Google Sees 5 Chinese Groups Exploiting React2Shell for Malware Delivery


Google has observed five China-linked threat groups exploiting the recently disclosed React2Shell vulnerability in their attacks.

React2Shell, officially tracked as CVE-2025-55182, impacts systems that use version 19 of the React user interface library, specifically instances with React Server Components (RSC). In addition to React, CVE-2025-55182 could impact many applications that use Next.js, Waku, React Router, or RedwoodSDK.

CVE-2025-55182 is a critical vulnerability that can be exploited for unauthenticated remote code execution via specially crafted HTTP requests.

React2Shell was disclosed on December 3, and exploitation started on the same day.

AWS reported that Chinese threat actors tracked as Earth Lamia and Jackpot Panda had started exploiting the React vulnerability shortly after its public disclosure.

The Google Threat Intelligence Group (GTIG) has also monitored the web for React2Shell attacks and over the weekend reported seeing at least five other China-linked threat groups delivering malware through exploitation of the ...


Copyright of this story solely belongs to securityweek.