China, Iran Are Having a Field Day With React2Shell, Google Warns (theregister.com) 30
A critical React vulnerability (CVE-2025-55182) is being actively exploited at scale by Chinese, Iranian, North Korean, and criminal groups to gain remote code execution, deploy backdoors, and mine crypto. The Register reports: React maintainers disclosed the critical bug on December 3, and exploitation began almost immediately. According to Amazon's threat intel team, Chinese government crews, including Earth Lamia and Jackpot Panda, started battering the security hole within hours of its disclosure. Palo Alto Networks' Unit 42 responders have put the victim count at more than 50 organizations across multiple sectors, with attackers from North Korea also abusing the flaw.
Google, in a late Friday report, said at least five other suspected PRC spy groups also exploited React2Shell, along with criminals who deployed XMRig for illicit cryptocurrency mining, and "Iran-nexus actors," although the report doesn't provide any additional details about who the Iran-linked groups are and what they are doing after exploitation. "GTIG has also observed numerous discussions regarding CVE-2025-55182 in underground forums, including threads in which threat actors have shared links to scanning tools, proof-of-concept (PoC) code, and their experiences using these tools," the researchers wrote.
Google, in a late Friday report, said at least five other suspected PRC spy groups also exploited React2Shell, along with criminals who deployed XMRig for illicit cryptocurrency mining, and "Iran-nexus actors," although the report doesn't provide any additional details about who the Iran-linked groups are and what they are doing after exploitation. "GTIG has also observed numerous discussions regarding CVE-2025-55182 in underground forums, including threads in which threat actors have shared links to scanning tools, proof-of-concept (PoC) code, and their experiences using these tools," the researchers wrote.
what is React2Shell? (Score:4, Insightful)
I just did a search, on both DuckDuckGO and Google, to find what it is and got pages of results only on this bloody exploit!
Re:what is React2Shell? (Score:4, Informative)
I just did a search, on both DuckDuckGO and Google, to find what it is and got pages of results only on this bloody exploit!
From what I checked this name specifically refers to the discovered set of vulnerabilities in the React proprietary client-server protocol, which (the bugs) allow for shell execution on a server.
Re:what is React2Shell? (Score:4, Informative)
That's because React2Shell *is* the exploit. That's what it's called. It's exploiting something called "React", which as near as I can tell is some sort of web server thing.
Re: (Score:2, Funny)
So wait...You searched for information about React2Shell and got pages of results about React2Shell, and yet, somehow, you still don't know what React2Shell is?
Re: (Score:1)
Re: (Score:1)
Re: what is React2Shell? (Score:1)
That's what it is. Your Google-fu is showing weakness.
Re: (Score:2)
Not even https://react2shell.com/ [react2shell.com] ?
Re: (Score:1)
Re: (Score:2)
Just a demo that shows React is crap. Like most "web frameworks" really. Almost all are gross KISS violations and that cannot go well.
Isn't a field day in China just... (Score:4, Funny)
it's the complexity, stupid (Score:5, Insightful)
Speaking as an old graybeard UI guy.... we have just come up with more and more complex solutions to the same old internet "one weird trick" of putting your information on someone else's computer.
Yeah, I remember "Server Side Rendering"... we called Java Servlets or JSPs or PHP or ASP. There were clear divisions of labors and boundaries were respected.
Even when we had to go to make everything feel like an app, at least RESTful stuff still had those boundaries.
Now that everyone needs the same code running front and back, and JS (I'm not a hater of JS by any means but still) stuff like this is bound to have happened.
Re:it's the complexity, stupid (Score:5, Interesting)
I don't have anything against JS, it's fine for manipulating webpages client side because it's the only standard option (fine, WASM, but realistically). Where I draw (drew?) the line is "let's run it on the server too!". That was a terrible idea. Then someone decided, hey, don't code that, use an npm that you have never read or validated. That was the terrible idea amongst terrible ideas. Now they've reached the apex of idea terribleness by letting LLMs write code that is never read, using npms that are never validated, on a server without a sandbox. I'm eagerly awaiting to see how they top this, might I suggest running the whole thing on Node using root?
Re: (Score:2, Informative)
Re: (Score:1)
> and yes you can keep running javascript in the server too.
You can, so long as you're very sure you've got all your API endpoints sufficiently protected. Honestly, it's just not worth the risk - you're better off running pretty much anything except Javascript to run your server-side API endpoints. NPM is something of the wild west, probably one of the most malware affected package managers there is, and the natural churn on there is so high that it's a full time job trying to keep up with updates - even
Re: (Score:2)
How about bundling Node and a snazzy GUI into an Electron [electronjs.org] app, and let end users run that as root? /s
Re: (Score:2)
Oh, you missed the whole kubernetes part of this equation. Almost all docker container services are designed to run as root on the insane notion that containerization on its own is sufficiently isolated.
Re: (Score:3)
But yes a lot of people are idiots and do not drop privileges on the end of their image build
Re: (Score:2)
Man I feel old, I remember the days when one wouldn't be caught dead having not anything at all against JS!
I imagine archaeologists of the future scratching their heads saying something like:
"What were those primitives thinking, not yet having anything for JS, the Double Helix Code of Zombotron The Magnificent! Savages! All Hail NPM!"
Re: (Score:2)
I'm still writing new software in .Net8 Winforms.
Now get off my lawn!
Re: (Score:2)
You must be new on this Internet if "server side rendering" to you is ASP and its clones and not SSI.
Ah, the good old days... Does anyone still remember the intern who used setuid on a shell script to generate the SSI output?
I think he is the father of the "react2shell" facebook dev...
Re: it's the complexity, stupid (Score:2)
This isn't server side rendering, this is server side execution of code defined on the client. Like the basis of 95% of web vulnerabilities. Sure, they've passed it through a few architectural layers to obfuscate the issue, but it boils down to trash design, trash architecture, and trash coders.
And if you're still vulnerable, your team is also trash.
Re: (Score:2)
I fully agree. Violate KISS and things will never get to a secure or reliable state. The "web framework" crowd does not seem to know that basic fact.
Re: (Score:1)
Hmmm... There's some merit to that argument, and I won't spend a single breath defending React.
On the other hand, if you're tasked with writing a browser client application of significant size and complexity, your choices are to use an off-the-shelf web framework, or write your own. If you decide to write your own, you're far from guaranteed to do a better job than the React, Angular, Vue, Svelte, or what-have-you people. You are guaranteed to spend a helluva lot more time though.
There are many problematic
Re: (Score:3)
Re: (Score:2)
but the biggest problem lies in the fact that they're being used in production by people who just took a 4 week full-stack developer bootcamp and have little understanding of the underlying protocols, security concerns, application layers and boundaries, or indeed software architecture in general.
Indeed. And that is the core problem when an engineering discipline cannot perform or cannot perform well: incompetence.
and USA, lets not forget USA (Score:2)