If you use React or Next.js, I have some important news for you today. Google has found 5 more Chinese hacking groups using the React2Shell vulnerability (CVE-2025-55182) to target websites. With React2Shell, hackers are able to run code on your server with just one web request. Isn't that frightening?
If site owners do not begin to update their applications, they are at risk of being hacked before they discover the breach.
How React2Shell Works
All versions of React are impacted (19.0 to 19.2.0). Hackers can use this bug to compromise credentials (AWS logins, configuration files, etc.) or other sensitive data through these packages: react-server-dom-parcel and react-server-dom-webpack. If these components are part of your project or app, you could be compromised.
The Hacking Groups
Google says five more Chinese groups are exploiting this flaw:
- UNC6600 – uses MINOCAT tunneling
- UNC6586 – uses SNOWLIGHT downloader
- UNC6588 – spreads COMPOOD backdoor
- UNC6603 – updated HISONIC backdoor
- UNC6595 – ANGRYREBEL.LINUX RAT
Recommendations For Action
- Make sure that all React and Next.js applications are updated immediately.
- Review all AWS credentials and server configuration settings.
- Be vigilant for suspicious activity on your company's networks.
Overall
React2Shell is a classic example of how a single coding error can open the door to countless harmful consequences. With more and more Chinese hacking groups involved in this type of activity, it is increasingly important to remain vigilant against potential threats.