
Chinese hackers exploiting React2Shell bug impacting countless websites, Amazon researchers say

State-backed hackers in China are exploiting a vulnerability in a popular open-source tool that is built into thousands of widely used digital products, according to new reports.

React Server Components are part of React, the library Meta has maintained for many years; it is now embedded in 50 million websites and products built by countless major firms.

The bug, tracked as CVE-2025-55182 and nicknamed React2Shell, was reported to Meta by researcher Lachlan Davidson on November 29 and publicly disclosed on Wednesday, when a fix was released. The vulnerability carries a "critical" CVSS severity score of 10 out of 10.

On Thursday evening, Amazon Integrated Security CISO CJ Moses said his team observed the bug being exploited by "multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda." On Friday the bug was also added to the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog.

Moses went on to say the exploitation attempts came from IP addresses and infrastructure linked to known China state-nexus threat actors but noted that attribution is challenging due to “anonymization infrastructure among Chinese threat groups.”

Earth Lamia is a group known to target organizations across Latin America, the Middle East, and Southeast Asia, with a specific focus on financial services, logistics, retail, IT and government organizations. Jackpot Panda focuses on entities in East and Southeast Asia; Amazon researchers said the latter group's targeting "likely aligns to collection priorities pertaining to domestic security and corruption concerns."

Moses noted that many other, unattributed threat groups whose activity shares characteristics with known Chinese groups are also exploiting CVE-2025-55182.

Amazon saw threat actors using both automated scanning tools and individual PoC exploits. Moses echoed the observations of several other cybersecurity researchers in noting that many threat actors are attempting to use PoCs that don’t work.   

Moses listed one example where an unattributed threat actor tried to exploit the bug repeatedly over the course of an hour, trying 116 times with multiple exploit payloads. 

“Despite the technical inadequacy of many public PoCs, threat actors are still attempting to use them,” he said. “This behavior demonstrates that threat actors aren’t just running automated scans, but are actively debugging and refining their exploitation techniques against live targets.”

Moses added that the speed at which the Chinese groups were able to operationalize public PoC exploits underscores a critical reality: when PoCs hit the internet, sophisticated threat actors “are quick to weaponize them.”
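Detection logic for the behaviour Moses describes, as an added example that is not from the article, from Amazon or from the React project: it reads web-server access records and flags any single source that sends many POST requests with many different request bodies inside a one-hour window, which is what an operator iterating on a broken PoC against a live target looks like from the server side. The log schema (timestamp, client IP, method, path, status, truncated SHA-256 of the request body) and every sample line are constructed for this example, and the thresholds are assumptions to tune against your own traffic.

```javascript
// Added example, not code from the article, Amazon or React: flag a source
// that keeps re-sending POST requests with changing bodies inside a short
// window, the "debugging a PoC against a live target" pattern Amazon saw
// (116 attempts in one hour with several payloads). The log schema and every
// line below are constructed for this example:
//   <ISO timestamp> <client IP> <method> <path> <status> <sha256 of body, truncated>
const SAMPLE_LOG = `
2025-12-04T21:00:02Z 203.0.113.7  POST /dashboard 500 3fa9c1e0
2025-12-04T21:03:17Z 203.0.113.7  POST /dashboard 500 3fa9c1e0
2025-12-04T21:07:44Z 203.0.113.7  POST /dashboard 400 b07d2a11
2025-12-04T21:12:09Z 203.0.113.7  POST /dashboard 500 c44e9f02
2025-12-04T21:20:31Z 203.0.113.7  POST /dashboard 500 d1a5e7b3
2025-12-04T21:29:58Z 203.0.113.7  POST /dashboard 200 e98b4c6f
2025-12-04T21:01:10Z 198.51.100.4 POST /dashboard 400 77aa00ff
2025-12-04T21:01:11Z 198.51.100.4 POST /login     400 77aa00ff
2025-12-04T21:01:12Z 198.51.100.4 POST /admin     404 77aa00ff
2025-12-04T21:15:00Z 192.0.2.9    POST /dashboard 200 0c0ffee0
2025-12-04T21:40:00Z 192.0.2.9    POST /dashboard 200 5ca1ab1e
2025-12-04T21:41:00Z 192.0.2.9    GET  /dashboard 200 -
`;

function parseLine(line) {
  const fields = line.trim().split(/\s+/);
  if (fields.length < 6) return null; // blank or truncated line
  const [ts, ip, method, path, status, bodyHash] = fields;
  return { ts: Date.parse(ts), ip, method, path, status: Number(status), bodyHash };
}

// For each source IP, slide a window of windowMs over its POSTs (sorted by
// time) and keep the densest window that has at least minAttempts requests
// and at least minDistinctPayloads different request bodies.
function findPayloadBursts(logText, opts = {}) {
  const { windowMs = 60 * 60 * 1000, minAttempts = 5, minDistinctPayloads = 3 } = opts;
  const byIp = new Map();
  for (const line of logText.split('\n')) {
    const e = parseLine(line);
    if (!e || e.method !== 'POST') continue;
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e);
  }
  const hits = [];
  for (const [ip, events] of byIp) {
    events.sort((a, b) => a.ts - b.ts);
    let best = null;
    for (let i = 0; i < events.length; i++) {
      const payloads = new Set();
      const paths = new Set();
      let j = i;
      while (j < events.length && events[j].ts - events[i].ts <= windowMs) {
        payloads.add(events[j].bodyHash);
        paths.add(events[j].path);
        j++;
      }
      const attempts = j - i;
      if (attempts >= minAttempts && payloads.size >= minDistinctPayloads &&
          (best === null || attempts > best.attempts)) {
        best = {
          ip,
          attempts,
          distinctPayloads: payloads.size,
          paths: [...paths].sort(),
          first: new Date(events[i].ts).toISOString(),
          last: new Date(events[j - 1].ts).toISOString(),
        };
      }
    }
    if (best) hits.push(best);
  }
  return hits;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const h of findPayloadBursts(SAMPLE_LOG)) {
    console.log(`${h.ip}: ${h.attempts} POSTs, ${h.distinctPayloads} distinct bodies, ` +
                `${h.first} .. ${h.last}, paths ${h.paths.join(',')}`);
  }
}
```

Grouping by source address rather than by path keeps an attacker who rotates target paths in one bucket, and counting distinct body hashes separates a scanner that replays one probe everywhere (198.51.100.4 above) from an operator iterating on payloads (203.0.113.7); lowering minDistinctPayloads to 1 and minAttempts to 3 catches the scanner as well. Treat the per-address view as a first pass only: Moses notes that these groups sit behind anonymization infrastructure, so one operator may show up as several addresses.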

In addition to Amazon, cybersecurity firm Flashpoint said it saw attackers attempting to widely exploit the bug but told Recorded Future News that it was “preliminary scanning” and “not the kind that will deliver real exploitation.”

Most incident response companies warned that the vulnerability will be exploited at scale in the coming days and weeks as PoCs spread widely.

The heavy lifting

React is a JavaScript library for building user interfaces, deployed by an estimated 6% of all websites; most users encounter it without noticing, in pages that update in place rather than reloading. In the browser, React re-renders only the parts of a page that have changed, which cuts load time and the resources needed. React Server Components extend that model by running parts of a page on the server and sending the rendered result to the browser, so the heavy work and the data access happen server-side.

Justin Moore, senior manager of threat intel research at Palo Alto Networks' Unit 42, explained that React Server Components do the heavy lifting and the secret keeping for websites and dashboards: they assemble content on the server and talk to back-end systems so that credentials never have to reach the browser.

“You see the results of them every day. Building the main content of a product page or news article so your phone doesn't have to work hard or talking to a database to get your private billing info, so your passwords and keys never leave the secure server,” he said. 

He used the example of a news site, explaining that the React Server Component acts like a go-between who does all the heavy preparation before the content reaches the user. 

The vulnerability, according to Moore, is a critical threat because it effectively serves as a “master key exploit, succeeding not by crashing the system, but by abusing its trust in incoming data structures.”

“The system executes the malicious payload with the same reliability as legitimate code because it operates exactly as intended, but on malicious input,” he said.

Sonatype researcher Garrett Calpouzos added that attackers are now scanning the internet for servers running the vulnerable components in an attempt to get in before developers have a chance to patch.

Once they find an exposed system, they can upload malware, steal data, take down websites or use that server to pivot into other environments, he said. 

Other experts said the bug is emblematic of a bigger problem with modern technology, where the line between front end and back end has effectively disappeared. Sectigo’s Jason Soroko said developers adopted React to make interfaces feel faster and cut server costs but essentially turned a familiar library into an engine that sits directly on the network edge.

Now, teams must hunt through complex cloud estates where React server features may be buried inside microservices, serverless functions, or vendor appliances, while attackers only need to locate one forgotten instance among the many environments shown to be vulnerable in recent scans, Soroko said. 
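One concrete way to run the hunt Soroko describes, and to find the exposed systems Calpouzos says attackers are scanning for, as an added example that is not from the article or from the React project: a Node script that walks an npm lockfile and lists every copy of the React Server Components runtime packages, including copies nested under other dependencies, against a patched floor for each affected minor line. The package names and the floor versions are assumptions to confirm against Meta's advisory for CVE-2025-55182 before trusting a "patched" verdict; the lockfile is constructed for the example, and only npm lockfileVersion 2/3 is handled (pnpm and yarn lockfiles need their own walker).

```javascript
// Added example, not code from the article or from React: inventory the
// React Server Components runtime packages in an npm lockfile and flag
// versions below an assumed patched floor. With no argument it scans the
// constructed lockfile below; with a path it scans that package-lock.json.

// ASSUMPTION: the package family carrying the RSC server runtime and the
// patched floor for each affected minor line. Confirm both against Meta's
// advisory for CVE-2025-55182 before trusting a "patched" verdict.
const RSC_PACKAGES = new Set([
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
]);
const PATCHED_FLOORS = { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' };

// Constructed lockfile (npm lockfileVersion 3 shape) covering the cases that
// matter: a stale top-level copy, a patched nested copy, a canary build and a
// version outside the floors table.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/legacy-dashboard/node_modules/react-server-dom-webpack': { version: '19.1.2' },
    'node_modules/react-server-dom-turbopack': { version: '19.2.1-canary-3f2a9c' },
    'node_modules/react-server-dom-parcel': { version: '18.3.1' },
  },
};

// "MAJOR.MINOR.PATCH[-prerelease]" -> comparable parts.
function parseVersion(v) {
  const dash = v.indexOf('-');
  const core = dash === -1 ? v : v.slice(0, dash);
  const [major, minor, patch] = core.split('.').map(Number);
  return { major, minor, patch, prerelease: dash !== -1 };
}

// Semver ordering: numeric core first; a prerelease of the same core sorts
// below the release, so 19.2.1-canary-x is NOT 19.2.1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  if (pa.prerelease === pb.prerelease) return 0;
  return pa.prerelease ? -1 : 1;
}

// 'vulnerable' | 'patched' | 'unknown-line' (no floor known for that minor).
function classify(version, floors = PATCHED_FLOORS) {
  const { major, minor } = parseVersion(version);
  const floor = floors[`${major}.${minor}`];
  if (floor === undefined) return 'unknown-line';
  return compareVersions(version, floor) < 0 ? 'vulnerable' : 'patched';
}

// Walk the "packages" map and report every RSC package instance. Nested
// installs (node_modules/a/node_modules/b) are separate copies and are
// reported separately: a patched top-level copy does not fix a stale copy
// bundled under another dependency.
function findRscPackages(lock, floors = PATCHED_FLOORS) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!RSC_PACKAGES.has(name) || !meta.version) continue;
    findings.push({ path, name, version: meta.version, status: classify(meta.version, floors) });
  }
  return findings;
}

function report(lockPath) {
  const lock = lockPath
    ? JSON.parse(require('fs').readFileSync(lockPath, 'utf8'))
    : SAMPLE_LOCK;
  const findings = findRscPackages(lock);
  for (const f of findings) {
    console.log(`${f.status.padEnd(12)} ${f.name}@${f.version}  (${f.path})`);
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  const lockPath = process.argv[2];
  const findings = report(lockPath);
  // Fail the build only for a real lockfile; the embedded sample is a demo.
  if (lockPath && findings.some((f) => f.status !== 'patched')) process.exitCode = 1;
}
```

Run it as `node rsc-inventory.js path/to/package-lock.json` in each service's CI; it exits non-zero when any copy is below the floor or on a line the table does not cover, so an unknown version gets a human look rather than a pass. A lockfile scan only covers what you build yourself: a vendor appliance or a prebuilt serverless bundle can ship React inside an artifact with no lockfile at all, which is exactly the forgotten instance Soroko warns about.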

“The real lesson for engineering leadership is that any new magic transport that lets servers call code on behalf of users should be treated as core infrastructure and subjected to the same threat modeling discipline as a database wire protocol or RPC framework, well before it becomes the default in production,” he said.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.