React2Shell Vulnerability Exploitation Surges, Affecting U.S. Systems
A critical vulnerability in the React library, known as React2Shell (CVE-2025-55182), is being actively exploited by threat actors. The vulnerability allows unauthenticated remote code execution through specially crafted HTTP requests. It specifically impacts systems using React version 19 with React Server Components (RSC). The flaw was disclosed on December 3, following a patch release by Meta, the maintainer of React. The vulnerability affects not only React but also frameworks like Next.js, Waku, React Router, and RedwoodSDK.

Although only this niche setup is affected, the vulnerability has been exploited by at least two China-linked threat actors, Earth Lamia and Jackpot Panda, since its disclosure. The Shadowserver Foundation reported over 77,000 IPs hosting vulnerable React instances, with significant numbers in the U.S., China, Germany, and India. Security firms have observed various malicious activities, including scanning for vulnerable instances, theft of AWS credentials, and deployment of malware.