React2Shell Apocalypse: CVSS 10.0 Flaw Exploited by China, North Korea, and Botnets
React2Shell: Critical RCE Vulnerability (CVE-2025-55182) Under Mass Exploitation by State Actors and Criminals
Related Entities(initial)
Threat Actors
Organizations
Products & Tech
Other
CVE Identifiers
Full Report(when first published)
Executive Summary
A critical unauthenticated remote code execution (RCE) vulnerability, tracked as CVE-2025-55182 and dubbed "React2Shell," is being actively and widely exploited in the wild. The vulnerability, which carries a maximum CVSS 10.0 score, affects the core of React Server Components (RSC) and impacts popular frameworks like Next.js. A diverse set of threat actors, including Chinese state-sponsored groups Earth Lamia and Jackpot Panda, North Korean APTs, and criminal botnets, are leveraging the flaw to deploy backdoors, ransomware enablement tools like Cobalt Strike, and infostealers. With hundreds of thousands of internet-facing systems vulnerable and exploitation trivial to execute, this represents one of the most significant security threats of the year. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added it to its Known Exploited Vulnerabilities (KEV) catalog with an accelerated patching deadline, underscoring the immediate risk to organizations globally.
Vulnerability Details
CVE-2025-55182, or React2Shell, is a deserialization vulnerability in the 'Flight' protocol used by React Server Components. The flaw originates in the way the core library parses server-bound requests, allowing an unauthenticated attacker to send a specially crafted HTTP request that triggers arbitrary code execution on the server with the privileges of the web application. No user interaction or prior access is required.
- Vulnerability Type: Insecure Deserialization (CWE-502)
- Attack Vector: Network
- Complexity: Low
- Privileges Required: None
- User Interaction: None
Affected Systems
The vulnerability impacts any public-facing application utilizing affected versions of frameworks that implement React Server Components. Key affected products include:
- React Server Components (versions 19.0.0, 19.1.0, 19.1.1, 19.2.0)
- Next.js
- React Router
- Waku
- Parcel RSC plugin
- Vite RSC plugin
- RedwoodJS
Security firm Shadowserver has identified over 165,000 unique IPs and 644,000 domains running vulnerable code, with a significant concentration in the United States.
Technical Analysis
Threat actors are exploiting CVE-2025-55182 for initial access and to establish a persistent foothold. The attack chain is direct and effective:
- Scanning: Attackers use automated tools to scan the internet for vulnerable servers running affected versions of Next.js or other RSC-based frameworks.
- Exploitation: A specially crafted HTTP POST request is sent to a vulnerable endpoint. The request body contains a serialized payload that, when processed by the server, executes an embedded command. This is a classic example of
T1190 - Exploit Public-Facing Application. - Payload Delivery: The initial executed command typically involves a downloader, such as
curlorwget, to fetch a second-stage payload from an attacker-controlled server (T1105 - Ingress Tool Transfer). - Execution & Persistence: The second-stage payload is executed, deploying various malware. Observed payloads include:
- Backdoors: The North Korean campaign "Contagious Interview" has been observed deploying a new RAT named EtherRAT.
- C2 Frameworks: Cobalt Strike beacons and the Sliver framework are being dropped for hands-on-keyboard access and lateral movement (
T1219 - Remote Access Software). - Infostealers: Malware such as BeaverTail and OtterCookie have been deployed to steal credentials and other sensitive data.
- Botnet Malware: Automated attacks are installing Mirai-style malware to enlist compromised servers into DDoS botnets (
T1583.003 - Acquire Infrastructure: Botnet).
MITRE ATT&CK Mapping
| Tactic | Technique ID | Name | Description |
|---|---|---|---|
| Initial Access | T1190 |
Exploit Public-Facing Application | Attackers are exploiting the React2Shell vulnerability on internet-facing web servers. |
| Execution | T1059.007 |
Command and Scripting Interpreter: JavaScript | The vulnerability is triggered via server-side JavaScript execution through the deserialization flaw. |
| Command and Control | T1071.001 |
Application Layer Protocol: Web Protocols | Malware like Cobalt Strike and EtherRAT use HTTP/S for C2 communications. |
| Defense Evasion | T1574.002 |
Hijack Execution Flow: DLL Side-Loading | While not explicitly mentioned for React2Shell, this is a common follow-on TTP used by Cobalt Strike. |
| Impact | T1498 |
Network Denial of Service | Mirai-style botnets are being installed for future DDoS attacks. |
Impact Assessment
The business impact of a successful React2Shell exploit is critical. Attackers gain full control over the compromised web server, leading to:
- Complete Data Compromise: Theft of application data, customer information, intellectual property, and credentials stored on the server.
- Ransomware Deployment: The initial access can be sold to or used by ransomware groups to encrypt the server and move laterally across the network.
- Infrastructure Hijacking: Compromised servers are being absorbed into botnets for DDoS attacks, causing reputational damage and potential legal liability.
- Watering Hole Attacks: Attackers can modify the web application to serve malware to its visitors, compromising end-users and customers.
Given that an estimated 50% of vulnerable instances remain unpatched, the window of opportunity for attackers is massive. The involvement of sophisticated state-sponsored actors indicates targeted attacks against high-value organizations, while the automated botnet activity places all vulnerable servers at immediate risk.
