Critical React2Shell Vulnerability Under Active Exploitation by Chinese Threat Actors


Last updated on 9 December.

A critical vulnerability in React Server Components is allegedly being actively exploited by multiple Chinese threat actors. Recorded Future recommends that organizations patch their systems immediately.

What’s Happening

CVE-2025-55182, dubbed “React2Shell,” affects React Server Components versions 19.0, 19.1.0, 19.1.1, and 19.2.0 in several Meta packages. Amazon’s AWS Threat Intelligence team reported on December 4 that Chinese threat groups including Earth Lamia, Jackpot Panda, and several untracked clusters are actively exploiting this vulnerability. However, AWS has not provided any further evidence for these attributions beyond IP addresses allegedly used by these threat groups. At this stage, Insikt Group cannot exclude the possibility that the same threat group might still be using the IP address 206[.]237[.]3[.]150, but we are currently unable to verify AWS’s attribution to Earth Lamia.

The vulnerability stems from unsafe payload deserialization at React Server Function endpoints. When successfully exploited, attackers can execute arbitrary code through crafted HTTP requests, potentially leading to complete backend compromise.
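To check whether a project pins one of the affected versions listed above, the following added example (not from Recorded Future or the React project) scans an npm lockfile, including nested installs. The three `react-server-dom-*` package names are not given on this page and are assumed here, "19.0" is read as 19.0.0, and the sample lockfile is constructed.

```javascript
// Assumption: the page says "several Meta packages" without naming them;
// these three react-server-dom-* names are assumed for this example.
const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);
// Versions from the article; "19.0" is read as 19.0.0 (assumption).
const AFFECTED_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);

function isAffected(name, version) {
  return AFFECTED_PACKAGES.has(name) && AFFECTED_VERSIONS.has(version);
}

// Lockfile v2/v3: flat "packages" map keyed by install path.
function scanPackages(packages, hits) {
  for (const [path, meta] of Object.entries(packages || {})) {
    // The package name is whatever follows the last "node_modules/".
    const name = meta.name || path.split("node_modules/").pop();
    if (isAffected(name, meta.version)) hits.push({ path, name, version: meta.version });
  }
}

// Lockfile v1: nested "dependencies" tree, walked recursively.
function scanDependencies(deps, prefix, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (isAffected(name, meta.version)) hits.push({ path, name, version: meta.version });
    scanDependencies(meta.dependencies, `${path}/`, hits);
  }
}

// Takes the text of package-lock.json and returns every affected entry.
function findAffected(lockfileText) {
  const lock = JSON.parse(lockfileText);
  const hits = [];
  if (lock.packages) scanPackages(lock.packages, hits);
  else scanDependencies(lock.dependencies, "", hits);
  return hits;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = JSON.stringify({ lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/react": { version: "19.1.0" }, // name not in the assumed list
  "node_modules/react-server-dom-webpack": { version: "19.1.1" },
  "node_modules/some-framework/node_modules/react-server-dom-turbopack": { version: "19.2.1" }, // version not listed
  "node_modules/other/node_modules/react-server-dom-parcel": { version: "19.0.0" },
} });
console.log(findAffected(SAMPLE_LOCK));
```

A clean result covers only packages recorded in the lockfile; a copy bundled inside a framework's own build output is not visible to this check.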

CVE-2025-55182 (React2Shell) Intelligence Card®
