Amazon: China-nexus cyber threat groups rapidly exploit React2Shell vulnerability (CVE-2025-55182)

Within hours of the public disclosure of CVE-2025-55182 (React2Shell) on December 3, 2025, Amazon threat intelligence teams observed active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda. This critical vulnerability in React Server Components has a maximum Common Vulnerability Scoring System (CVSS) score of 10.0 and affects React versions 19.x and Next.js versions 15.x and 16.x when using App Router. While this vulnerability doesn’t affect AWS services, we are sharing this threat intelligence to help customers running React or Next.js applications in their own environments take immediate action.

China continues to be the most prolific source of state-sponsored cyber threat activity, with threat actors routinely operationalizing public exploits within hours or days of disclosure. Through monitoring in our AWS MadPot honeypot infrastructure, Amazon threat intelligence teams have identified both known groups and previously untracked threat clusters attempting to exploit CVE-2025-55182. AWS has deployed multiple layers of automated protection through Sonaris active defense, AWS WAF managed rules (AWSManagedRulesKnownBadInputsRuleSet version 1.24 or higher), and perimeter security controls. However, these protections aren’t substitutes for patching. Customers using managed AWS services aren’t affected, and no action is required. Customers running React or Next.js in their own environments (Amazon Elastic Compute Cloud (A

Source: https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/

Amazon TPRM report: https://www.rankiteo.com/company/amazon

"id": "ama1765177783",
"linkid": "amazon",
"type": "Vulnerability",
"date": "12/2025",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
{'affected_entities': [{'type': 'Customer environments'}],
 'attack_vector': 'Remote Code Execution (RCE)',
 'customer_advisories': 'Customers using managed AWS services are not '
                        'affected. Customers running React/Next.js in their '
                        'own environments must patch immediately.',
 'date_detected': '2025-12-03',
 'date_publicly_disclosed': '2025-12-03',
 'description': 'Amazon threat intelligence teams observed active exploitation '
                'attempts by multiple China state-nexus threat groups, '
                'including Earth Lamia and Jackpot Panda, within hours of the '
                'public disclosure of CVE-2025-55182 (React2Shell). This '
                'critical vulnerability affects React versions 19.x and '
                'Next.js versions 15.x and 16.x when using App Router.',
 'impact': {'systems_affected': 'React versions 19.x and Next.js versions 15.x '
                                'and 16.x using App Router'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'China state-sponsored threat actors rapidly '
                    'operationalize public exploits (within hours/days of '
                    'disclosure). Automated protections are not substitutes '
                    'for patching.',
 'motivation': 'State-sponsored cyber operations',
 'post_incident_analysis': {'corrective_actions': 'Patch affected '
                                                  'React/Next.js versions, '
                                                  'implement AWS WAF managed '
                                                  'rules, and monitor for '
                                                  'exploitation attempts.',
                            'root_causes': 'Unpatched vulnerability in React '
                                           'Server Components '
                                           '(CVE-2025-55182)'},
 'recommendations': 'Customers running React or Next.js in their own '
                    'environments should immediately patch affected versions. '
                    'AWS managed services are not affected.',
 'references': [{'source': 'Amazon Threat Intelligence'}],
 'response': {'adaptive_behavioral_waf': 'Sonaris active defense',
              'communication_strategy': 'Public threat intelligence sharing',
              'containment_measures': 'AWS WAF managed rules '
                                      '(AWSManagedRulesKnownBadInputsRuleSet '
                                      'version 1.24 or higher), perimeter '
                                      'security controls',
              'enhanced_monitoring': 'AWS MadPot honeypot infrastructure',
              'remediation_measures': 'Patching required for affected '
                                      'React/Next.js versions'},
 'stakeholder_advisories': 'AWS has deployed automated protections, but '
                           'patching is required for customer-managed '
                           'environments.',
 'threat_actor': ['Earth Lamia',
                  'Jackpot Panda',
                  'Previously untracked threat clusters'],
 'title': 'Exploitation of CVE-2025-55182 (React2Shell) in React Server '
          'Components',
 'type': 'Exploitation of Zero-Day Vulnerability',
 'vulnerability_exploited': 'CVE-2025-55182 (React2Shell)'}