State-linked groups target critical vulnerability in React Server Components

Researchers warn that critical vulnerabilities in Meta’s React Server Components and Next.js are being targeted by botnets and state-linked adversaries.

China-nexus threat groups, tracked as Earth Lamia and Jackpot Panda, attempted to exploit a vulnerability in React, tracked as CVE-2025-55182, within a few hours of the flaw being disclosed on Wednesday, according to a blog post released Thursday by CJ Moses, chief information security officer at Amazon.

The vulnerability, dubbed React2Shell, enables an unauthenticated attacker to achieve remote code execution due to unsafe deserialization of payloads sent to React Server Function endpoints. 

Researchers at GreyNoise are reporting opportunistic, mostly automated attempts to exploit React2Shell, according to a blog post published Friday. They are beginning to see a slow migration of the flaw being “added to Mirai and other botnet exploitation kits,” according to GreyNoise. 

The Cybersecurity and Infrastructure Security Agency added the flaw to its Known Exploited Vulnerabilities catalog on Friday.

Researchers at Palo Alto Networks said nearly 970,000 servers run modern frameworks like React and Next.js, and the risk is widespread. 

“This newly discovered flaw is a critical threat because it is a master key exploit, succeeding not by crashing the system, but by abusing its trust in incoming data structures,” said Justin Moore, senior manager of threat intel research at PAN Unit 42. “The system executes the malicious payload with the same reliability as legitimate code because it operates exactly as intended, but on malicious input.”

Security researcher Lachlan Davidson disclosed the vulnerability to React on Nov. 29 through the Meta Bug Bounty program. React issued a patch for the flaw on Wednesday and urged users to apply immediate upgrades. 


