Chinese hackers exploiting React2Shell bug impacting countless websites, Amazon researchers say

December 07, 2025

The Record reports:

State-backed hackers in China are exploiting a vulnerability impacting a popular open-source tool built into thousands of widely-used digital products, according to new reports. 

The tool, React Server Components, was maintained by Meta for many years and now is embedded in 50 million websites and products built by countless major firms. 

The bug, tagged as CVE-2025-55182 and referred to colloquially as React2Shell, was reported to Meta by researcher Lachlan Davidson on November 29 and publicly disclosed on Wednesday, when a fix was rolled out. The vulnerability carries a “critical” severity score of 10 out of 10. 

On Thursday evening, Amazon Integrated Security CISO CJ Moses said his team observed that the bug was being exploited by “multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda.” The bug was also added to the Cybersecurity and Infrastructure Security Agency’s catalog of exploited vulnerabilities on Friday. 

Read more at The Record.