AWS: Beijing-Linked Hackers Hammering Max-Severity React Bug
China-linked groups Earth Lamia and Jackpot Panda exploit React2Shell vulnerability to execute remote JavaScript on thousands of servers, with 39% of cloud environments vulnerable, researchers say.
- On December 3, 2025, Amazon Web Services reported that China-linked groups Earth Lamia and Jackpot Panda exploited React2Shell, an insecure deserialization flaw in the React Server Components 'Flight' protocol that allows unauthenticated remote JavaScript execution.
- Proof-of-concept exploits appeared rapidly, including fake variants. React and Next.js maintainers issued updates, though thousands of dependent projects remain exploitable by default.
- AWS observed repeated payload attempts and Linux commands, while attacking clusters shared anonymization infrastructure, complicating tracking amid iterative manual testing.
- Wiz researchers found 39% of cloud environments vulnerable to React2Shell attacks, targeting financial services, logistics, retail, IT companies, universities, and government sectors in Latin America, the Middle East, and Southeast Asia; Assetnote released a scanner on GitHub.
- Earth Lamia focuses on exploiting web application vulnerabilities while Jackpot Panda targets East and Southeast Asia to collect intelligence, and CVE-2025-66478 was rejected as a duplicate of CVE-2025-55182 despite exploits confirmed by Rapid7 researcher Stephen Fewer and Elastic Security's Joe Desimone.
15 Articles
Chinese hackers exploiting React2Shell bug impacting countless websites, Amazon researchers say
The bug, tagged as CVE-2025-55182 and referred to colloquially as React2Shell, was reported to Meta by researcher Lachlan Davidson on November 29 and publicly disclosed on Wednesday, when a fix was rolled out.
Chinese Hackers Have Started Exploiting the Newly Disclosed React2Shell Vulnerability
Two hacking groups with ties to China have been observed weaponizing the newly disclosed security flaw in React Server Components (RSC) within hours of it becoming public knowledge. The vulnerability in question is CVE-2025-55182 (CVSS score: 10.0), aka React2Shell, which allows unauthenticated remote code execution. It has been addressed in React versions 19.0.1, 19.1.2, and 19.2.1. According
React4Shell (React2Shell) Is being exploited at scale: Critical Unauthenticated RCE in React RSC Flight (CVE-2025-55182) and Next.js (CVE-2025-66478)
React4Shell (also tracked as React2Shell and “Freight Night”) turns React Server Components into an unauthenticated remote code execution path via the Flight protocol. Public PoCs are circulating, scanning is spiking, and large-scale exploitation has already been reported. Patch fast, then verify what’s actually running.