A critical vulnerability in React Server Components has been rapidly exploited by multiple China-nexus threat groups, including Earth Lamia and Jackpot Panda, just hours after its public disclosure on December 3, 2025. The React2Shell (CVE-2025-55182) vulnerability has a maximum Common Vulnerability Scoring System (CVSS) score of 10.0 and affects React versions 19.x and Next.js versions 15.x and 16.x when using App Router.
This vulnerability doesn’t affect AWS services, but we’re sharing this threat intelligence to help customers running React or Next.js applications in their own environments take immediate action. We’ve identified exploitation attempts by IP addresses associated with known China-nexus threat actors, including Earth Lamia and Jackpot Panda.
Customers using managed AWS services are not affected and need to take no action. Customers running React or Next.js in their own environments, however, must update vulnerable applications immediately.
AWS has deployed multiple layers of automated protection through Sonaris active defense, AWS WAF managed rules, and perimeter security controls. Customers should take the following recommended actions immediately to protect themselves:
1. Update vulnerable React/Next.js applications using the provided patches.
2. Deploy a custom AWS WAF rule for interim protection.
3. Review application and web server logs for suspicious activity.
Note: These protections are not substitutes for patching.
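As an added example (not code from the AWS post), the following Node script triages a project's package.json and resolved dependency versions against the affected ranges named above; the status labels, the `usesAppRouter` flag, and the sample project are assumptions for illustration.

```javascript
// Added example, not code from the AWS post. Triage a project's React and
// Next.js versions against the ranges the advisory names as affected by
// CVE-2025-55182 (React2Shell): React 19.x, and Next.js 15.x / 16.x when the
// App Router is in use. The post does not list the patched point releases,
// so a hit means "compare against the vendor patch list", not "confirmed
// vulnerable".

// Assumption: affected major versions, taken from the advisory text.
const AFFECTED_MAJORS = { react: [19], next: [15, 16] };

// Extract the major version from a resolved version ("19.1.0") or a
// package.json range ("^19.1.0", "~15.3.1", ">=16.0.0"). Returns null for
// tags such as "latest" or workspace:/file: references.
function majorOf(spec) {
  const m = /^[\s^~>=<]*v?(\d+)(?:\.|$)/.exec(String(spec).trim());
  return m ? Number(m[1]) : null;
}

// pkg: parsed package.json; resolved: { name: version } from the lockfile
// (preferred over the declared range when present); usesAppRouter: whether
// the Next.js project uses the App Router (hypothetical flag, set by caller).
function triageReact2Shell(pkg, resolved = {}, usesAppRouter = true) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const [name, majors] of Object.entries(AFFECTED_MAJORS)) {
    if (!(name in deps)) continue;
    const spec = resolved[name] || deps[name];
    const major = majorOf(spec);
    let status;
    if (major === null) status = 'unknown-version';
    else if (!majors.includes(major)) status = 'outside-affected-range';
    else if (name === 'next' && !usesAppRouter) status = 'affected-range-no-app-router';
    else status = 'potentially-affected';
    findings.push({ package: name, version: spec, status });
  }
  return findings;
}

// Constructed sample: a Next.js 15 App Router project on React 19.
const samplePkg = {
  dependencies: { react: '^19.0.0', 'react-dom': '^19.0.0', next: '15.1.0' },
};
const sampleLock = { react: '19.1.0', next: '15.1.0' };
const sampleFindings = triageReact2Shell(samplePkg, sampleLock, true);
console.log(JSON.stringify(sampleFindings, null, 2));
```

Feed it the real package.json and lockfile versions of each deployed application, then check every `potentially-affected` entry against the vendor's patched releases.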
Source: https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182