Concise Cyber


Chinese State-Sponsored Hackers Actively Exploiting Critical React2Shell RCE Vulnerability

Widespread Exploitation Follows Public Disclosure

A China-based, state-sponsored hacking group has begun actively exploiting a critical remote code execution (RCE) vulnerability in a popular server-side rendering (SSR) component for React. The vulnerability, tracked as CVE-2025-55182 and dubbed “React2Shell,” affects all versions of the ‘next-react-ssr’ library prior to 18.2.5. The active campaigns were first identified by threat intelligence analysts just 48 hours after a proof-of-concept (PoC) exploit was made public on GitHub.

The threat actor, identified by security researchers as “Jade Typhoon,” is leveraging the React2Shell flaw to achieve initial access to vulnerable web servers. Successful exploitation allows the attackers to execute arbitrary code with the same privileges as the web server process. Observations from compromised systems indicate the attackers are deploying web shells to establish persistent access and are conducting internal network reconnaissance. The primary targets of this campaign include organizations in the technology, defense, and telecommunications sectors across North America and Europe.

Technical Details and Mitigation

The React2Shell vulnerability, CVE-2025-55182, carries a CVSS score of 9.8, reflecting its critical severity and the ease of exploitation. The flaw originates from improper input sanitization within the library’s server-side rendering function, which can be triggered by a specially crafted HTTP request. This allows an unauthenticated remote attacker to gain full control over the affected server.

Security firms have confirmed that Jade Typhoon’s TTPs (Tactics, Techniques, and Procedures) in this campaign are consistent with their previously documented cyber-espionage operations. The immediate goal of the intrusions appears to be data exfiltration of intellectual property and sensitive corporate documents. System administrators are strongly urged to update their ‘next-react-ssr’ library to version 18.2.5 or later, which contains the patch for this vulnerability. Organizations should also scan their networks for indicators of compromise (IoCs) associated with this activity, which have been released by the Cybersecurity and Infrastructure Security Agency (CISA).
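A defensive check to go with the upgrade advice above, added here as an example that is not from the article, CISA, or the library itself: it scans an npm `package-lock.json` (the lockfileVersion 2/3 `packages` map) for every installed copy of next-react-ssr older than 18.2.5, including nested copies pulled in by other dependencies, which a top-level upgrade can leave behind. The lockfile contents are constructed for the demonstration.

```javascript
// Audit an npm lockfile for vulnerable copies of next-react-ssr (< 18.2.5).
// Package name and fixed version are the ones the brief states; the sample
// lockfile below is constructed, not taken from any real project.

const VULNERABLE_PACKAGE = 'next-react-ssr';
const FIXED_VERSION = '18.2.5';

// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
// A pre-release suffix ("18.2.5-beta.1") is ignored and treated as its base version,
// the conservative choice for an audit (it would be reported as patched only if the
// base version is >= 18.2.5, so flag pre-releases by hand if they matter to you).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return every lockfile entry for the package whose version is below the fix.
// Keys look like "node_modules/foo" (top level) or
// "node_modules/a/node_modules/foo" (a nested copy), so match on the suffix.
function findVulnerable(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/' + VULNERABLE_PACKAGE)) continue;
    if (!meta || typeof meta.version !== 'string') continue;
    if (compareVersions(meta.version, FIXED_VERSION) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample: the top-level copy is patched, but a plugin still bundles
// its own older copy, which is exactly the case a naive "npm ls" glance misses.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'webapp', version: '1.0.0' },
    'node_modules/next-react-ssr': { version: '18.2.5' },
    'node_modules/some-plugin': { version: '2.0.0' },
    'node_modules/some-plugin/node_modules/next-react-ssr': { version: '18.1.9' },
  },
};

console.log(JSON.stringify(findVulnerable(sampleLock), null, 2));
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`.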

Source: https://thehackernews.com/2025/12/chinese-hackers-have-started-exploiting.html