Meta: State-linked groups target critical vulnerability in React Server Components

Researchers warn that critical vulnerabilities in Meta’s React Server Components and Next.js are under threat from botnets and state-linked adversaries.

China-nexus threat groups, tracked as Earth Lamia and Jackpot Panda, attempted to exploit a React vulnerability tracked as CVE-2025-55182 within a few hours of the flaw being disclosed on Wednesday, according to a blog post released Thursday by CJ Moses, chief information security officer at Amazon.

The vulnerability, dubbed React2Shell, enables an unauthenticated attacker to achieve remote code execution due to unsafe deserialization of payloads sent to React Server Function endpoints.

Researchers at GreyNoise are reporting opportunistic, mostly automated attempts to exploit React2Shell, according to a blog post published Friday. GreyNoise also sees early signs of the flaw being “added to Mirai and other botnet exploitation kits.”

The Cybersecurity and Infrastructure Security Agency added the flaw to its Known Exploited Vulnerabilities catalog on Friday.

Researchers at Palo Alto Networks said nearly 970,000 servers run modern frameworks like React and Next.js, and the risk is widespread.

“This newly discovered flaw is a critical threat because it is a master key exploit, succeeding not by crashing the system, but by abusing its trust in incoming data structures,” said Justin Moore, senior manager of threat intel research at PAN Unit 42. “The system executes the malicious payload w

Source: https://www.cybersecuritydive.com/news/state-linked-critical-vulnerability-react-server/807228/

Meta cybersecurity rating report: https://www.rankiteo.com/company/meta

{
"id": "MET1764979506",
"linkid": "meta",
"type": "Vulnerability",
"date": "12/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'incident': {'affected_entities': [{'customers_affected': None,
                                     'industry': 'Software/Technology',
                                     'location': None,
                                     'name': 'Meta (React Server Components)',
                                     'size': None,
                                     'type': 'Technology'},
                                    {'customers_affected': None,
                                     'industry': 'Software/Technology',
                                     'location': None,
                                     'name': 'Next.js',
                                     'size': None,
                                     'type': 'Technology'}],
              'attack_vector': 'Unsafe deserialization of payloads',
              'data_breach': {'data_encryption': None,
                              'data_exfiltration': None,
                              'file_types_exposed': None,
                              'number_of_records_exposed': None,
                              'personally_identifiable_information': None,
                              'sensitivity_of_data': None,
                              'type_of_data_compromised': None},
              'date_publicly_disclosed': '2025-01-08',
              'description': 'Critical vulnerabilities in Meta’s React Server '
                             'Components and Next.js are under threat from '
                             'botnets and state-linked adversaries. The '
                             'vulnerability, tracked as CVE-2025-55182 '
                             '(React2Shell), enables unauthenticated remote '
                             'code execution due to unsafe deserialization of '
                             'payloads sent to React Server Function '
                             'endpoints.',
              'impact': {'brand_reputation_impact': None,
                         'conversion_rate_impact': None,
                         'customer_complaints': None,
                         'data_compromised': None,
                         'downtime': None,
                         'financial_loss': None,
                         'identity_theft_risk': None,
                         'legal_liabilities': None,
                         'operational_impact': 'Potential unauthorized remote '
                                               'code execution on affected '
                                               'servers',
                         'payment_information_risk': None,
                         'revenue_loss': None,
                         'systems_affected': 'React Server Components, Next.js '
                                             'frameworks'},
              'initial_access_broker': {'backdoors_established': None,
                                        'data_sold_on_dark_web': None,
                                        'entry_point': None,
                                        'high_value_targets': None,
                                        'reconnaissance_period': None},
              'investigation_status': 'Ongoing',
              'motivation': 'Exploitation for remote code execution, potential '
                            'data exfiltration, and botnet integration',
              'post_incident_analysis': {'corrective_actions': None,
                                         'root_causes': 'Unsafe '
                                                        'deserialization of '
                                                        'payloads in React '
                                                        'Server Function '
                                                        'endpoints'},
              'ransomware': {'data_encryption': None,
                             'data_exfiltration': None,
                             'ransom_demanded': None,
                             'ransom_paid': None,
                             'ransomware_strain': None},
              'references': [{'date_accessed': '2025-01-09',
                              'source': 'Amazon CISO Blog Post (CJ Moses)',
                              'url': None},
                             {'date_accessed': '2025-01-10',
                              'source': 'GreyNoise Blog Post',
                              'url': None},
                             {'date_accessed': None,
                              'source': 'Palo Alto Networks Unit 42',
                              'url': None},
                             {'date_accessed': '2025-01-10',
                              'source': 'CISA Known Exploited Vulnerabilities '
                                        'Catalog',
                              'url': None}],
              'regulatory_compliance': {'fines_imposed': None,
                                        'legal_actions': None,
                                        'regulations_violated': None,
                                        'regulatory_notifications': 'CISA '
                                                                    'Known '
                                                                    'Exploited '
                                                                    'Vulnerabilities '
                                                                    'catalog'},
              'response': {'adaptive_behavioral_waf': None,
                           'communication_strategy': None,
                           'containment_measures': None,
                           'enhanced_monitoring': None,
                           'incident_response_plan_activated': None,
                           'law_enforcement_notified': None,
                           'network_segmentation': None,
                           'on_demand_scrubbing_services': None,
                           'recovery_measures': None,
                           'remediation_measures': None,
                           'third_party_assistance': None},
              'threat_actor': ['Earth Lamia',
                               'Jackpot Panda',
                               'Mirai botnet',
                               'China-nexus threat groups'],
              'title': 'React2Shell Vulnerability Exploitation',
              'type': 'Remote Code Execution (RCE)',
              'vulnerability_exploited': 'CVE-2025-55182 (React2Shell)'}}