Two hacking groups linked to China have started exploiting a major security flaw in React Server Components (RSC) only hours after the vulnerability became public.
The flaw, tracked as CVE-2025-55182 and widely called React2Shell, allows attackers to gain unauthenticated remote code execution, potentially giving them full control over vulnerable servers.
The security bug has a maximum CVSS score of 10.0, which represents the highest level of severity. It has been fixed in React versions 19.0.1, 19.1.2 and 19.2.1, and developers are being urged to update immediately.
According to a report shared by Amazon Web Services, two China-nexus groups named Earth Lamia and Jackpot Panda were seen attempting to exploit the flaw through AWS honeypot systems.
AWS said the activity was coming from infrastructure previously tied to state-linked cyber actors.
Earth Lamia has previously targeted organizations across financial services, logistics, retail, IT, universities and government sectors across Latin America, the Middle East and Southeast Asia.
Jackpot Panda has mainly focused on sectors connected to online gambling in East and Southeast Asia and has used supply chain attacks to gain access. The group was tied to the 2022 compromise of the Comm100 chat application and has used trojanized installers to spread malware.
AWS also noted that attackers have been exploiting the React vulnerability alongside older bugs, including flaws in NUUO camera systems. Early attacks have attempted to run discovery commands, create files and read sensitive information from servers.
Security researchers say the trend shows how fast attackers now operate: they monitor new vulnerability announcements and add exploits to their scanning tools immediately to increase their chances of finding unpatched systems.
A brief global outage at Cloudflare this week added to industry concern. Cloudflare confirmed that a change to its Web Application Firewall, introduced to help protect customers from the newly disclosed React flaw, caused disruption that led many websites to return “500 Internal Server Error” messages.
The company stressed that the outage was not the result of a cyberattack.
The scale of the React vulnerability is a major concern because millions of websites rely on React and Next.js, including large brands such as Airbnb and Netflix.
Security researchers estimate that about 39 percent of cloud environments contain vulnerable React components. A working proof-of-concept exploit is already available on GitHub, raising fears of mass exploitation.
Experts warn that even projects that do not intentionally use server-side functions may still be exposed because the affected components can remain enabled by default.
Cybersecurity firms and cloud providers are urging organizations to take action immediately:
- Apply official patches for React, Next.js and related RSC frameworks.
- Enable updated Web Application Firewall rules from providers including AWS, Cloudflare, Google Cloud, Akamai and Vercel.
- Review logs for signs of compromise, including suspicious file creation, attempts to read sensitive data or reconnaissance behavior.
Although widespread exploitation has not yet been confirmed publicly, experts warn that attackers are already scanning the internet at scale.