React2Shell Hits with Perfect Storm Severity
CVE-2025-55182 was disclosed on December 3 2025. It affects React Server Components in React 19.0.0, 19.1.0, 19.1.1 and 19.2.0. The flaw lives in the three packages that implement the RSC wire format, known as the Flight protocol: react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack.
Unsafe deserialization of that wire format lets an unauthenticated attacker send a crafted HTTP request to a server that exposes Server Functions and execute code on it. No login needed. No privileges required. The CVSS score is 10.0, the maximum.
Researchers call it React2Shell. The name nods to Log4Shell, the 2021 Log4j flaw that let attackers into millions of systems. React powers the frontend of a huge share of the web, and with Server Components it now runs on the backend too. One bad deserialization and the attacker owns that backend.
China-Nexus Hackers Strike First
Amazon CISO CJ Moses published the alert on December 4 2025. His teams saw exploitation attempts within hours of disclosure and attributed them to the China state-nexus groups Earth Lamia and Jackpot Panda.
Earth Lamia targets financial, logistics and government organizations in Latin America, the Middle East and Southeast Asia. Jackpot Panda focuses on East and Southeast Asia. Both operate through shared Chinese anonymization networks. Attribution stays fuzzy, but the source ASNs point squarely at Chinese infrastructure.
Attackers run automated scanners and public PoC exploits. Many PoCs fail, but volume makes up for it. They pair React2Shell with other N-day bugs, such as CVE-2025-1338 in NUUO cameras, and scan broadly to maximize hits. An unpatched React server is low-hanging fruit.
Next.js Feels the Ripple
CVE-2025-66478 tracks the same bug in Next.js, which bundles the vulnerable React packages. Affected are the 15.0 through 15.5 release lines up to and including 15.0.4, 15.1.8, 15.2.5, 15.3.5, 15.4.7 and 15.5.6, plus 16.0.0 through 16.0.6, whenever the App Router is used. The root cause is the same as React2Shell: insecure deserialization of Flight protocol payloads.
Vercel, which maintains Next.js, shipped patches on December 3 2025. Upgrade to 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 or 16.0.7. Wiz scans show 39 percent of cloud environments running a vulnerable React or Next.js version, and 69 percent of those run Next.js. Your stack probably qualifies.
Vercel put WAF rules in front of the projects it hosts. Self-hosted deployments get no such free ride: you patch, or you hope the scanners miss you.
Exploitation Wave Builds Fast
Cloudflare had a brief outage on December 5 2025 when it pushed its React2Shell mitigation: the deployment took its proxy down before being rolled back. Rapid7 confirmed a working PoC based on the findings of Lachlan Davidson, the researcher who discovered the bug, and more PoCs are circulating on GitHub and exploit forums.
Broad attacks loom. Chinese groups have industrialized this the way Log4Shell was industrialized: scan the internet, fire the payload, then pivot to credential theft or cryptomining. Wiz observed post-exploitation pivots to cloud credentials. Your server becomes their launchpad.
React fixed the flaw in 19.0.1, 19.1.2 and 19.2.1, all released December 3 2025. Upgrade the react-server-dom-* packages (and Next.js, which pins them) with npm update or yarn upgrade, then audit your lockfile to confirm nothing still resolves to a vulnerable version. If you cannot patch yet, put a WAF rule in front of the RSC endpoints and treat it as a stopgap, not a fix.
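The lockfile audit described above, as an added example that is not code from the article, React, Vercel or any of the vendors it cites. It walks a package-lock.json (lockfile v2/v3 layout, where "packages" maps each node_modules path to its resolved version) and flags the exact react-server-dom-* releases and the Next.js ranges named in the advisories. The embedded sample lockfile is constructed for the demo; pass a real path as the first argument to audit your own project. Assumptions: only stable releases are checked (canary and experimental prereleases are skipped), and the Next.js fix for each minor line is taken to be the patch one above the last vulnerable one, matching the list above.

```javascript
// Added example: audit a package-lock.json for the React2Shell versions.
// Runs offline on Node.js >= 16 with no dependencies.

// Exact vulnerable stable releases of the three Flight packages, each mapped
// to the patched release from the same line.
const REACT_FIXES = {
  '19.0.0': '19.0.1',
  '19.1.0': '19.1.2',
  '19.1.1': '19.1.2',
  '19.2.0': '19.2.1',
};
const REACT_PACKAGES = [
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
];

// Next.js: each minor line is vulnerable up to and including this patch;
// the fix is the next patch in that line (assumption stated in the lead-in).
const NEXT_LAST_VULNERABLE = {
  '15.0': 4, '15.1': 8, '15.2': 5, '15.3': 5, '15.4': 7, '15.5': 6, '16.0': 6,
};

// Minimal semver parser: major.minor.patch with an optional prerelease tag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v || '');
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Returns the version to upgrade to, or null when this name/version pair is
// not one of the advisories' vulnerable stable releases. Prereleases are
// skipped (assumption: the article lists stable releases only).
function fixedVersionFor(name, version) {
  const v = parseVersion(version);
  if (!v || v.pre) return null;
  if (REACT_PACKAGES.includes(name)) {
    return REACT_FIXES[version] || null;
  }
  if (name === 'next') {
    const line = `${v.major}.${v.minor}`;
    const last = NEXT_LAST_VULNERABLE[line];
    if (last === undefined) return null; // other lines are not in scope
    return v.patch <= last ? `${line}.${last + 1}` : null;
  }
  return null; // note: "react" itself is not flagged; the flaw is in react-server-dom-*
}

// Walks every installed path, including nested node_modules copies, so a
// vulnerable transitive copy pinned under another package is not missed.
function auditLockfile(lock) {
  const findings = [];
  const marker = 'node_modules/';
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project itself
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    const fixed = fixedVersionFor(name, entry.version);
    if (fixed) findings.push({ path, name, version: entry.version, fixed });
  }
  return findings;
}

// Constructed sample lockfile (not from any real project) for the demo run.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/next': { version: '15.5.6' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/other-tool/node_modules/react-server-dom-turbopack': { version: '19.2.1' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  const findings = auditLockfile(lock);
  for (const f of findings) {
    console.log(`${f.path}: ${f.version} is vulnerable, upgrade to ${f.fixed}`);
  }
  if (findings.length === 0) console.log('no vulnerable React2Shell versions found');
  process.exitCode = findings.length ? 1 : 0;
}

if (typeof module !== 'undefined') {
  module.exports = { parseVersion, fixedVersionFor, auditLockfile, SAMPLE_LOCK };
}
```

On the sample data the script flags next 15.5.6 and react-server-dom-webpack 19.2.0, and leaves react 19.2.0 alone, since the bug lives in the react-server-dom-* packages rather than in react itself. It exits non-zero when anything is flagged, so it can gate a CI job until the lockfile is clean.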
FAQ
What versions of React face React2Shell
Versions 19.0.0, 19.1.0, 19.1.1 and 19.2.0 of react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack
How do Chinese groups exploit it
They send crafted HTTP requests to Server Function endpoints. Unsafe deserialization of the payload executes code on the server without any authentication
Is Next.js affected
Yes. The 15.0 through 15.5 lines up to 15.0.4, 15.1.8, 15.2.5, 15.3.5, 15.4.7 and 15.5.6, plus 16.0.0 through 16.0.6, inherit the flaw via CVE-2025-66478 when the App Router is used
When did exploitation start
Amazon detected attempts from China-nexus actors including Earth Lamia and Jackpot Panda within hours of the December 3 2025 disclosure
How do you patch it
Upgrade React to 19.0.1, 19.1.2 or 19.2.1 and Next.js to 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 or 16.0.7
