Chinese Hackers & the React2Shell Crisis This week, we dive deep into the critical, maximum-severity security flaw known as React2Shell (tracked as CVE-2025-55182). This vulnerability, which impacts React, the widely-used open-source JavaScript library, allows for unauthenticated remote code execution (RCE) through specially crafted HTTP requests on affected servers. The episode explores the immediate aftermath of the disclosure. Exploitation attempts began quickly, with Amazon Web Services (AWS) reporting that multiple China-linked threat groups, specifically Earth Lamia and Jackpot Panda, were exploiting the flaw within hours of its public availability. These actors are using both automated tools and individual exploits, and some are even actively debugging and refining their techniques against live targets. Earth Lamia has been active since at least 2023, targeting various industries in Latin America, the Middle East, and Southeast Asia, while Jackpot Panda focuses on cyberespionage operations in Asia. We also discuss the significant collateral damage caused by the urgent need to patch this flaw. Internet infrastructure giant Cloudflare experienced a widespread global outage, returning "500 Internal Server Error" messages worldwide, and attributed the incident to an emergency patch deployed to mitigate the industry-wide React2Shell vulnerability. This change was related to how Cloudflare’s Web Application Firewall parsed requests. Finally, we clarify the scope of the vulnerability: React2Shell primarily impacts server-side components. Specifically, it affects React versions 19.0, 19.1.0, 19.1.1, and 19.2.0, particularly instances using a relatively new server feature. Standard React Native mobile apps are generally safe, but any backend built using Next.js (App Router) or React 19 Server Components that communicates with the mobile app is at critical risk. Furthermore, developers need to be aware of a separate, but timely, vulnerability (CVE-2025-11953) affecting the local React Native CLI development server. Key Concepts and Takeaways - Vulnerability: React2Shell, CVE-2025-55182, is a critical vulnerability allowing unauthenticated remote code execution on affected servers. - Scope: Impacts the React open-source JavaScript library, particularly React version 19 and dependent React frameworks such as Next.js (App Router). Cloud security giant Wiz reported that 39% of cloud environments contain vulnerable React instances. - Threat Actors: Exploitation is linked to China-linked threat groups, including Earth Lamia and Jackpot Panda. - Major Impact: An emergency mitigation patch designed to address React2Shell caused a widespread global outage at Cloudflare. - Fix: Patches were available shortly after disclosure, reported to Meta on November 29 and patched on December 3. Users must upgrade affected dependencies like react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack to version 19.0.1 or higher. Resources and Links - SecurityWeek (Source Context): (Note: Specific articles discussed are embedded within the episode content.) - Expo Changelog: For specific SDK patch instructions. - Sponsor Link: Protecting mobile app integrity against security threats is vital: https://approov.io/podcast Keywords (Optimized for SEO) React2Shell, , Remote Code Execution (RCE), China-linked hackers, Earth Lamia, Jackpot Panda, React Server Components (RSC), Next.js vulnerability, React 19 security, web security, patch management, cyber espionage, critical vulnerability, application security