Overview
- AWS reports Earth Lamia and Jackpot Panda began attempting exploitation within hours of disclosure, with honeypots recording interactive tests and commands such as whoami, id and writes to /tmp/pwned.txt.
- Public exploits have been posted on GitHub, and working PoCs were validated by Rapid7’s Stephen Fewer and Elastic’s Joe Desimone despite warnings about fake repositories.
- The bug stems from insecure deserialization in the React Server Components Flight protocol and enables unauthenticated remote code execution with a CVSS score of 10.0.
- React and Next.js released security updates, including React 19.0.1, 19.1.2 and 19.2.1, and the NVD rejected a separate Next.js CVE as a duplicate of CVE-2025-55182.
- Wiz estimates roughly 39% of observed cloud environments are susceptible, and AWS observed attackers pairing React2Shell probing with scans for other N-day vulnerabilities.
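Because the fix is a version bump, the first defensive step is an inventory of which React Server Components packages in a dependency tree are still below the patched releases. The following script is an added example, not code from the page or from the React project: it walks a package-lock.json style `packages` map and classifies each relevant package against the fixed versions the overview lists (19.0.1, 19.1.2, 19.2.1). The set of package names it inspects, the `auditLockfile` and `classify` helpers, and the sample lockfile fragment are all assumptions constructed for illustration.

```javascript
// Added example (not from the original page): audit a package-lock.json style
// dependency map for React packages against the fixed versions the overview
// lists for CVE-2025-55182 (React 19.0.1, 19.1.2 and 19.2.1).
// Assumption: the same fixed versions apply to every package named in
// AFFECTED_PACKAGES; that list is this example's assumption, not from the page.

const FIXED_VERSIONS = ["19.0.1", "19.1.2", "19.2.1"];

// Packages to inspect. Assumed set; adjust to match your own dependency tree.
const AFFECTED_PACKAGES = new Set([
  "react",
  "react-dom",
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// Parse "MAJOR.MINOR.PATCH" with an optional "-prerelease" suffix.
// Returns null for anything that is not a plain semver release string.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Classify one version string:
//   "fixed"      -> on a 19.0 / 19.1 / 19.2 line at or above the fixed patch level
//   "vulnerable" -> on one of those lines but below the fixed patch level
//   "unknown"    -> a line the listed fixes do not cover (e.g. 18.x or 19.3+),
//                   or an unparseable string; check the vendor advisory directly
function classify(version) {
  const v = parseVersion(version);
  if (!v) return "unknown";
  for (const fixed of FIXED_VERSIONS) {
    const f = parseVersion(fixed);
    if (v.major === f.major && v.minor === f.minor) {
      if (v.patch > f.patch) return "fixed";
      if (v.patch < f.patch) return "vulnerable";
      // Same patch number: a prerelease (19.2.1-canary-...) sorts below the
      // release under semver, so treat it conservatively as not yet fixed.
      return v.pre ? "vulnerable" : "fixed";
    }
  }
  return "unknown";
}

// Audit an object shaped like the "packages" map of a lockfileVersion 2/3
// package-lock.json: { "node_modules/react": { "version": "19.2.0" }, ... }.
// Nested copies ("node_modules/a/node_modules/react") are inspected too,
// since a transitive duplicate is just as reachable at runtime.
function auditLockfile(packages) {
  const findings = [];
  for (const [path, entry] of Object.entries(packages)) {
    const name = path.replace(/^.*node_modules\//, "");
    if (!AFFECTED_PACKAGES.has(name) || !entry || !entry.version) continue;
    findings.push({ name, version: entry.version, status: classify(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile fragment; not taken from any real project.
const SAMPLE_LOCK = {
  "": { version: "1.0.0" },
  "node_modules/react": { version: "19.2.0" },
  "node_modules/react-dom": { version: "19.2.1" },
  "node_modules/react-server-dom-webpack": { version: "19.1.1" },
  "node_modules/next": { version: "15.0.0" },
  "node_modules/some-lib/node_modules/react": { version: "18.3.1" },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditLockfile(SAMPLE_LOCK)) {
    console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}`);
  }
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8")).packages`. The classifier is deliberately conservative: anything outside the three patched minor lines is reported as "unknown" rather than assumed safe, so the output is a triage list to check against the vendor advisory, not a clean bill of health.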