China-Linked Hackers Exploit React RCE Flaw Hours After Disclosure


Security researchers disclosed a maximum-severity remote code execution vulnerability in React Server Components on December 3, 2025, allowing unauthenticated attackers to execute arbitrary commands on affected servers through crafted HTTP requests. China-nexus threat groups, including Earth Lamia and Jackpot Panda, began exploiting the flaw within hours, targeting public-facing endpoints in Next.js applications. The vulnerability, tracked as CVE-2025-55182 with a CVSS score of 10.0, stems from unsafe deserialization in the React Flight protocol, affecting versions 19.0.0 through 19.2.0.

The flaw enables attackers to inject payloads via parameters like $ACTION_REF_0 and $ACTION_0:0, exploiting prototype pollution in Promise handling to invoke Function constructors with hidden code in FormData blobs. Discovered by Lachlan Davidson and coordinated with Meta, the issue impacts frameworks implementing Server Components, including Next.js, Vite-RSC, and react-server-dom-webpack. Wiz analysis reveals 39% of scanned cloud environments run vulnerable React or Next.js instances, with Next.js present in 69% of those. Patches released December 3 require upgrading to React 19.2.1 or higher, alongside bundler updates for full mitigation.

Amazon Web Services threat intelligence observed automated scans using user-agent randomization to evade detection, with exploitation peaking at over 1,000 attempts per hour on December 4. Attackers chained the flaw with N-day vulnerabilities like CVE-2025-1338, expanding lateral movement in compromised networks. GreyNoise reported nearly 50% of offending IPs as newly observed in December 2025, indicating opportunistic scanning by botnets including Mirai variants. No widespread breaches surfaced by December 7, but enterprises using server-side rendering face elevated risks from supply chain compromises.

Mitigations include validating inputs against whitelists and deploying web application firewalls with rules blocking deserialization payloads. AWS updated its WAF managed ruleset to version 1.24, automatically filtering CVE-2025-55182 attempts. Rapid7 and Datadog released indicators of compromise, such as suspicious HTTP headers mimicking React Flight streams. Developers must audit dependencies via software bill of materials tools, as transitive vulnerabilities in react-server-dom-parcel persist in unpatched ecosystems.
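The two defender-side checks the article points at, a dependency audit for the affected version range and triage of requests carrying the React Flight action field names it describes ($ACTION_REF_0, $ACTION_0:0), can be scripted. The following Node.js code is an added example written for this page; it is not code from the article, from React, or from Next.js. The watched package names and the affected range (19.0.0 through 19.2.0, fixed in 19.2.1) are taken from the article; the lockfile, the sample requests, and the allowlist of paths expected to receive Server Actions are constructed assumptions for the demonstration.

```javascript
// Added defensive example, not code from the article, React, or Next.js.
//  1. audit a package-lock.json for React packages inside the affected
//     range 19.0.0 .. 19.2.0 (fixed in 19.2.1, per the article);
//  2. triage inbound requests whose form fields carry the React Flight action
//     markers named in the article ($ACTION_REF_<n>, $ACTION_<n>:<n>) so they
//     can be logged, rate-limited, or blocked at a WAF/middleware layer.
// All sample inputs below are constructed for illustration.

// Package names taken from the article; extend for your own dependency tree.
const WATCHED_PACKAGES = new Set([
  "react", "react-server-dom-webpack", "react-server-dom-parcel",
]);
const AFFECTED_MIN = [19, 0, 0];
const AFFECTED_MAX = [19, 2, 0];

function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(version);
  return m ? { nums: [m[1], m[2], m[3]].map(Number), prerelease: Boolean(m[4]) } : null;
}

function compareNums(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// "affected", "fixed", "older", or "review": prerelease/canary builds cannot be
// placed reliably by their numeric parts alone, so they are escalated.
function classifyVersion(version) {
  const v = parseVersion(version);
  if (v === null || v.prerelease) return "review";
  if (compareNums(v.nums, AFFECTED_MIN) < 0) return "older";
  if (compareNums(v.nums, AFFECTED_MAX) <= 0) return "affected";
  return "fixed";
}

// Walks the lockfile v2/v3 "packages" map. Nested installs appear as
// "node_modules/a/node_modules/react", so the package name is the tail after
// the last "node_modules/" segment (scoped names like @x/y survive intact).
function auditLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // root project entry
    const name = path.slice(idx + "node_modules/".length);
    if (!WATCHED_PACKAGES.has(name)) continue;
    const status = classifyVersion(entry.version || "");
    if (status === "affected" || status === "review") {
      findings.push({ path, name, version: entry.version, status });
    }
  }
  return findings;
}

// Form-field markers as described in the article. Legitimate Server Action
// submissions carry the same field names, so a hit is a triage signal: the
// caller supplies the paths expected to receive actions, and any other path
// carrying these markers is marked suspicious.
const ACTION_REF_RE = /name="\$ACTION_REF_\d+"/;
const ACTION_CHUNK_RE = /name="\$ACTION_\d+:\d+"/;

function inspectRequest(req, expectedActionPaths = new Set()) {
  const body = req.body || "";
  const contentType = (req.headers["content-type"] || "").toLowerCase();
  const findings = [];
  if (ACTION_REF_RE.test(body)) findings.push("flight-action-ref");
  if (ACTION_CHUNK_RE.test(body)) findings.push("flight-action-chunk");
  if (findings.length > 0 && !contentType.startsWith("multipart/form-data")) {
    findings.push("markers-outside-multipart");
  }
  const suspicious = findings.length > 0 && !expectedActionPaths.has(req.path);
  return { path: req.path, findings, suspicious };
}

// Constructed sample lockfile: one direct and one nested affected install.
const SAMPLE_LOCK = JSON.stringify({
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.1.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/some-lib/node_modules/react-server-dom-parcel": { version: "19.2.0" },
  },
});

// Constructed sample requests: action markers on an unexpected path, action
// markers on the one allowlisted form path, and an ordinary JSON request.
const SAMPLE_REQUESTS = [
  { method: "POST", path: "/", headers: { "content-type": "multipart/form-data; boundary=b" },
    body: '--b\r\nContent-Disposition: form-data; name="$ACTION_REF_0"\r\n\r\n\r\n--b\r\nContent-Disposition: form-data; name="$ACTION_0:0"\r\n\r\n{}\r\n--b--' },
  { method: "POST", path: "/contact", headers: { "content-type": "multipart/form-data; boundary=b" },
    body: '--b\r\nContent-Disposition: form-data; name="$ACTION_REF_0"\r\n\r\n\r\n--b--' },
  { method: "POST", path: "/api/search", headers: { "content-type": "application/json" },
    body: '{"q":"react"}' },
];

function runDemo() {
  const expected = new Set(["/contact"]); // assumption: only this form uses Server Actions
  return {
    lockFindings: auditLockfile(SAMPLE_LOCK),
    requestResults: SAMPLE_REQUESTS.map((r) => inspectRequest(r, expected)),
  };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

The lockfile walk flags both the direct `react` install and the transitive `react-server-dom-parcel` copy under `some-lib`, which is the case the article warns persists in unpatched ecosystems; a scan of only top-level dependencies would miss it. The request inspector deliberately does not try to decide whether a submission is malicious from the body alone, since the same field names are produced by legitimate Server Actions; it combines marker presence with the path allowlist so that a WAF rule or middleware can block or rate-limit the unexpected ones while the application is being upgraded.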

The incident underscores tensions in serverless architectures, where dynamic code execution trades performance for security. React’s adoption in 80% of Fortune 500 web apps amplifies exposure, per Stack Overflow surveys. U.S. firms, handling 40% of global e-commerce traffic, report average breach costs of $4.45 million under NIST frameworks. CISA added the CVE to its Known Exploited Vulnerabilities catalog on December 6, mandating federal remediation within 21 days.

Broader ecosystem responses involve enhanced fuzzing for deserialization paths and runtime monitoring of server functions. Startups like SafeDep offer SBOM-based scanners detecting vulnerable React integrations, processing 10,000 components per scan. Tenable Cloud Security plugins now flag exposures in Docker images and cloud workloads. As exploitation evolves, organizations should enforce least-privilege endpoints and segment serverless functions to limit blast radii.

This incident highlights geopolitical cyber dynamics, with state actors probing U.S.-hosted apps for intelligence gains. Mandiant forecasts a 30% rise in framework-specific exploits by 2026, driven by open-source velocity. For developers, immediate patching and code reviews remain critical, transforming a routine update into a defensive bulwark against persistent threats.
