React2Shell: Critical RCE Vulnerability (CVE-2025-55182) Under Mass Exploitation by State Actors and Criminals

Executive Summary

A critical unauthenticated remote code execution (RCE) vulnerability, tracked as CVE-2025-55182 and dubbed "React2Shell," is being actively and widely exploited in the wild. The vulnerability, which carries a maximum CVSS 10.0 score, affects the core of React Server Components (RSC) and impacts popular frameworks like Next.js. A diverse set of threat actors, including Chinese state-sponsored groups Earth Lamia and Jackpot Panda, North Korean APTs, and criminal botnets, are leveraging the flaw to deploy backdoors, ransomware enablement tools like Cobalt Strike, and infostealers. With hundreds of thousands of internet-facing systems vulnerable and exploitation trivial to execute, this represents one of the most significant security threats of the year. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added it to its Known Exploited Vulnerabilities (KEV) catalog with an accelerated patching deadline, underscoring the immediate risk to organizations globally.

Vulnerability Details

CVE-2025-55182, or React2Shell, is a deserialization vulnerability in the 'Flight' protocol used by React Server Components. The flaw originates in the way the core library parses server-bound requests, allowing an unauthenticated attacker to send a specially crafted HTTP request that triggers arbitrary code execution on the server with the privileges of the web application. No user interaction or prior access is required.

• Vulnerability Type: Insecure Deserialization (CWE-502)
• Attack Vector: Network
• Complexity: Low
• Privileges Required: None
• User Interaction: None

Affected Systems

The vulnerability impacts any public-facing application utilizing affected versions of frameworks that implement React Server Components. Key affected products include:

• React Server Components (versions 19.0.0, 19.1.0, 19.1.1, 19.2.0)
• Next.js
• React Router
• Waku
• Parcel RSC plugin
• Vite RSC plugin
• RedwoodJS

Security firm Shadowserver has identified over 165,000 unique IPs and 644,000 domains running vulnerable code, with a significant concentration in the United States.

Technical Analysis

Threat actors are exploiting CVE-2025-55182 for initial access and to establish a persistent foothold. The attack chain is direct and effective:

1. Scanning: Attackers use automated tools to scan the internet for vulnerable servers running affected versions of Next.js or other RSC-based frameworks.
2. Exploitation: A specially crafted HTTP POST request is sent to a vulnerable endpoint. The request body contains a serialized payload that, when processed by the server, executes an embedded command. This is a classic example of T1190 - Exploit Public-Facing Application.
3. Payload Delivery: The initial executed command typically involves a downloader, such as curl or wget, to fetch a second-stage payload from an attacker-controlled server (T1105 - Ingress Tool Transfer).
4. Execution & Persistence: The second-stage payload is executed, deploying various malware. Observed payloads include:
   • Backdoors: The North Korean campaign "Contagious Interview" has been observed deploying a new RAT named EtherRAT.
   • C2 Frameworks: Cobalt Strike beacons and the Sliver framework are being dropped for hands-on-keyboard access and lateral movement (T1219 - Remote Access Software).
   • Infostealers: Malware such as BeaverTail and OtterCookie have been deployed to steal credentials and other sensitive data.
   • Botnet Malware: Automated attacks are installing Mirai-style malware to enlist compromised servers into DDoS botnets (T1583.003 - Acquire Infrastructure: Botnet).

MITRE ATT&CK Mapping

Impact Assessment

The business impact of a successful React2Shell exploit is critical. Attackers gain full control over the compromised web server, leading to:

• Complete Data Compromise: Theft of application data, customer information, intellectual property, and credentials stored on the server.
• Ransomware Deployment: The initial access can be sold to or used by ransomware groups to encrypt the server and move laterally across the network.
• Infrastructure Hijacking: Compromised servers are being absorbed into botnets for DDoS attacks, causing reputational damage and potential legal liability.
• Watering Hole Attacks: Attackers can modify the web application to serve malware to its visitors, compromising end-users and customers.

Given that an estimated 50% of vulnerable instances remain unpatched, the window of opportunity for attackers is massive. The involvement of sophisticated state-sponsored actors indicates targeted attacks against high-value organizations, while the automated botnet activity places all vulnerable servers at immediate risk.

Cyber Observables for Detection

Security teams should proactively hunt for signs of compromise. These are not confirmed IOCs but high-confidence observables for detection:

Detection & Response

• Web Application Firewall (WAF): Deploy WAF rules to inspect incoming HTTP requests for patterns associated with React2Shell exploits. Many vendors have already released emergency signatures.
• Log Analysis (D3-NTA: Network Traffic Analysis): Scrutinize web server access logs for unusual POST requests, especially to endpoints related to RSC (e.g., /_next/flight). Look for requests with large, complex bodies or those originating from known malicious IPs or Tor exit nodes.
• Endpoint Detection and Response (EDR): Monitor web server processes (e.g., node) for anomalous behavior, such as spawning shell commands (/bin/sh), network utilities (curl, wget), or writing executable files to disk.
• Threat Hunting: Proactively hunt for the cyber observables listed above. Use the presence of vulnerable frameworks as a starting point for deeper investigation.

If a compromise is suspected, immediately isolate the affected server from the network to prevent lateral movement. Preserve logs, memory dumps, and disk images for forensic analysis before restoring from a known-good backup.

Mitigation

1. Patch Immediately (D3-SU: Software Update): This is the most critical action. Upgrade all applications using React or frameworks like Next.js to the latest patched versions. Do not delay.
2. Apply Virtual Patching: If immediate patching is not feasible, use a WAF with up-to-date signatures to block exploit attempts as a temporary compensating control.
3. Network Segmentation (D3-NI: Network Isolation): Restrict outbound internet access from web servers. They should only be allowed to communicate with specific, approved external services. This can prevent malware from downloading second-stage payloads or communicating with C2 servers.
4. Reduce Attack Surface: If possible, place vulnerable applications behind a VPN or enforce client certificate authentication to restrict access, reducing exposure to automated scanning.
5. Regular Vulnerability Scanning: Continuously scan external and internal assets to identify vulnerable instances of React-based applications before attackers do.