China, Iran Are Having a Field Day With React2Shell, Google Warns (theregister.com)
A critical React vulnerability (CVE-2025-55182) is being actively exploited at scale by Chinese, Iranian, North Korean, and criminal groups to gain remote code execution, deploy backdoors, and mine crypto. The Register reports: React maintainers disclosed the critical bug on December 3, and exploitation began almost immediately. According to Amazon's threat intel team, Chinese government crews, including Earth Lamia and Jackpot Panda, started battering the security hole within hours of its disclosure. Palo Alto Networks' Unit 42 responders have put the victim count at more than 50 organizations across multiple sectors, with attackers from North Korea also abusing the flaw.
Google, in a late Friday report, said at least five other suspected PRC spy groups also exploited React2Shell, along with criminals who deployed XMRig for illicit cryptocurrency mining, and "Iran-nexus actors," although the report doesn't provide any additional details about who the Iran-linked groups are and what they are doing after exploitation. "GTIG has also observed numerous discussions regarding CVE-2025-55182 in underground forums, including threads in which threat actors have shared links to scanning tools, proof-of-concept (PoC) code, and their experiences using these tools," the researchers wrote.
what is React2Shell? (Score:3)
I just did a search, on both DuckDuckGo and Google, to find what it is and got pages of results only on this bloody exploit!
Re: (Score:2)
I just did a search, on both DuckDuckGo and Google, to find what it is and got pages of results only on this bloody exploit!
From what I checked this name specifically refers to the discovered set of vulnerabilities in the React proprietary client-server protocol, which (the bugs) allow for shell execution on a server.
Re: (Score:2)
That's because React2Shell *is* the exploit. That's what it's called. It's exploiting something called "React", which as near as I can tell is some sort of web server thing.
Re: (Score:2)
So wait... You searched for information about React2Shell and got pages of results about React2Shell, and yet, somehow, you still don't know what React2Shell is?
Re: (Score:1)
Wrong, one gets pages about the CVE, not about what React2Shell is.
Re: (Score:1)
So this crap has a vulnerability. Whoop de do, never heard of it.
all four users in the world are in tears
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: what is React2Shell? (Score:2)
That's what it is. Your Google-fu is showing weakness.
Re: (Score:2)
Just a demo that shows React is crap. Like most "web frameworks" really. Almost all are gross KISS violations and that cannot go well.
Isn't a field day in China just... (Score:2)
it's the complexity, stupid (Score:5, Insightful)
Speaking as an old graybeard UI guy.... we have just come up with more and more complex solutions to the same old internet "one weird trick" of putting your information on someone else's computer.
Yeah, I remember "Server Side Rendering"... we called it Java Servlets or JSPs or PHP or ASP. There were clear divisions of labor and boundaries were respected.
Even when we had to go to make everything feel like an app, at least RESTful stuff still had those boundaries.
Now that everyone needs the same code running front and back, and JS (I'm not a hater of JS by any means but still) stuff like this is bound to have happened.
Re: (Score:2)
I don't have anything against JS, it's fine for manipulating webpages client side because it's the only standard option (fine, WASM, but realistically). Where I draw (drew?) the line is "let's run it on the server too!". That was a terrible idea. Then someone decided, hey, don't code that, use an npm that you have never read or validated. That was the terrible idea amongst terrible ideas. Now they've reached the apex of idea terribleness by letting LLMs write code that is never read, using npms that are nev
Re: (Score:3)
Re: (Score:1)
How about bundling Node and a snazzy GUI into an Electron [electronjs.org] app, and let end users run that as root? /s
Re: (Score:2)
Oh, you missed the whole Kubernetes part of this equation. Almost all Docker container services are designed to run as root on the insane notion that containerization on its own is sufficiently isolated.
Re: (Score:2)
I'm still writing new software in .Net8 Winforms.
Now get off my lawn!
Re: (Score:2)
You must be new on this Internet if "server side rendering" to you is ASP and its clones and not SSI.
Ah, the good old days... Does anyone still remember the intern who used setuid on a shell script to generate the SSI output?
I think he is the father of the "react2shell" Facebook dev...
Re: it's the complexity, stupid (Score:2)
This isn't server side rendering, this is server side execution of code defined on the client. Like the basis of 95% of web vulnerabilities. Sure, they've passed it through a few architectural layers to obfuscate the issue, but it boils down to trash design, trash architecture, and trash coders.
And if you're still vulnerable, your team is also trash.
Re: (Score:2)
I fully agree. Violate KISS and things will never get to a secure or reliable state. The "web framework" crowd does not seem to know that basic fact.