Cyber Observables for Detection
Security teams should proactively hunt for signs of compromise. These are not confirmed IOCs but high-confidence observables for detection:
| Type | Value | Description | Context | Confidence |
|---|---|---|---|---|
| url_pattern | __RSC__ |
The presence of __RSC__ in URL paths or query parameters is indicative of React Server Components usage. |
Web server logs, WAF logs, proxy logs. | high |
| url_pattern | /_next/flight |
Default endpoint for Next.js Flight protocol requests. Monitor for anomalous POST requests. | Web server logs, WAF logs. | high |
| process_name | node |
Monitor node processes for suspicious child processes like sh, bash, curl, wget. |
EDR, Sysmon (Event ID 1). | high |
| command_line_pattern | curl -o /tmp/ |
Look for curl or wget commands downloading files to temporary directories from web server processes. |
EDR, Auditd, Sysmon (Event ID 1). | high |
| network_traffic_pattern | Outbound connections from web server to unknown IPs |
Web servers should generally not initiate outbound connections to arbitrary internet IPs. | Firewall logs, NetFlow, Zeek. | medium |
Detection & Response
- Web Application Firewall (WAF): Deploy WAF rules to inspect incoming HTTP requests for patterns associated with React2Shell exploits. Many vendors have already released emergency signatures.
- Log Analysis (D3-NTA: Network Traffic Analysis): Scrutinize web server access logs for unusual POST requests, especially to endpoints related to RSC (e.g.,
/_next/flight). Look for requests with large, complex bodies or those originating from known malicious IPs or Tor exit nodes. - Endpoint Detection and Response (EDR): Monitor web server processes (e.g.,
node) for anomalous behavior, such as spawning shell commands (/bin/sh), network utilities (curl,wget), or writing executable files to disk. - Threat Hunting: Proactively hunt for the cyber observables listed above. Use the presence of vulnerable frameworks as a starting point for deeper investigation.
If a compromise is suspected, immediately isolate the affected server from the network to prevent lateral movement. Preserve logs, memory dumps, and disk images for forensic analysis before restoring from a known-good backup.
Mitigation
- Patch Immediately (D3-SU: Software Update): This is the most critical action. Upgrade all applications using React or frameworks like Next.js to the latest patched versions. Do not delay.
- Apply Virtual Patching: If immediate patching is not feasible, use a WAF with up-to-date signatures to block exploit attempts as a temporary compensating control.
- Network Segmentation (D3-NI: Network Isolation): Restrict outbound internet access from web servers. They should only be allowed to communicate with specific, approved external services. This can prevent malware from downloading second-stage payloads or communicating with C2 servers.
- Reduce Attack Surface: If possible, place vulnerable applications behind a VPN or enforce client certificate authentication to restrict access, reducing exposure to automated scanning.
- Regular Vulnerability Scanning: Continuously scan external and internal assets to identify vulnerable instances of React-based applications before attackers do.
Timeline of Events
Article Updates
December 21, 2025
New exploitation campaigns for React2Shell (CVE-2025-55182) observed, deploying XMRig crypto miners and COMPOOD backdoor, targeting SaaS/eCommerce in Australia.
Update Sources:
MITRE ATT&CK Mitigations
Update Software
The primary mitigation is to update all affected React-based applications to a patched version that resolves the deserialization flaw.
Mapped D3FEND Techniques:
Network Intrusion Prevention
Use a Web Application Firewall (WAF) or IPS with signatures to detect and block exploit attempts against CVE-2025-55182.
Run web applications in containerized or sandboxed environments to limit the impact of a successful RCE exploit and prevent access to the underlying host.
Mapped D3FEND Techniques:
Restrict outbound network access from web servers to prevent them from connecting to attacker C2 servers or downloading additional malware.
Mapped D3FEND Techniques:
D3FEND Defensive Countermeasures
The most effective and urgent defense against React2Shell is to apply the security patches provided by the framework maintainers. Organizations must immediately identify all applications using vulnerable versions of React Server Components, Next.js, and other affected libraries. Prioritize public-facing applications, as they are the direct target of these unauthenticated attacks. Use package manager commands (e.g., npm outdated, yarn outdated) or a Software Bill of Materials (SBOM) tool to discover vulnerable dependencies across all codebases. The update process should be managed through a standardized patch management workflow: test the update in a staging environment to ensure no breaking changes, then deploy to production as quickly as possible. Given the active, widespread exploitation, this should be treated as an emergency change, bypassing normal change windows if necessary. Verifying the patch can be done by checking the installed package version post-deployment.
As a critical compensating control, especially if patching is delayed, organizations must implement inbound traffic filtering via a Web Application Firewall (WAF). Most major WAF providers (Cloudflare, Akamai, AWS WAF, etc.) have released virtual patch signatures that can detect and block the specific HTTP request patterns used to exploit CVE-2025-55182. Ensure your WAF is in blocking mode, not just logging mode, for these rules. The rules should be applied to all internet-facing web properties, particularly those built with Next.js or other React frameworks. The filter should inspect the body of POST requests to endpoints like /_next/flight for malicious serialized object patterns. This acts as a shield, preventing the malicious request from ever reaching the vulnerable application code. While highly effective, this should be seen as a temporary measure until the underlying vulnerability can be patched.
To detect a successful compromise, security teams must perform continuous process analysis on web servers. An EDR solution is ideal for this. Configure detection rules to alert when the web server process (e.g., node.exe on Windows, node on Linux) spawns unexpected child processes. In the context of React2Shell, this would include shells (sh, bash, cmd.exe, powershell.exe) and network utilities (curl, wget). Establishing a baseline of normal process behavior is key. A Node.js application server should not be spawning these types of processes during normal operation. An alert on this behavior is a high-fidelity indicator of post-exploitation activity. This D3FEND technique is crucial for detecting the attack after the initial exploit, providing a critical opportunity to initiate incident response before the attacker can achieve their objectives, such as deploying ransomware or exfiltrating data.
Sources & References(when first published)
Article Author
Jason Gomes
• Cybersecurity PractitionerCybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Tags
📢 Share This Article
Help others stay informed about cybersecurity threats