Full Report
State-backed attackers started poking the flaw as soon as it dropped – anyone still unpatched is on borrowed time. Amazon has warned that China-nexus hacking crews began hammering the critical React "React2Shell" vulnerability within hours of disclosure, turning a theoretical CVSS 10 hole into a live-fire incident almost immediately.…
Analysis Summary
# Vulnerability: React2Shell Unsafe Deserialization (Critical RCE)
## CVE Details
- CVE ID: CVE-2025-55182
- CVSS Score: 10.0 (Critical)
- CWE: CWE-502 (Deserialization of Untrusted Data)
## Affected Systems
- Products: React Server Components (React's server-side packages) and Next.js, plus any framework that bundles the affected packages
- Versions: releases prior to the patched versions published by React; the exact version numbers are not given on this page and must be taken from the vendor advisory
- Configurations: any deployment that serves requests through a vulnerable server-side React package
## Vulnerability Description
The flaw lies in React's server-side packages, which deserialize untrusted request data unsafely. An unauthenticated attacker who can reach the application over the network can send a specially crafted HTTP request and obtain remote code execution (RCE) on the server.
## Exploitation
- Status: Exploited in the wild (AWS observed China-nexus state-backed groups exploiting it within hours of disclosure).
- Complexity: Low (public proof-of-concept exploits appeared quickly and were picked up by threat actors).
- Attack Vector: Network (a specially crafted HTTP request to the vulnerable server-side component).
## Impact
- Confidentiality: High
- Integrity: High
- Availability: High
- Unauthenticated RCE on the server typically means complete compromise of the host: data theft, tampering, and loss of control or outages.
## Remediation
### Patches
- React shipped patched releases for all affected server-side packages at disclosure. Update to the patched versions immediately.
### Workarounds
- AWS states that the mitigations it has deployed in its managed services **are not substitutes for patching**. Customers running React on EC2, in containers, or on self-managed infrastructure must update immediately.
## Detection
- Indicators of Compromise: scanning and exploit traffic in the form of specially crafted HTTP requests aimed at the vulnerable server-side React components.
- Detection methods and tools: Amazon's MadPot honeypot network recorded exploitation attempts attributed to China state-nexus groups, including Earth Lamia and Jackpot Panda.
## References
- Vendor Advisories: [aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182](https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182)
- Other Analysis: [wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182](https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182)