React2Shell: Critical CVSS 10.0 RCE in React JavaScript Server Exploited by Chinese APTs

A critical remote code execution vulnerability in the React JavaScript server, dubbed React2Shell (CVE-2025-55182), has come under active exploitation by Chinese APT groups within hours of disclosure. The flaw, which carries a CVSS score of 10.0, allows unauthenticated attackers to execute arbitrary code on affected servers. The React JavaScript server is a component used in some Node.js environments, particularly in headless commerce frameworks like Shopify's Hydrogen.
According to reports, Chinese state-sponsored hacking groups began exploiting the vulnerability almost immediately after the proof-of-concept code was published. The Record from Recorded Future News noted that researchers have tracked dozens of organizations affected by React2Shell compromises tied to China's Ministry of State Security (MSS). The attacks are part of a broader campaign that also involves two other vulnerabilities, with attention focused on China.
The vulnerability was discovered by researcher lachlan2k, who published the original proof-of-concept on GitHub. The exploit allows attackers to send specially crafted requests to the React server, leading to remote code execution. Given the widespread use of React in web development, the potential impact is significant, though the server component is less common than the client-side library.
In response, the React team has released a patch for the vulnerability. Users are urged to update their React server packages immediately. The Cybersecurity and Infrastructure Security Agency (CISA) is expected to add the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, given the active exploitation.
The incident highlights the growing risk of vulnerabilities in JavaScript server-side technologies, which are increasingly targeted by threat actors. The rapid exploitation by Chinese APT groups underscores the need for organizations to prioritize patching and monitor for signs of compromise. The full details of the vulnerability and the associated attacks are covered in this week's Risky Business podcast.