Chinese Hackers Exploiting React2Shell Vulnerability

Cloud security teams are reporting a rapid surge in exploitation attempts targeting React2Shell, a newly disclosed critical vulnerability in React Server Components that affects React 19 applications. The flaw, tracked as CVE-2025-55182, has already drawn the attention of multiple China-linked threat groups, according to an alert published Thursday by Amazon Web Services (AWS).

Critical Remote Code Execution Flaw Emerges

React2Shell allows an unauthenticated attacker to achieve remote code execution (RCE) on the server by sending maliciously crafted HTTP requests to an affected application. Researcher Lachlan Davidson reported the issue to React’s maintainer, Meta, on November 29. Patched releases (React 19.0.1, 19.1.2 and 19.2.1) were published on December 3.

Because React is one of the most widely used UI frameworks in the world, powering millions of websites and downloaded millions of times weekly from npm, security firms warn the potential impact is significant. Cloud security company Wiz estimates that nearly 40% of cloud environments contain vulnerable React installations.

Davidson has launched a public site dedicated to React2Shell but has withheld the full technical details. That has not stopped researchers and threat actors alike from reverse-engineering the patch to work out how the bug can be exploited.

PoC Exploits Surface—Some Real, Many Fake

Shortly after the vulnerability became public, several proof-of-concept (PoC) exploits were shared online. Many were quickly debunked as fraudulent, though at least one functional PoC has surfaced.

This burst of activity has triggered a wave of internet-wide scanning and a rise in attacks attempting to leverage the bug, using both the genuine PoCs and the fake ones.

AWS: China-Linked Hackers Moving Fast

AWS said its intelligence teams detected exploitation attempts within hours of the vulnerability’s disclosure, noting that the activity appears tied to China-associated operators.

Due to shared infrastructure and overlapping tooling, attribution remains difficult. However, AWS believes the groups Earth Lamia and Jackpot Panda are likely behind many of the early probes.

  • Earth Lamia has been active since at least 2023, targeting sectors across Latin America, the Middle East, and Southeast Asia, often exploiting newly disclosed vulnerabilities.
  • Jackpot Panda, active since 2020, is known for espionage operations in Asia.

According to AWS, attackers are combining automated scanning tools with manual PoC testing, indicating a hybrid approach designed to rapidly identify and compromise vulnerable servers.

Exploitation Attempts Are Still Evolving

Security experts say the race to weaponize React2Shell has led some attackers to rely on fake exploits, which fail in real-world conditions. AWS confirmed that several malicious actors have attempted to use these bogus PoCs—evidence of how quickly adversaries are trying to act.

But the cloud provider emphasized that more capable threat groups are actively refining their methods.

“This behavior shows attackers are not simply scanning—they are debugging and improving their exploit attempts against live systems,” AWS reported.

Scope of Vulnerability Narrower Than Initial Fears

Security researcher Kevin Beaumont noted that React2Shell only affects React 19, and specifically deployments that use React Server Components, a relatively new server-side feature, which narrows the overall attack surface considerably: client-only React applications and React 18 are not exposed. Nonetheless, major vulnerability scanning platforms and offensive tools are already incorporating CVE-2025-55182, which is likely to accelerate the pace of attempted exploitation.

Defensive Guidance and Detection Tools Released

To help organizations respond, AWS has released indicators of compromise (IoCs) linked to React2Shell exploitation. Threat intelligence firm Searchlight Cyber has also published what it describes as a high-fidelity detection method for identifying vulnerable systems and attempted attacks.

With functional exploits now publicly available and threat actors racing to operationalize them, security teams are urged to apply Meta’s patches immediately and review exposed infrastructure for suspicious activity.
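The scope described above (React 19 only, and only deployments using React Server Components) turns into a concrete inventory check. The following is an added example, not code from the article, from AWS or from the React project: a Node.js script that scans an npm lockfile for the React Server Components packages (react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack) at versions below the fixed releases. The fixed-version numbers (19.0.1, 19.1.2, 19.2.1) are taken from the React team's advisory and should be confirmed against the current advisory before being relied on; the sample lockfile is constructed for illustration and the function names are this example's own. Because server components are usually pulled in transitively by a framework rather than installed directly, the script walks nested installs rather than only top-level dependencies.

```javascript
// Added example (not from the article, AWS or the React project): scan an
// npm lockfile for React Server Components packages in the CVE-2025-55182
// affected range. The vulnerable code lives in the react-server-dom-*
// packages, not in client-only "react", so only those are flagged.
// Affected: 19.0.0 to 19.2.0; fixed in 19.0.1, 19.1.2 and 19.2.1
// (per the React team's advisory; confirm against the current advisory).

const AFFECTED_PACKAGES = new Set([
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
]);

// First fixed patch level for each affected 19.x minor line.
const FIXED_PATCH_BY_MINOR = { 0: 1, 1: 2, 2: 1 };

// Pull major.minor.patch out of a version string; tolerates range prefixes
// ("^19.0.0") and prerelease suffixes ("19.0.0-rc.1" is treated as 19.0.0).
function parseVersion(v) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? { major: +m[1], minor: +m[2], patch: +m[3] } : null;
}

function isVulnerableVersion(v) {
  const p = parseVersion(v);
  if (!p || p.major !== 19) return false;           // only React 19 is affected
  const fixedPatch = FIXED_PATCH_BY_MINOR[p.minor];
  if (fixedPatch === undefined) return false;       // minor not in the published range
  return p.patch < fixedPatch;
}

// Walk a parsed package-lock.json (lockfileVersion 1, 2 or 3) and return
// every affected react-server-dom-* install, including nested/transitive ones.
function findVulnerable(lock) {
  const hits = [];
  if (lock.packages) {                                // lockfileVersion 2 or 3
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = path.split('node_modules/').pop(); // last segment is the package name
      if (AFFECTED_PACKAGES.has(name) && isVulnerableVersion(meta.version)) {
        hits.push({ name, version: meta.version, path });
      }
    }
  } else if (lock.dependencies) {                     // lockfileVersion 1
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (AFFECTED_PACKAGES.has(name) && isVulnerableVersion(meta.version)) {
          hits.push({ name, version: meta.version, path });
        }
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample lockfile (not a real project): two vulnerable installs,
// one already-patched nested install, and client-only react (not flagged).
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },                     // vulnerable
    'node_modules/legacy-tool/node_modules/react-server-dom-webpack': { version: '19.1.2' }, // fixed
    'node_modules/react-server-dom-turbopack': { version: '19.0.0' },                   // vulnerable
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  // Usage: node check-react2shell.js [path/to/package-lock.json]
  const lock = process.argv[2]
    ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  const hits = findVulnerable(lock);
  for (const h of hits) console.log(`VULNERABLE ${h.name}@${h.version} at ${h.path}`);
  if (hits.length === 0) console.log('no affected react-server-dom-* versions found');
}
```

Run against the constructed sample it reports the two unpatched react-server-dom-* installs and stays silent on the client-only react package and the already-patched nested copy. Pointing it at a real package-lock.json gives an inventory of what actually has to be upgraded; it says nothing about whether the server routes that handle server-function requests are reachable, which still needs to be checked against exposed infrastructure as the article advises.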

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO