leaves the server exposed.
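The following is an added example, not code from the advisory or from the React project. It decides whether an installed React version sits before the fix in its release line (the three fixed versions come from the advisory) and walks an npm lockfile to find every installed copy of `react`, including nested copies under other packages. The lockfile object is constructed for the example; the `"not-covered"` status for lines the advisory does not list (18.x, 19.3.x and later) is this example's own convention, and the lockfile walk assumes the v2/v3 `packages` map shape.

```javascript
// Added example (not from the advisory or the React project): classify an
// installed React version against the fixed releases named in the advisory.

// First patched release per affected minor line, keyed "major.minor".
const FIXED_RELEASES = {
  "19.0": [19, 0, 1],
  "19.1": [19, 1, 2],
  "19.2": [19, 2, 1],
};

// Parse "19.1.0" or "19.2.1-canary-abc" into numeric parts plus any prerelease tag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

function compareNums(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns "vulnerable", "patched" or "not-covered". "not-covered" (assumption of
// this example) means a line the advisory does not list, e.g. 18.x or 19.3.x,
// which the caller must assess separately.
function assessReactVersion(version) {
  const { nums, pre } = parseVersion(version);
  const fixed = FIXED_RELEASES[`${nums[0]}.${nums[1]}`];
  if (!fixed) return "not-covered";
  const cmp = compareNums(nums, fixed);
  if (cmp < 0) return "vulnerable";
  // A prerelease of the fixed version (19.2.1-canary-...) sorts before the
  // final release under semver, so treat it as not yet fixed.
  if (cmp === 0 && pre) return "vulnerable";
  return "patched";
}

// Walk an npm lockfile (v2/v3 "packages" map, assumed shape) and report every
// installed copy of react, including copies nested under other packages.
function findReactInLockfile(lock) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/react" || path.endsWith("/node_modules/react")) {
      out.push({ path, version: meta.version, status: assessReactVersion(meta.version) });
    }
  }
  return out;
}

// Constructed sample lockfile (not a real project): a patched top-level react
// and a vulnerable nested copy pulled in by a hypothetical dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { react: "^19.2.1" } },
    "node_modules/react": { version: "19.2.1" },
    "node_modules/some-ui-kit": { version: "1.0.0" },
    "node_modules/some-ui-kit/node_modules/react": { version: "19.1.1" },
  },
};

for (const hit of findReactInLockfile(SAMPLE_LOCK)) {
  console.log(`${hit.path}: react ${hit.version} -> ${hit.status}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; any `"vulnerable"` entry, top-level or nested, needs an upgrade.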
## Detection
- **Indicators of Compromise (IOCs):** The observed post-exploitation activity consisted of system discovery (`whoami`), a proof-of-execution file write (`/tmp/pwned.txt`) and reading `/etc/passwd`. These are the artifacts of the reported campaign only; other operators will use different commands, so their absence does not rule out exploitation.
- **Detection Methods and Tools:** Inspect request logs and network traffic to RSC-serving endpoints for payloads that carry shell commands or sensitive file paths, including URL-encoded forms, and alert on the source addresses that send them. The AWS report notes the same actors scanning for other *n*-day bugs (e.g., CVE-2025-1338 in NUUO cameras), so hits on those should be correlated as part of one campaign.
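The following is an added example, not code from the advisory or from any of the cited reports. It scans newline-delimited JSON request records for the three post-exploitation strings the AWS report observed, after undoing URL-encoding so an encoded probe is not missed, and returns the matching records with their source address. The record shape (`ts`, `src`, `method`, `path`, `body`) and every log line are constructed for the example; a real deployment would feed it whatever the application or proxy logs for request bodies.

```javascript
// Added example (not from the advisory): flag request records whose path or
// body carries the post-exploitation strings named in the AWS report.

const IOC_PATTERNS = [
  { name: "system-discovery (whoami)", re: /\bwhoami\b/i },
  { name: "file-write (/tmp/pwned.txt)", re: /\/tmp\/pwned\.txt/i },
  { name: "file-read (/etc/passwd)", re: /\/etc\/passwd/i },
];

// Undo up to maxLayers of URL-encoding so "%2Fetc%2Fpasswd" and
// "%252Fetc%252Fpasswd" still match. Stops when decoding changes nothing
// or when a malformed %-sequence makes decodeURIComponent throw.
function decodeLayers(s, maxLayers = 2) {
  let cur = s;
  for (let i = 0; i < maxLayers; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch { break; }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// One record (assumed shape): { ts, src, method, path, body }.
// Returns the names of the patterns that matched.
function scanRecord(rec) {
  const haystack = decodeLayers(`${rec.path || ""}\n${rec.body || ""}`);
  return IOC_PATTERNS.filter(p => p.re.test(haystack)).map(p => p.name);
}

// Scan NDJSON text; return only the records that hit, with the source address
// so an analyst can pivot to everything else that host sent.
function scanLog(ndjson) {
  const alerts = [];
  for (const line of ndjson.split("\n")) {
    if (!line.trim()) continue;
    let rec;
    try { rec = JSON.parse(line); } catch { continue; } // skip malformed lines
    const hits = scanRecord(rec);
    if (hits.length) alerts.push({ ts: rec.ts, src: rec.src, path: rec.path, hits });
  }
  return alerts;
}

// Constructed sample log: a benign request, a plaintext probe, a URL-encoded
// probe and a malformed line. Addresses are documentation ranges.
const SAMPLE_LOG = [
  JSON.stringify({ ts: "2025-12-05T10:00:01Z", src: "192.0.2.10", method: "POST",
    path: "/api/search", body: '{"query":"status"}' }),
  JSON.stringify({ ts: "2025-12-05T10:00:07Z", src: "203.0.113.7", method: "POST",
    path: "/", body: "cmd=whoami; echo x > /tmp/pwned.txt" }),
  JSON.stringify({ ts: "2025-12-05T10:00:09Z", src: "198.51.100.9", method: "POST",
    path: "/", body: "cat%20%2Fetc%2Fpasswd" }),
  "this line is not json",
].join("\n");

for (const a of scanLog(SAMPLE_LOG)) {
  console.log(`${a.ts} ${a.src} ${a.path} -> ${a.hits.join(", ")}`);
}
```

Two hits from the same `/24` within seconds, as in the sample, is the pattern worth pivoting on: the source addresses that sent these payloads are what to search for across the rest of the estate, including the other *n*-day targets the report mentions.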
## References
- [The Hacker News: critical RSC bugs in React and Next.js (CVE-2025-55182 disclosure)](https://thehackernews.com/2025/12/critical-rsc-bugs-in-react-and-nextjs.html)
- [AWS Security Blog: China-nexus threat groups rapidly exploit React2Shell (CVE-2025-55182)](https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/)
- [JFrog Security Research: React2Shell analysis](https://research.jfrog.com/post/react2shell/)