**AWS Warns of China-Linked Threat Actors Exploiting React2Shell Vulnerability Hours After Disclosure**
AWS Security has issued a warning that multiple China-linked threat actors began exploiting CVE-2025-55182, also known as the React2Shell flaw, within hours of its disclosure. The vulnerability affects React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, including the packages react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack.
According to AWS Security, the threat actors are using automated scanners and PoC exploits to target the vulnerability, which allows for pre-authentication remote code execution. The researchers confirmed that this vulnerability does not affect AWS services, but they chose to share threat intelligence data to help customers running React or Next.js applications in their own environments take immediate action.
The vulnerability is caused by React Server Components deserializing data from HTTP requests to Server Function endpoints without proper safety checks. Lachlan Davidson reported the vulnerability to React on November 29th, explaining that unsafe payload decoding in Server Function endpoints allows unauthenticated code execution. Apps using React Server Components may be exposed even if they expose no Server Function endpoints.
Versions 19.0.1, 19.1.2, and 19.2.1 have addressed the flaw. AWS Security observed exploitation attempts in AWS MadPot coming from infrastructure tied to China-linked groups Earth Lamia and Jackpot Panda. These groups typically exploit web app flaws to target organizations across LATAM, the Middle East, and Southeast Asia.
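Because any installed copy of the three packages at an affected version leaves an app exposed, including nested copies pulled in by a framework, a remediation check needs to walk the whole dependency tree rather than only top-level dependencies. The following is an added example (not code from AWS or the React project) that audits a parsed npm `package-lock.json` (lockfileVersion 2/3) against the affected and fixed versions listed above; the sample lockfile is constructed for illustration.

```javascript
// Added example: audit an npm package-lock.json (lockfileVersion 2/3) for the
// React Server Components packages named in the advisory and classify every
// installed copy against the affected and fixed versions the article lists.
const AFFECTED_PACKAGES = new Set([
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
  'react-server-dom-webpack',
]);
const AFFECTED_VERSIONS = new Set(['19.0.0', '19.1.0', '19.1.1', '19.2.0']);
const FIXED_VERSIONS = new Set(['19.0.1', '19.1.2', '19.2.1']);

// 'affected', 'fixed', or 'unknown' (a release not named in the advisory,
// e.g. a pre-release or canary build; treat 'unknown' as needing manual review).
function classifyVersion(version) {
  if (AFFECTED_VERSIONS.has(version)) return 'affected';
  if (FIXED_VERSIONS.has(version)) return 'fixed';
  return 'unknown';
}

// Walk the "packages" map of a parsed package-lock.json. Keys look like
// "node_modules/react-server-dom-webpack" or, for nested copies,
// "node_modules/<dep>/node_modules/react-server-dom-webpack"; the package
// name is whatever follows the last "node_modules/" segment.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue; // the root project entry has the key ""
    const name = path.slice(idx + 'node_modules/'.length);
    if (!AFFECTED_PACKAGES.has(name) || !entry.version) continue;
    findings.push({ path, name, version: entry.version, status: classifyVersion(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile: a patched top-level copy plus a vulnerable
// nested copy that a top-level-only check (e.g. reading package.json) would miss.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.1' },
    'node_modules/some-framework/node_modules/react-server-dom-webpack': { version: '19.1.1' },
    'node_modules/react': { version: '19.2.1' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(8)} ${f.name}@${f.version}  (${f.path})`);
}
```

In a real audit, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; any `affected` or `unknown` finding, at whatever depth, means the install still needs to be moved to 19.0.1, 19.1.2, or 19.2.1.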
Earth Lamia and Jackpot Panda operate through large shared anonymization networks widely used in Chinese cyber operations, which mask attacker identity and make precise attribution difficult. "Our analysis of exploitation attempts in AWS MadPot honeypot infrastructure has identified exploitation activity from IP addresses and infrastructure historically linked to known China state-nexus threat actors," reads the report published by AWS Security.
"Large-scale anonymization networks have become a defining characteristic of Chinese cyber operations, enabling reconnaissance, exploitation, and command-and-control activities while obscuring attribution. These networks are used by multiple threat groups simultaneously, making it difficult to attribute specific activities to individual actors."
Most unattributed activity uses China-linked ASNs, indicating the region as the main source. Groups rapidly weaponize public PoCs as soon as they appear online. Threat actors use automated scanners and PoC exploits to target CVE-2025-55182 and other N-days like CVE-2025-1338, rapidly integrating public exploits and running broad multi-CVE campaigns.
Many public PoCs are flawed, yet still used, reflecting a focus on speed, volume, and low entry barriers. Failed attempts create significant log noise, potentially masking more sophisticated attacks. "Analysis of data from MadPot reveals the persistent nature of these exploitation attempts," concludes the report. "In one notable example, an unattributed threat cluster associated with IP address 183[.]6.80.214 spent nearly an hour (from 2:30:17 AM to 3:22:48 AM UTC on December 4, 2025) systematically troubleshooting exploitation attempts."
This behavior demonstrates that threat actors aren't just running automated scans, but are actively debugging and refining their exploitation techniques against live targets.