React2Shell RCE Bug in React & Next.js Exploited by Hackers Hours After Patch Drop
China-linked threat actors pounced on a critical React Server Components vulnerability dubbed React2Shell within hours of its disclosure, deploying crypto miners and backdoors across cloud environments. This max-severity flaw, tracked as CVE-2025-55182, lets attackers execute code remotely without authentication on React 19.x and Next.js 15.x/16.x using the App Router.
The Nitty-Gritty Details
Disclosed on December 3, React2Shell hits default configurations hard—no explicit server functions needed for exploitation. Groups like Earth Lamia and Jackpot Panda jumped in fast, targeting cloud metadata and environment variables for creds. CISA slapped it into their Known Exploited Vulnerabilities catalog by December 5, and reports show North Korean actors in the mix too. Shockingly, 39% of scanned cloud setups are still vulnerable. Oh, and this isn’t ancient history—it’s from early December 2025, making it the freshest, most buzzed cyber bombshell in the last day.
Why Devs Should Sweat This
If you’re building with React or Next.js App Router, this is your wake-up call: default setups are sitting ducks for RCE. One bad deploy, and attackers own your cloud infra, stealing keys or mining crypto on your dime. Patch now or risk joining the exploited club—especially since state actors are already weaponizing it against real targets.
Final Take
React2Shell proves zero-days don’t sleep; they spread. Devs, audit your stacks, enable strict configs, and watch those cloud scans—cyber threats evolve faster than your last pull request.
