Particle.news

CISA Adds React2Shell to Exploited List After China-Linked Attacks and Cloudflare Mitigation Outage

Federal officials now list the flaw as actively exploited, signaling that urgent patching outweighs reliance on temporary cloud defenses.

Overview

  • The CVE-2025-55182 insecure-deserialization bug enables unauthenticated RCE in React Server Components. Fixes were released in React 19.0.1, 19.1.2, and 19.2.1 for react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. A Next.js CVE was rejected as a duplicate, and Wiz estimates about 39% of observed cloud environments remain exposed.
  • AWS reported exploitation within hours by China-nexus groups Earth Lamia and Jackpot Panda via its MadPot honeypots, observing hands-on-keyboard testing that executed discovery commands, attempted to read /etc/passwd, and wrote marker files.
  • Investigators now report confirmed compromises, with Palo Alto Networks Unit 42 tallying more than 30 affected organizations and noting attempts to steal AWS credentials and install downloaders, while Wiz and watchTowr observed webshell deployments and cryptojacking activity.
  • Working proof-of-concept exploits are public and mixed with fakes, including code validated by Rapid7 and Elastic, researcher Lachlan Davidson’s published PoCs, and a GitHub exploit by maple3142, increasing risk for unpatched servers.
  • Cloudflare said a brief global outage was triggered by an emergency Web Application Firewall parsing change to mitigate React2Shell, as providers roll out interim rules yet caution these do not replace updating and rebuilding vulnerable deployments.
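
To act on the fixed releases listed in the first overview point, the following added example (not from the article or from the React project) audits a `package-lock.json` for the three named packages. The sample lockfile is constructed, and the rule that any patch below the fixed one in a listed 19.x line needs updating is an assumption drawn from the version list above.

```javascript
// Added example, not from the article. Fixed patch per 19.x line, as listed in the overview.
const FIXED_PATCH = { "19.0": 1, "19.1": 2, "19.2": 1 };
const AFFECTED = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];

// Classify one installed version against the fixed release of its line.
function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(version);
  if (!m) return "unknown";
  const fixedPatch = FIXED_PATCH[`${m[1]}.${m[2]}`];
  // The article names no fix for other release lines, so do not guess.
  if (fixedPatch === undefined) return "unknown";
  // Assumption: within a listed line, anything below the fixed patch is unpatched,
  // and a prerelease of the fixed version sorts below it (semver ordering).
  const patch = Number(m[3]);
  if (patch < fixedPatch || (patch === fixedPatch && m[4])) return "needs-update";
  return "fixed";
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3) and
// report every installed copy of the three packages, nested copies included.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!AFFECTED.includes(name) || !entry.version) continue;
    findings.push({ path, version: entry.version, status: classify(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile (not real project data).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.1.1" },
    "node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/demo-plugin/node_modules/react-server-dom-webpack": { version: "19.0.1" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.0" },
    "node_modules/react-server-dom-parcel": { version: "19.3.0-canary.0" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) console.log(f.status, f.version, f.path);
```

The audit only sees packages the lockfile lists by name; a copy bundled inside a framework's own distribution would not appear and has to be checked through that framework's release. Findings marked `unknown` fall outside the release lines the article names and need a manual check against the vendor advisory.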