Vulnerability Management, Patch/Configuration Management, Network Security, AI/ML, Exposure management

React2Shell bug exploited by China-linked groups, fix briefly disrupts Cloudflare

China map outline, flag colors red, yellow glowing. Futuristic circuit board digital technology backdrop. High-tech data streams, innovation, modern design, connectivity global network.

News about the fast-breaking React2Shell bug has security pros saying it could force the industry to rethink how to operate in the AI era, including redefining patching schedules and our notions about 24-7-365 uptime from service providers.  

Most cybersecurity pros are now well aware of this 10.0 flaw: AWS researchers reported on Dec. 4 that within hours of the public disclosure of React2Shell (CVE-2025-55182) on Dec. 3, the bug was actively exploited in the wild by multiple China-state threat groups, including Earth Lamia and Jackpot Panda.

Cloudflare determined that the React2Shell was so dangerous that it was willing to sustain a short 25-minute outage to fix the bug.

In a Dec. 5 blog post, Cloudflare said the outage was not a cyberattack on Cloudflare’s systems or malicious activity of any kind.

Instead, the internet services firm said it was "triggered by changes being made to the company’s body parsing logic while attempting to detect and mitigate" the React2Shell bug.

“The Cloudflare outage isn't just an operational incident, it's a case study in how mature organizations are now making real-time risk calculations with global consequences,” said Denis Calderone, chief operating officer at Suzu Labs. “The Chinese threat actor involvement isn't surprising, but the speed and sophistication of their response is a wake-up call.”

Related reading:


Calderone added that Cloudflare made the right call, and organizations watching from the sidelines should take note, pointing out that when a company that literally runs a significant portion of internet infrastructure decides the risk of active exploitation was worse than voluntarily taking services down, that's a signal to security pros.

“This wasn't a configuration mistake or a botched deployment, as we have seen before, but rather this was a calculated decision that the vulnerability was so dangerous they couldn't wait for a maintenance window,” explained Calderone. “Security teams still debating whether to patch over the weekend just got their answer."


The latest campaign by Chinese state actors exploiting React2Shell, emphasizes the increased speed advanced threat actors exploit critical vulnerabilities upon public disclosure, said Lauren Rucker, senior cyber threat intelligence analyst at Deepwatch. Threat actors are not relying solely on automated scans. Rucker pointed out that attacks on AWS honeypots observed a mix of public, including broken, exploits combined with iterative manual testing and real-time troubleshooting against live targets.

Observed behaviors included attempts to execute Linux commands (whoami, id), create files (/tmp/pwned.txt), and read system files (/etc/passwd/). This active debugging confirms rapid, targeted engagement with the flaw.

“The traditional 30-day patching timeline should no longer be considered a viable mitigation against malicious actors for key operational technologies,” said Rucker. “As experienced professionals in system administration and vulnerability management, we recognize the inherent risk in high-speed, emergency deployments. “

Suzu Labs’ Calderone added that what's notable in this case isn't just how quickly that China-linked Earth Lamia and Jackpot Panda jumped on the vulnerability, it's the operational discipline involved. AWS observed them debugging exploits in real-time against honeypots, refining their payloads on the fly.

“These aren't script kiddies running automated scans, these are well-resourced operators with processes built to weaponize new vulnerabilities within hours of disclosure,” said Calderone. “The window between ‘zero-day’ and 'everyone's a target' has essentially collapsed. Organizations need to internalize that threat actors are watching the same CVE feeds they are and moving faster than the defenders in many cases."

React2Shell background

There were actually two flaws originally reported here that run remote code execution (RCE): CVE-2025-55182 and CVE-2025-66478.

According to Wiz researchers, CVE-2025-55182 runs as a critical unauthenticated RCE vulnerability in the react-server package used by React Server Components (RSC).

CVE-2025-66478, which since has been rejected by NIST as a duplicate CVE, operates as the corresponding RCE vulnerability in Next.js, which inherits the same underlying flaw through its implementation of the RSC "Flight" protocol.

What’s now widely regarded as the React2Shell bug — CVE-2025-55182 — focuses around React — also known as React.js — one of the world's most popular open-source JavaScript frameworks. The organization’s React Server Components (RSC) represent its newest paradigm for building full-stack applications: RSC lets components run on the server, with a streaming protocol called "Flight" that serializes data between server and client.

Miggo researchers said in a Dec. 4 blog that security researcher Lachlan Davidson reported the vulnerability to Meta on Nov. 29.

React then released patched versions on Dec. 3 — but events happened so fast, many organizations were caught off-guard.

"While the React2Shell situation is still unfolding, it’s now clear that AI has changed the game," said Itai Goldman, co-founder and CTO at Miggo. “It's both making it faster for attackers to generate and test payloads and that's why we saw a working POC out in 24 hours from the disclosure. At the same time, AI is enabling the creation of thousands of fake payloads which creates noise for defenders trying to separate the real, evolving exploits from the 'AI slop.'"

Suzu Labs’ Calderone added that a max-severity bug in one of the most popular web frameworks on the planet (Cloudflare) was already bad enough. The “AI slop” angle adds a troubling dimension: Calderone said researchers are pointing to AI-generated code as a potential contributing factor to the vulnerability.

“Whether or not that's definitively proven, it highlights how AI coding assistants can introduce flaws that traditional code review might miss, especially in serialization and deserialization logic where security consequences aren't immediately obvious,” explained Calderone. “The irony is painful: tools designed to accelerate development may accelerate the creation of exploitable code. As AI-assisted development becomes standard practice, security teams need to adjust their threat models accordingly. The attack surface now includes whatever the AI confidently generated and nobody questioned.”

An In-Depth Guide to Network Security

Get essential knowledge and practical strategies to fortify your network security.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds