The Vulnerability
CVE-2025-55182, known as React2Shell, is a critical pre-authentication remote code execution vulnerability affecting React Server Components as implemented in Next.js and related frameworks. With a CVSS score of 10.0, the flaw allows attackers to execute arbitrary server-side code via a single malicious HTTP request with no authentication, no special configuration required, and no user interaction.
The vulnerability was publicly disclosed on 3 December 2025. Within hours, Google Threat Intelligence Group (GTIG) observed active exploitation across multiple threat clusters. Three months later, exploitation has intensified rather than subsided: over 77,000 internet-exposed vulnerable instances remain unpatched, and the breach count continues to grow.
Threat Actor Activity: China-Nexus and Criminal Groups
Amazon threat intelligence teams identified active exploitation by multiple China-state-nexus threat groups, including clusters tracked as Earth Lamia and Jackpot Panda, within hours of public disclosure. This is characteristic of China-affiliated groups, which have repeatedly demonstrated pre-positioned tooling ready to deploy against newly disclosed high-severity vulnerabilities.
The attack pattern observed by Amazon and Google researchers:
- Automated scanner identifies Next.js servers running vulnerable React Server Components versions
- Attacker sends a crafted HTTP request triggering server-side code execution
- Initial payload performs reconnaissance and harvests the server's environment variables
- High-value targets receive secondary payloads; automated targets receive credential harvesting scripts
Palo Alto Networks confirmed more than 30 organisations across technology, financial services, and cloud infrastructure sectors have been breached via React2Shell, with attackers specifically targeting AWS configuration and credential files, database connection strings, and SSH private keys.
Why React2Shell Has a Long Tail
React Server Components power a significant fraction of modern enterprise web applications. Next.js, the primary framework implementing React Server Components, is used extensively across:
- E-commerce platforms and retail portals
- Financial services customer-facing applications
- SaaS product frontends
- Corporate portals and partner portals
Many organisations deploying Next.js applications do so via managed cloud services (Vercel, AWS Amplify, cloud-native Kubernetes deployments) where the framework version may not be immediately visible to internal security teams, creating inventory visibility gaps that delay patching.
The LexisNexis incident: One confirmed high-profile breach attributed to React2Shell involved LexisNexis Legal & Professional in early March 2026. Attackers exploited an unpatched React frontend application to gain access to the company's AWS infrastructure, with subsequent data exfiltration.
Affected Versions and Patching
The vulnerability affects all Next.js versions prior to the patches released in December 2025. Vercel, the primary maintainer, released a patched version immediately following disclosure. However, many organisations manage their own Next.js deployments and may not have applied the framework update.
Recommended Actions
- Inventory all Next.js and React Server Component deployments across your environment, including applications managed by product engineering teams that may not be tracked in central IT inventories
- Verify the Next.js version in each deployment and confirm it is running a patched version (post-December 2025 release)
- Review AWS credential access logs for applications backed by React/Next.js frontends; look for unexpected API calls or credential usage from web server IP ranges
- Apply WAF rules to block React2Shell exploit patterns while patching is in progress; security vendors have published signatures, and Cloudflare, AWS WAF, and ModSecurity rule sets are available
- Audit environment variables in deployed Next.js applications; remove any secrets that do not need to be present in the application's runtime environment, following least-privilege principles
- Rotate cloud credentials for any application that was running a vulnerable version while internet-exposed, regardless of whether direct exploitation can be confirmed
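The AWS credential log review recommended above, worked through as an added Python example (not code from the article or from any vendor): it reads CloudTrail-style records and flags two patterns tied to the React2Shell attack chain, reconnaissance API calls made from the web tier that the application never normally makes, and the application's own role credentials used from an IP outside the web tier, which is what harvested environment-variable credentials look like once an attacker reuses them. The role name, the web-tier CIDR, the expected-call set and all log records are constructed assumptions.

```python
import ipaddress

# Constructed CloudTrail-style records (not real log data). Field names follow the
# CloudTrail record schema; role name, account id, IPs and timestamps are invented.
APP_ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/nextjs-app-role/i-0abc"
SAMPLE_RECORDS = [
    {"eventTime": "2025-12-04T01:10:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.20.1.15",
     "userIdentity": {"arn": APP_ROLE_ARN}},          # normal app behaviour
    {"eventTime": "2025-12-04T01:11:30Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "10.20.1.15",
     "userIdentity": {"arn": APP_ROLE_ARN}},          # recon from the web server
    {"eventTime": "2025-12-04T01:12:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "sourceIPAddress": "10.20.1.15",
     "userIdentity": {"arn": APP_ROLE_ARN}},          # recon from the web server
    {"eventTime": "2025-12-04T02:40:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"arn": APP_ROLE_ARN}},          # app creds reused elsewhere
]

# Assumed baseline for this application: where its servers live and what it calls.
WEB_TIER = [ipaddress.ip_network("10.20.1.0/24")]
EXPECTED_CALLS = {("s3.amazonaws.com", "GetObject"), ("dynamodb.amazonaws.com", "Query")}
APP_ROLE = "nextjs-app-role"


def from_web_tier(ip, web_tier=WEB_TIER):
    """True if the source IP is inside one of the web-tier ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # CloudTrail also records AWS service names here, not only IPs
    return any(addr in net for net in web_tier)


def review_records(records, web_tier=WEB_TIER, expected=EXPECTED_CALLS, role=APP_ROLE):
    """Return (finding_type, eventTime, sourceIP, (eventSource, eventName)) tuples."""
    findings = []
    for rec in records:
        arn = rec.get("userIdentity", {}).get("arn", "")
        if f":assumed-role/{role}/" not in arn:
            continue  # only credentials belonging to the Next.js app role matter here
        call = (rec["eventSource"], rec["eventName"])
        ip = rec["sourceIPAddress"]
        if not from_web_tier(ip, web_tier):
            findings.append(("credential_use_outside_web_tier", rec["eventTime"], ip, call))
        elif call not in expected:
            findings.append(("unexpected_api_call_from_web_tier", rec["eventTime"], ip, call))
    return findings
```

On the sample records this yields three findings: the two reconnaissance calls from 10.20.1.15 and the ListBuckets call from 198.51.100.77 using the application's role.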