Patch now! Attacks on React2Shell vulnerability are starting
Due to ongoing attacks, admins should update their React servers promptly.
Public exploit code has barely started circulating, and the first reports of attacks on React servers are already emerging. Security patches are available.
Background
The "critical" vulnerability (CVE-2025-55182, CVSS score 10 out of 10) has only been known for a few days and exclusively affects React servers. Attacks are said to be possible remotely and without authentication. By sending crafted HTTP requests, attackers can push malicious code onto systems and thus completely compromise them.
The developers state that they have closed the vulnerability in React versions 19.0.1, 19.1.2, and 19.2.1.
Ongoing Attacks
As a post by a security researcher on X shows, exploit code is now circulating. At the same time, Amazon AWS's IT security team is already reporting the first attacks. They state in a post that their AWS services are not affected by the vulnerability.
The AWS security researchers attribute the attacks to state-sponsored Chinese or China-friendly threat actors such as Earth Lamia and Jackpot Panda. These groups are primarily targeting government institutions and critical infrastructure in the energy sector worldwide.
The groups are said to proceed extremely professionally and swiftly. According to the researchers, they use automated scanning and attack tools, among other things. They also constantly refine their attack techniques to increase their success rate. The extent of the attacks and whether they are geographically limited is currently unknown.
Admins should act immediately and protect their React servers with security patches. In their post, the security researchers list parameters (Indicators of Compromise, IoC) that admins can use to identify systems that have already been attacked.
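To find installations that still need the patch, the following added example (not code from the article or the React project) checks an npm lockfile against the fixed releases named above, including nested copies pulled in by dependencies. The watched package names, the sample lockfile and the assumption that later patch releases of a line keep the fix are this example's own.

```javascript
// Fixed releases as named in the article, keyed by "major.minor" release line.
const FIXED = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };
// Assumption: package names to inspect; extend with the React server packages you ship.
const WATCHED = ["react", "react-dom"];

// Classify one installed version against the fixed release of its release line.
// Assumption: a later patch release in the same line still contains the fix.
function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(String(version));
  if (!m) return { status: "unknown", fixed: null };
  const fixed = FIXED[`${m[1]}.${m[2]}`];
  if (!fixed) return { status: "unlisted", fixed: null }; // article names no fix for this line
  if (m[4]) return { status: "review", fixed };           // pre-release build: check by hand
  const fixedPatch = Number(fixed.split(".")[2]);
  return { status: Number(m[3]) >= fixedPatch ? "patched" : "update", fixed };
}

// Walk the "packages" map of an npm lockfile (v2/v3), nested node_modules included.
function auditLockfile(lock, watched = WATCHED) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // root project entry
    const name = path.slice(idx + "node_modules/".length);
    if (!watched.includes(name)) continue;
    findings.push({ path, name, version: meta.version, ...classify(meta.version) });
  }
  return findings;
}

// Constructed sample lockfile for the demonstration (not real project data).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.1.2" },
    "node_modules/react-dom": { version: "19.1.1" },
    "node_modules/widget/node_modules/react": { version: "19.0.0" },
    "node_modules/legacy/node_modules/react": { version: "18.3.1" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  const hint = f.status === "update" ? ` -> install ${f.fixed} or later` : "";
  console.log(`${f.status.padEnd(8)} ${f.name}@${f.version} (${f.path})${hint}`);
}
```

In a real project, pass the parsed contents of `package-lock.json` to `auditLockfile` instead of the sample object.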
(des)