The cycle of vulnerability disclosure and weaponization has shattered records once again. According to a new threat intel from Amazon Web Services (AWS), state-sponsored hacking groups linked to China began actively exploiting a critical vulnerability nicknamed “React2Shell,” in popular web development frameworks mere hours after its public release.
The React2Shell vulnerability, tracked as CVE-2025-55182, affects React Server Components in React 19.x and Next.js versions 15.x and 16.x when using the App Router. The flaw carries the maximum severity score of 10.0 on the CVSS scale, enabling unauthenticated remote code execution (RCE).
The Rapid Weaponization Race
The vulnerability was publicly disclosed on Wednesday, December 3. AWS threat intelligence teams, monitoring their MadPot honeypot infrastructure, detected exploitation attempts almost immediately.
The threat actors identified in the flurry of activity are linked to known China state-nexus cyber espionage groups, including:
-
Earth Lamia: Known for targeting financial services, logistics, and government organizations across Latin America, the Middle East, and Southeast Asia.
-
Jackpot Panda: A group typically focused on East and Southeast Asian entities, often aligned with domestic security interests.
“China continues to be the most prolific source of state-sponsored cyber threat activity, with threat actors routinely operationalizing public exploits within hours or days of disclosure,” stated an AWS Security Blog post announcing the findings.
The speed of operation showcased how the window between public disclosure and active attack is now measured in minutes, not days.
Also read: China-linked RedNovember Campaign Shows Importance of Patching Edge Devices
Hacker’s New Strategy of Speed Over Precision
The AWS analysis also revealed a crucial insight into modern state-nexus tactics that threat groups are prioritizing volume and speed over technical accuracy.
Investigators observed that many attackers were attempting to use readily available, but often flawed, public Proof-of-Concept (PoC) exploits pulled from the GitHub security community. These PoCs frequently demonstrated fundamental technical misunderstandings of the flaw.
Despite the technical inadequacy, threat actors are aggressively throwing these PoCs at thousands of targets in a “volume-based approach,” hoping to catch the small percentage of vulnerable configurations. This generates significant noise in logs but successfully maximizes their chances of finding an exploitable weak link.
Furthermore, attackers were not limiting their focus, simultaneously attempting to exploit other recent vulnerabilities, demonstrating a systematic, multi-pronged campaign to compromise targets as quickly as possible.
Call for Patching
While AWS has deployed automated protections for its managed services and customers using AWS WAF, the company is issuing an urgent warning to any entity running React or Next.js applications in their own environments (such as Amazon EC2 or containers).
The primary mitigation remains immediate patching.
“These protections aren’t substitutes for patching,” AWS warned. Developers must consult the official React and Next.js security advisories and update vulnerable applications immediately to prevent state-sponsored groups from gaining RCE access to their environments.
CVE-2025-55182 enables an attacker to achieve unauthenticated Remote Code Execution (RCE) in vulnerable versions of the following packages:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
AWS’ findings states a cautious tale that a vulnerability with a CVSS 10.0 rating in today’s times becomes a national security emergency the moment it hits the public domain.
