Within hours of its December 3, 2025 disclosure, Chinese state-sponsored hackers were already exploiting it. React2Shell (CVE-2025-55182)—a critical 10.0 CVSS vulnerability in React Server Components—has left 90,300 Next.js applications exposed to unauthenticated remote code execution. The worst part? A default Next.js app is vulnerable out of the box, and sophisticated threat actors like Earth Lamia and Jackpot Panda wasted no time weaponizing it.
A Maximum-Severity Flaw in the React Ecosystem
React2Shell targets React 19.x and Next.js 15.x/16.x applications using the App Router. The root cause is unsafe deserialization in the React Server Components (RSC) protocol—specifically, the React Flight Protocol that handles server-client communication. When attackers send a crafted POST request, the backend deserializes malicious payloads that chain internal gadgets to access the Function constructor, resulting in arbitrary code execution under Node.js.
This isn’t a theoretical edge case. A standard Next.js app created with create-next-app and built for production is exploitable with zero code changes by developers. As of December 31, 2025, 90,300 instances remain vulnerable worldwide, with 68,400 in the United States alone. Wiz Research found that 39% of cloud environments contain vulnerable instances.
State-Sponsored Actors Moved in Hours, Not Days
Responsibly disclosed to Meta on November 29, 2025, React2Shell became public on December 3. By December 5—just two days later—AWS threat intelligence teams observed active exploitation by multiple China-nexus groups, including Earth Lamia and Jackpot Panda.
Earth Lamia has a history of targeting financial services, logistics, retail, and government organizations across Latin America, the Middle East, and Southeast Asia. Jackpot Panda, active since at least 2020, focuses on East and Southeast Asia with documented supply chain compromises. Both groups leveraged a mix of public exploits, manual testing, and real-time troubleshooting—backed by large-scale anonymization networks to obscure attribution.
The primary payloads? Cryptocurrency miners. Attackers deployed UPX-packed XMRig variants, established persistence via /etc/crontab, and eliminated competing miners to dominate compromised hosts.
RondoDox Botnet Escalates a 9-Month Campaign
React2Shell also became a new weapon for the RondoDox botnet, which has been running a persistent campaign since March 2025 targeting IoT devices and web applications. In late December, RondoDox launched over 40 React2Shell exploit attempts in just six days.
RondoDox’s sophistication is striking. It terminates competing coin miners, removes artifacts from previous attacks, scrubs Docker-based payloads left by other threat actors, and masquerades as legitimate system processes like systemd-devd to blend into container environments. This isn’t opportunistic—it’s strategic.
No Workarounds, Only Patches
There are no workarounds for React2Shell; upgrading to a patched version is mandatory. Next.js released fixes across multiple release lines (affected range → fixed release):
- 15.0.0 – 15.0.4 → 15.0.5
- 15.1.0 – 15.1.8 → 15.1.9
- 15.2.0 – 15.2.5 → 15.2.6
- 15.3.0 – 15.3.5 → 15.3.6
- 15.4.0 – 15.4.7 → 15.4.8
- 15.5.0 – 15.5.6 → 15.5.7
- 16.0.0 – 16.0.6 → 16.0.7
An automated fix tool is available: npx fix-react2shell-next. After patching and redeployment, rotate all application secrets. Good news for legacy users: Next.js 13.x and 14.x stable releases are not affected, nor are applications using the Pages Router or Edge Runtime.
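As an added example (not part of the original post and not the fix-react2shell-next tool), the following script maps an installed Next.js version to the fixed release in the table above, reading the resolved version from a package-lock.json object; the lockfile shape, the sample version and the handling of prerelease builds are assumptions.

```javascript
const AFFECTED_RANGES = [
  // [first affected, last affected, fixed release], exactly as listed in the post
  ["15.0.0", "15.0.4", "15.0.5"],
  ["15.1.0", "15.1.8", "15.1.9"],
  ["15.2.0", "15.2.5", "15.2.6"],
  ["15.3.0", "15.3.5", "15.3.6"],
  ["15.4.0", "15.4.7", "15.4.8"],
  ["15.5.0", "15.5.6", "15.5.7"],
  ["16.0.0", "16.0.6", "16.0.7"],
];

// Parse "major.minor.patch" with an optional prerelease/build suffix (loose semver).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] !== undefined };
}

function compareParts(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns { status, fixedVersion }. Prerelease builds (canary etc.) are an
// assumption: reported as "unknown" so nobody trusts an automatic "safe" for them.
function checkNextVersion(version) {
  const v = parseVersion(version);
  if (v.prerelease) return { status: "unknown", fixedVersion: null };
  for (const [lo, hi, fixed] of AFFECTED_RANGES) {
    const inRange = compareParts(v.parts, parseVersion(lo).parts) >= 0 &&
                    compareParts(v.parts, parseVersion(hi).parts) <= 0;
    if (inRange) return { status: "affected", fixedVersion: fixed };
  }
  // 13.x/14.x stable and already-patched releases land here (per the post).
  return { status: "not-in-affected-range", fixedVersion: null };
}

// Pull the resolved "next" version out of a lockfileVersion 3 package-lock.json object.
function checkLockfile(lock) {
  const entry = lock.packages && lock.packages["node_modules/next"];
  if (!entry || !entry.version) return { status: "next-not-found", fixedVersion: null };
  return { installed: entry.version, ...checkNextVersion(entry.version) };
}

// Constructed sample lockfile fragment (not from any real project).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: { "node_modules/next": { version: "15.4.3" } } };
console.log(checkLockfile(SAMPLE_LOCK)); // { installed: '15.4.3', status: 'affected', fixedVersion: '15.4.8' }
```

A version check only covers the table above: the post notes that Pages Router and Edge Runtime apps are not affected regardless of version, which this script cannot see.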
The Broader Security Reckoning
React2Shell exposes uncomfortable truths about modern development. Default trust models in React Server Components assumed safety where none existed. Framework defaults prioritized developer convenience over security. And when vulnerabilities emerge in cutting-edge tech like RSC, the supply chain impact is immediate and global.
Developers shouldn’t shoulder this alone. Frameworks must adopt secure-by-default configurations. Security audits should be part of every release cycle. And education around new technologies—especially server-client trust boundaries—needs to be proactive, not reactive.
If you’re running Next.js with the App Router, patch now. State-sponsored actors don’t wait for you to read the advisory. They’re already inside.