
Critical RCE Vulnerabilities in React and Next.js: Active Exploitation by Chinese Threat Actors
Two critical Remote Code Execution (RCE) vulnerabilities, CVE-2025-55182 in React Server Components (RSC) and CVE-2025-66478 in Next.js, have been assigned the maximum CVSS score of 10.0. Both are reachable without authentication by any client that can send requests to an affected server, which is what makes them so dangerous for internet-facing deployments.

The vulnerabilities are being actively exploited by threat actors linked to China, specifically Earth Lamia and Jackpot Panda. Exploitation began on December 4, 2025, within a day of the public disclosure. Public Proofs of Concept (PoCs) appeared quickly, lowering the barrier to entry for less capable attackers and leading to widespread opportunistic exploitation.

The affected versions are the react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack packages from 19.0.0 through 19.2.0, and Next.js from the 14.3.0 pre-release (canary) builds through 16.x. Given the popularity of these frameworks, the potential impact is substantial. Shodan searches show hundreds of thousands of internet-exposed Next.js deployments; a banner match does not by itself prove a vulnerable version, but the exposed population is large.

From a technical standpoint, the flaw is not in server-side rendering as such but in how the server decodes the RSC payload of incoming server-function requests: attacker-controlled request data is deserialized on the server, and a crafted payload turns that into code execution. Successful exploitation can lead to complete compromise of the application host, data theft, and lateral movement into the rest of the network.

Cybersecurity professionals are advised to patch affected systems immediately, updating the react-server-dom-* packages and Next.js to the patched releases named in the vendor advisories, and to back this up with network segmentation and intrusion detection. Given the active exploitation and the availability of public PoCs, the window for mitigation is narrow.

In conclusion, the discovery and rapid exploitation of these vulnerabilities underscore the importance of timely patching and robust security practices. Organizations using React or Next.js should prioritize updating to the latest secure versions and monitor their systems for signs of compromise, starting with a review of their dependency lockfiles so they know which deployments are actually affected.
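The first practical step in the patching advice above is working out which deployments actually carry an affected version. The following Node.js script, added here as an example and not code from the React or Next.js projects, walks a package-lock.json (lockfileVersion 2 or 3) and flags affected react-server-dom-* and Next.js versions. It uses the version ranges stated in this article; the per-minor-line "first fixed release" table and the 14.3.0-canary.0 floor for Next.js are my assumptions taken from the vendor advisories and should be confirmed against them before the script is relied on. The lockfile it scans by default is a constructed sample.

```javascript
'use strict';

// First patched release of each affected minor line, keyed by npm package name.
// ASSUMED from the vendor advisories for CVE-2025-55182 / CVE-2025-66478; verify before use.
const FIRST_FIXED = {
  'react-server-dom-webpack':   ['19.0.1', '19.1.2', '19.2.1'],
  'react-server-dom-parcel':    ['19.0.1', '19.1.2', '19.2.1'],
  'react-server-dom-turbopack': ['19.0.1', '19.1.2', '19.2.1'],
  next: ['15.0.5', '15.1.9', '15.2.6', '15.3.6', '15.4.8', '15.5.7', '16.0.7'],
};

// Earliest affected version per package (article: React 19.0.0, Next.js 14.3.0 pre-releases).
function firstAffected(name) {
  return name === 'next' ? '14.3.0-canary.0' : '19.0.0';
}

// Parse "MAJOR.MINOR.PATCH[-PRERELEASE]" into comparable parts.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : null };
}

// SemVer precedence: numeric fields first, then a prerelease sorts before its own release,
// and prerelease identifiers compare numerically when both are numeric.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (!x.pre && !y.pre) return 0;
  if (!x.pre) return 1;
  if (!y.pre) return -1;
  const n = Math.max(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined) return -1;
    if (q === undefined) return 1;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) { if (+p !== +q) return +p < +q ? -1 : 1; }
    else if (pn !== qn) return pn ? -1 : 1;
    else if (p !== q) return p < q ? -1 : 1;
  }
  return 0;
}

// A version is affected if it is at or past the first affected version and older than the
// first fixed release of its own minor line. Lines with no fix entry that sit below the newest
// fix (e.g. Next.js 14.3.0-canary.*) never received one and are reported; lines above it shipped fixed.
function isVulnerable(name, version) {
  const fixed = FIRST_FIXED[name];
  if (!fixed) return false;
  if (compareSemver(version, firstAffected(name)) < 0) return false;
  const v = parseSemver(version);
  const line = fixed.find((f) => {
    const p = parseSemver(f);
    return p.major === v.major && p.minor === v.minor;
  });
  if (line) return compareSemver(version, line) < 0;
  return compareSemver(version, fixed[fixed.length - 1]) < 0;
}

// Walk the "packages" map of a package-lock.json (v2/v3). Keys look like
// "node_modules/next" or "node_modules/tool/node_modules/next" for nested copies.
function scanLockfile(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx < 0 || !meta || !meta.version) continue; // "" is the root project itself
    const name = path.slice(idx + 'node_modules/'.length);
    if (name in FIRST_FIXED && isVulnerable(name, meta.version)) {
      hits.push({ path, name, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: one affected Next.js, one affected RSC package, one nested
// patched Next.js copy, and packages that are out of scope.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { next: '15.5.6', react: '19.2.0' } },
    'node_modules/next': { version: '15.5.6' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-dom': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/some-tool': { version: '1.0.0' },
    'node_modules/some-tool/node_modules/next': { version: '16.0.7' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  // Usage: node check-rsc.js [path/to/package-lock.json]; defaults to the sample above.
  const lock = process.argv[2]
    ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  for (const h of scanLockfile(lock)) console.log(`AFFECTED ${h.name}@${h.version} (${h.path})`);
}
```

Run it against each deployed application's lockfile rather than its package.json: the lockfile records the versions actually installed, including nested copies pulled in by other dependencies, which is where a patched top-level pin can still leave an affected copy behind. A yarn.lock or pnpm-lock.yaml needs a different parser, but the same version logic applies.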