
Introduction

On December 3, 2025, a significant unauthenticated remote code execution (RCE) vulnerability in React Server Components was publicly disclosed. Identified as CVE-2025-55182 and commonly referred to as "React2Shell," the flaw was rapidly exploited by a wide range of adversaries, from opportunistic criminals to sophisticated espionage groups. Soon after disclosure, the Google Threat Intelligence Group (GTIG) began documenting widespread exploitation across multiple threat clusters, underscoring the urgency of the issue.

CVE-2025-55182 Overview

CVE-2025-55182 carries the maximum CVSS v3.x score of 10.0, indicating an extreme risk to affected systems. It allows an unauthenticated attacker to execute arbitrary code with the privileges of the affected server's user by sending a single HTTP request. GTIG considers the vulnerability especially concerning because it affects widely used frameworks such as Next.js that build on React Server Components, and because many organizations are likely still running unpatched versions.

Two factors significantly widen the exploitation opportunity: the diversity of valid payload types, and the fact that a vulnerable package can often be exploited simply by being present on a system. Specifically, React Server Components versions 19.0, 19.1.0, 19.1.1, and 19.2.0 contain this vulnerability.

The Disinformation Challenge

In the days following disclosure, the internet saw a surge of both legitimate and fraudulent exploit claims. Some repositories, such as the one published by GitHub user ejpir, initially presented non-functional exploits and later acknowledged that the code was AI-generated and inaccurate. Amid this confusion, the amount of actionable exploit code has nonetheless increased, including capabilities such as in-memory Next.js web shell deployment. Researchers are urged to verify exploit code rigorously before treating its claimed capabilities as legitimate.

Furthermore, while a separate CVE for Next.js (CVE-2025-66478) was initially issued, it has since been marked as a duplicate of CVE-2025-55182.

Observed Exploitation Activity

Since exploitation began on December 3, GTIG has cataloged a variety of payloads and post-compromise behaviors across numerous industries and regions. The focus here is primarily on activity linked to China-nexus espionage and financially motivated groups, although Iran-nexus actors have also been observed exploiting this vulnerability.

China-Nexus Activity

By December 12, GTIG identified several China-linked threat clusters utilizing CVE-2025-55182 to infiltrate networks on a global scale. For instance, Amazon Web Services (AWS) has reported that China-nexus groups like Earth Lamia and Jackpot Panda are exploiting this vulnerability. GTIG tracks the Earth Lamia group under the identifier UNC5454, but public indicators regarding Jackpot Panda are currently unavailable.

MINOCAT

One of the observed methods by the China-nexus espionage cluster UNC6600 involved deploying the MINOCAT tunneler via exploiting CVE-2025-55182. The process begins with fetching and executing a bash script that sets up a hidden directory ($HOME/.systemd-utils), terminates processes named ntpclient, downloads the MINOCAT binary, and ensures persistence through cron jobs and systemd services. MINOCAT functions as a 64-bit ELF executable for Linux, incorporating a custom "NSS" wrapper and an embedded Fast Reverse Proxy (FRP) client for tunneling.

SNOWLIGHT

Separate incidents have involved another China-linked actor, UNC6586, which leveraged the vulnerability to execute cURL or wget commands. These retrieved a script that in turn downloaded and executed a SNOWLIGHT downloader payload. This downloader is part of VSHELL, a widely available, multi-platform backdoor written in Go that has been adopted by various threat actors for diverse objectives. SNOWLIGHT was observed making HTTP GET requests to command-and-control (C2) infrastructure, such as reactcdn.windowserrorapis[.]com, to fetch additional payloads disguised as legitimate files.

Final Remarks

The ramifications of CVE-2025-55182 are profound, particularly for organizations that may not realize they are running unpatched React and Next.js versions. As the exploitation landscape continues to evolve, cybersecurity and IT professionals must stay vigilant, informed, and proactive in fortifying their defenses against this and similar threats. For further insight into the mitigation and protective measures employed by Google, refer to the blog post "Responding to CVE-2025-55182: Secure your React and Next.js workloads."
