CVE-2025-55182: Immediate Operationalization of React2Shell by China-Nexus Threat Actors

Dec 8, 2025 | By Rakshitha | 4 min read

Within hours of the public disclosure of CVE-2025-55182 (React2Shell) on December 3, 2025, security researchers observed active exploitation attempts from several China-nexus cyber threat groups, including Earth Lamia and Jackpot Panda. This critical unauthenticated remote code execution vulnerability affects React Server Components in React 19.x and Next.js 15.x and 16.x when the App Router is enabled. While managed cloud services are not impacted, this information is being shared to help organizations running React or Next.js in their own environments take immediate action. The rapid surge in exploitation attempts reflects a consistent pattern in which China-linked threat actors quickly weaponize newly disclosed public vulnerabilities.

Background on the Threat Groups

Earth Lamia

Earth Lamia is a China-nexus threat actor heavily involved in exploiting web application vulnerabilities. Historical targeting includes:

  • Financial services
  • Logistics
  • Retail
  • IT organizations
  • Universities
  • Government sectors

The group is known for broad regional targeting across Latin America, the Middle East, and Southeast Asia.

Jackpot Panda

Jackpot Panda primarily targets entities across East and Southeast Asia, aligned with domestic security and corruption-related intelligence priorities. The group often leverages newly disclosed internet-facing vulnerabilities in its campaigns.

Vulnerability Details

  • CVE-ID: CVE-2025-55182
  • CVSS Score: 10.0 (Critical)
  • EPSS Score: 27.19%
  • Vulnerability: Remote Code Execution (RCE)
  • Affected Product: React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, and Next.js versions 15.x, 16.x, and 14.3.0-canary.77 and later canary releases, when the App Router is used.

Infection Method / Exploitation Technique

1. Immediate Operationalization

Within hours of disclosure, threat actors:

  • Integrated public PoCs into scanning infrastructure
  • Launched broad, automated exploitation campaigns
  • Used multiple PoCs (including non-functional ones) to maximize hit rates

2. Automated and Manual Exploitation Attempts

Threat groups used:

  • Automated scanners with user-agent randomization
  • Individual PoC payloads
  • Concurrent exploitation of other N-days (e.g., CVE-2025-1338)

3. Low-Quality PoCs Still Used Widely

Many public PoCs:

  • Register dangerous modules like fs, child_process, or vm in the RSC manifest (not used in real apps)
  • Would remain vulnerable even after patching
  • Misunderstand RSC internals

Still, attackers rely on them because of:

  • Speed over accuracy
  • Volume over reliability
  • Low barrier to entry
  • Noise generation to obscure real attempts

4. Persistent, Manual Debugging Attempts

Notable example from the AWS MadPot honeypot:

  • IP 183[.]6.80.214 conducted 116 requests over 52 minutes
  • Systematically tested payloads
  • Attempted:
    • Reconnaissance commands (whoami, id)
    • Reading /etc/passwd
    • Writing /tmp/pwned.txt
  • Demonstrated live troubleshooting and adjustment of payloads

Impact

If exploited, React2Shell allows attackers to:

  • Execute arbitrary commands remotely
  • Read sensitive files (/etc/passwd)
  • Write arbitrary files (e.g., /tmp/pwned.txt)
  • Gain full control over vulnerable applications
  • Pivot further into the hosting environment

Visual Flow

1. Public disclosure of CVE-2025-55182
2. China-nexus groups rapidly integrate public PoCs (Earth Lamia, Jackpot Panda, shared anonymization infrastructure, unattributed clusters)
3. Automated scanning and early exploitation attempts (user-agent randomization, repeated payload testing)
4. Manual debugging and refinement of exploit attempts (long-duration testing, whoami/id execution, file write attempts, reading /etc/passwd)
5. Integration into broader multi-CVE campaigns (simultaneous attempts against other N-days such as CVE-2025-1338)
6. Potential target compromise if the application remains unpatched (remote code execution, unauthorized actions, persistence attempts)

Indicators of Compromise (IOCs)

Network indicators

  • HTTP POST requests to application endpoints with next-action or rsc-action-id headers
  • Request bodies containing $@ patterns
  • Request bodies containing "status":"resolved_model" patterns

Host-based indicators

  • Unexpected execution of reconnaissance commands (whoami, id, uname)
  • Attempts to read /etc/passwd
  • Suspicious file writes to the /tmp/ directory (for example, pwned.txt)
  • New processes spawned by Node.js/React application processes

Threat actor infrastructure

Mitigation Steps

  • Systems running React 19.x with Server Functions and React Server Components should be updated to the patched versions 19.0.1, 19.1.2, or 19.2.1.
  • Systems running Next.js 15 or 16 with the App Router should be updated to a patched version.
  • Review application and web server logs for suspicious activity.
  • Look for POST requests with next-action or rsc-action-id headers.
  • Check for unexpected process execution or file modifications on application servers.
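As an added example (not code from the SecPod post), the following Python script applies the network indicators listed above and the log-review step from the mitigation list to request records pulled from an application or web server log. The severity tiers and the sample request records are this example's own assumptions: a next-action header on its own is ordinary Next.js Server Action traffic, so only the combination with one of the body patterns is rated high.

```python
import re

# Network indicators listed in the advisory above.
SUSPECT_HEADERS = ("next-action", "rsc-action-id")
BODY_PATTERNS = {
    "$@ marker": re.compile(r"\$@"),
    "resolved_model status": re.compile(r'"status"\s*:\s*"resolved_model"'),
}

def inspect_request(req):
    """Return (severity, reasons). Tiers are this example's convention: a
    next-action header alone is normal Server Action traffic, so it rates
    'low' unless one of the body patterns is present as well."""
    if req.get("method", "").upper() != "POST":
        return "none", []
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    header_hits = [f"header {h}" for h in SUSPECT_HEADERS if h in headers]
    body = req.get("body", "")
    body_hits = [f"body contains {label}" for label, pat in BODY_PATTERNS.items()
                 if pat.search(body)]
    reasons = header_hits + body_hits
    if header_hits and body_hits:
        return "high", reasons
    if body_hits:
        return "medium", reasons
    if header_hits:
        return "low", reasons
    return "none", reasons

def triage(requests):
    """Return [(id, severity, reasons)] for every request scoring above 'none'."""
    out = []
    for req in requests:
        severity, reasons = inspect_request(req)
        if severity != "none":
            out.append((req["id"], severity, reasons))
    return out

# Constructed sample records; header and body values are made up for the demo.
SAMPLE_REQUESTS = [
    {"id": "r1", "method": "GET", "headers": {"User-Agent": "curl/8.0"}, "body": ""},
    {"id": "r2", "method": "POST", "headers": {"Next-Action": "abc123"}, "body": '["hello"]'},
    {"id": "r3", "method": "POST", "headers": {"next-action": "abc123"},
     "body": '{"status":"resolved_model","value":"$@1"}'},
    {"id": "r4", "method": "POST", "headers": {"Content-Type": "application/json"},
     "body": '{"status": "resolved_model"}'},
]
```

Run `triage(SAMPLE_REQUESTS)` over records parsed from your own logs; "high" results are the ones to pivot into the host-based checks listed above.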

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.
