China-nexus threat groups are actively exploiting a newly disclosed vulnerability in React Server Components, dubbed “React2Shell,” just hours after its public release. The critical flaw, identified as CVE-2025-55182, allows unauthenticated attackers to execute arbitrary code on the server side of web applications. Early observations indicate widespread scanning of internet-facing React and Next.js applications, with a particular focus on high-value cloud environments.
The React2Shell vulnerability impacts React version 19.x and Next.js versions 15.x and 16.x when utilizing the App Router feature. Importantly, even applications not explicitly using server actions are vulnerable as long as they support React Server Components, significantly expanding the potential attack surface for organizations that have adopted these modern web development stacks but have not yet applied necessary patches.
React2Shell Vulnerability Draws Immediate Threat Actor Attention
Security analysts and researchers first observed live exploit traffic targeting the React2Shell flaw within their MadPot honeypot network shortly after the advisory went public. This rapid exploitation underscores the urgency for developers to address the vulnerability. While security vendors have responded by pushing out new defenses and updating managed rules, they emphasize that these measures do not negate the fundamental need for prompt patching on customer-managed infrastructure.
Evidence suggests that China-nexus-aligned groups, including those tracked as Earth Lamia and Jackpot Panda, are among the first to weaponize this exploit. These threat actors have been observed actively testing public proof-of-concept code against live applications, indicating a concerted effort to leverage the vulnerability for malicious purposes. Some attack clusters have been observed dedicating significant time to meticulously crafting payloads, attempting common commands such as whoami and id, and experimenting with file operations like writing to /tmp/pwned.txt and reading from /etc/passwd.
The React2Shell vulnerability (CVE-2025-55182) carries a critical severity rating with a CVSS score of 10.0. Its attack vector is remote and unauthenticated, exploiting an unsafe deserialization process within React Server Components. The primary impact is remote code execution on the Node.js server. Key indicators for detecting exploitation attempts include specific HTTP headers and patterns such as "next-action" and "rsc-action-id", the presence of the character sequence "$@", and the JSON response fragment "status":"resolved_model".
Understanding the React2Shell Infection Flow
The typical attack chain for React2Shell begins with a specially crafted HTTP POST request directed at a React Server Components endpoint. The request body contains a forged “action” payload designed to exploit an unsafe deserialization mechanism. This process allows attackers to inject JavaScript code that is then executed on the server.
For instance, a simplified malicious request might appear as follows:
POST /_rsc HTTP/1.1
Host: victim[.]example
Content-Type: application/json

{"next-action":"$@malicious_payload","status":"resolved_model"}
Upon successful exploitation, the compromised server may initiate shell commands, create files within temporary directories like /tmp, or establish new outbound network connections from the Node.js process. While many publicly available exploits may be incomplete or non-functional, attackers are often seen deploying them at a massive scale. This broad-spectrum scanning can generate significant log noise, potentially masking more targeted and successful exploitation chains.
Incident responders are advised to actively hunt for the aforementioned HTTP headers and patterns within their application logs. Additionally, monitoring for unusual child processes originating from Node.js instances can serve as a critical indicator of compromise, enabling faster detection and response to potential React2Shell attacks.
Moving forward, organizations utilizing React and Next.js applications with Server Components should prioritize immediate patching and implement robust security monitoring. The ongoing activities of threat groups like Earth Lamia and Jackpot Panda suggest that exploitation attempts are likely to continue and potentially evolve as defenders adapt. A comprehensive understanding of the attack vectors and indicators of compromise will be crucial for mitigating the risks associated with CVE-2025-55182.