React2Shell Exposed: The Critical RCE Turning Modern Web Apps into Attack Platforms + Video

Introduction:

React2Shell represents a catastrophic failure in modern web application security—a CVSS 10.0, unauthenticated remote code execution vulnerability embedded within the React Server Components (RSC) architecture. Affecting default configurations of React 19 and Next.js applications, this flaw allows attackers to execute arbitrary code on servers with a single malicious HTTP request, triggering a global security emergency. PortSwigger’s rapid integration of native detection into Burp Suite provides security teams with a critical tool for identifying exposure in real-time.

Learning Objectives:

  • Understand the technical mechanism of the React2Shell vulnerability and its impact on the React Flight protocol.
  • Learn how to configure and use Burp Suite’s ActiveScan++ and custom Bambda checks to detect vulnerable applications.
  • Implement a comprehensive mitigation strategy, including immediate patching, system hardening, and threat hunting for post-exploitation activity.

1. Deconstructing the Vulnerability: From Deserialization to Remote Code Execution

Step‑by‑step guide explaining what this does and how to use it.

The core of React2Shell is an insecure deserialization flaw in the React Flight protocol. This protocol serializes React component trees to communicate between client and server. When a Server Action is invoked, client-side data is serialized and sent to the server. The vulnerability exists because the server-side deserializer fails to properly validate incoming object keys.

An attacker can craft a malicious HTTP POST request containing a polluted payload. By injecting forbidden JavaScript properties like __proto__, constructor, or prototype, they achieve Server-Side Prototype Pollution. When the poisoned object is processed, it triggers a “gadget chain” that allows the execution of arbitrary system commands on the server, leading to full remote code execution without authentication.

Why This is Critical: Unlike vulnerabilities that require misconfiguration, this works on default, out-of-the-box installations of React 19 and Next.js. The attack vector is simple, and public proof-of-concept exploits have demonstrated near-100% reliability.
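To make the deserialization flaw concrete, here is a constructed toy merge-style deserializer beside a hardened version. This is an added example, not React's Flight protocol code; the `mergeUnsafe`, `mergeSafe` and `demonstrate` names and the polluting payload are my own.

```javascript
// Constructed illustration of the bug class the article describes: a toy nested-object
// deserializer, NOT React's Flight protocol code. Both versions rebuild an object from
// client-supplied JSON; only the hardened one validates the incoming keys.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const isPlainObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Vulnerable: every key is trusted. For the key "__proto__", target[key] resolves to
// Object.prototype, so the recursion writes the supplied properties into the shared
// prototype and every object in the process inherits them.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: reject the keys that reach the prototype chain, and only descend into
// properties the target itself owns, using null-prototype containers for new nodes.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`rejected forbidden key: ${key}`);
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) {
        target[key] = Object.create(null);
      }
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs both versions against the same constructed payload and reports whether an
// unrelated, freshly created object ended up inheriting "isAdmin".
function demonstrate() {
  const payload = '{"user":{"name":"alice"},"__proto__":{"isAdmin":true}}';
  mergeUnsafe({}, JSON.parse(payload));
  const unsafeLeaked = ({}).isAdmin === true;   // true: the global prototype was polluted
  delete Object.prototype.isAdmin;              // undo it for the rest of this process
  let safeRejected = false;
  try { mergeSafe({}, JSON.parse(payload)); } catch { safeRejected = true; }
  return { unsafeLeaked, safeRejected, safeStillClean: ({}).isAdmin === undefined };
}
```

The same key check belongs in any code path that turns client-controlled keys into property writes, not only the top-level object.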

2. Weaponizing Burp Suite for React2Shell Detection

Burp Suite Professional and DAST have been updated with built-in checks for React2Shell (CVE-2025-55182 and CVE-2025-66478). You have two primary methods for detection:

Method 1: Using ActiveScan++ (Recommended)

This is the simplest approach for integrated scanning.

  1. Update Extensions: Ensure you have ActiveScan++ version 2.0.8 or later installed.
  2. Configure Scan: The React2Shell check is enabled by default in new scans. If you have a custom scan configuration, verify the check is added under the relevant audit checks.
  3. Run and Review: Initiate an active scan against your Next.js target. Burp will automatically test for the vulnerability, and any findings will be reported in the Dashboard with critical severity.

Method 2: Importing a Custom Bambda Check

For targeted, on-demand testing of specific endpoints.

  1. Download the Bambda: Obtain the community-created `.bambda` file from the official PortSwigger source.
  2. Import into Burp Suite Pro: Navigate to Extensions > Bambda library. Click Import, select the downloaded `.bambda` file, and click Open.
  3. Execute the Check: The custom check can now be run against selected requests from the site map or Repeater, providing focused validation.

3. Manual Detection and Environmental Analysis

While automated tools are efficient, manual verification is essential for comprehensive audits and understanding your exposure.

Step 1: Identify Vulnerable Packages

SSH into your server or container and navigate to your application’s root directory.

# Navigate to node_modules and list critical React RSC packages
# (-E is required for the | alternation; matches also include packages that merely depend on these)
cd /path/to/your/app
find ./node_modules -name "package.json" | xargs grep -lE "react-server-dom-webpack|react-server-dom-parcel|react-server-dom-turbopack" | head -5

Check the versions of installed packages. You are vulnerable if you have:

  • `react-server-dom-*` versions 19.0.0, 19.1.0, 19.1.1, or 19.2.0.
  • `next` versions within affected ranges (e.g., 15.0.0-15.0.4, 15.1.0-15.1.8, etc.).

Step 2: Analyze Network and System Logs

Search web server (e.g., Nginx, Apache) and application logs for exploitation signatures.

# Search for common exploit patterns in recent logs
# (the first command only works if your Nginx log format records these request headers)
sudo tail -1000 /var/log/nginx/access.log | grep -E '(next-action|rsc-action-id)' | grep POST
sudo journalctl -u your-app-service --since "2025-12-01" | grep -iE "500|Internal Server Error"

Look for anomalous processes spawned by the Node.js application, which is a strong indicator of compromise:

# On Linux, monitor for child processes of Node
ps aux | grep "node" | grep -v grep
# Check for unexpected shell or download commands from the Node PID (read the results with ausearch -k react2shell_check)
sudo auditctl -w /bin/sh -p x -k react2shell_check

4. The Adversary’s Playbook: Post-Exploitation Activity

Successful exploitation is never the end goal. Threat actors immediately leverage access for persistence, lateral movement, and data theft.

Initial Foothold & Discovery:

After code execution, attackers run commands to understand the environment:

# Common reconnaissance commands observed
whoami && id
uname -a
cat /etc/passwd
env | grep -i "aws|azure|google|key|secret"

Payload Deployment & Persistence:

Actors deploy a range of malware, from cryptominers to advanced backdoors.
  • Cryptocurrency Miners: XMRig is widely deployed for financial gain.
  • Backdoors & Tunnels: Advanced actors deploy tools like MINOCAT (a tunneler), SNOWLIGHT (a downloader for the VSHELL backdoor), and HISONIC (a backdoor using cloud services for C2).
  • Persistence Mechanisms: Attackers create cron jobs, systemd services, modify shell config files (.bashrc, .zshrc), and install remote management tools like MeshAgent.

Credential Harvesting & Cloud Pivot:

A primary post-exploitation objective is stealing cloud and service credentials.

# Commands to query cloud instance metadata services
# AWS
curl http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance
# Azure
curl -H "Metadata: true" http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/
# Google Cloud
curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token

Attackers also use tools like TruffleHog and Gitleaks to scan for secrets in filesystems and Git repositories.

5. Eradication and Hardening: The Definitive Patching Guide

Patching is the only complete remediation. Initial fixes were incomplete, so you must apply the latest definitive patches.

Step 1: Apply Framework-Level Patches

Update your dependencies to the secure versions. The required version depends on your current release line.

For Next.js, upgrade to the latest patched version for your major release:

# Example: If you are on Next.js 15.1.x, upgrade to 15.1.11
npm install next@15.1.11
# For Next.js 15.0.x (substitute the latest patched 15.0.x release)
npm install next@<latest-patched-15.0.x>
# For Next.js 16.0.x (substitute the latest patched 16.0.x release)
npm install next@<latest-patched-16.0.x>

For React itself and the RSC libraries, ensure they are updated:

npm install react@latest react-dom@latest react-server-dom-webpack@latest
# Or, depending on your bundler:
# npm install react-server-dom-parcel@latest
# npm install react-server-dom-turbopack@latest

Crucial Note: You must update to versions that address all related CVEs:
  • CVE-2025-55182 (RCE): Fixed in React 19.0.1, 19.1.2, 19.2.1.
  • CVE-2025-55184 & CVE-2025-67779 (Denial of Service): Require subsequent patches.
  • CVE-2025-55183 (Source Code Exposure): Fixed in React 19.2.2+.

Step 2: Implement Compensating Controls

While patching, deploy Web Application Firewall rules to block exploit patterns. For example, in Azure WAF, create custom rules to block requests containing known malicious strings like `"$@"` and `__proto__`.
Enable and review security alerts for related activity in your EDR, cloud security, and vulnerability management tools.

6. Hunting for Compromise in Your Environment

Assuming a breach, you must hunt for indicators of compromise (IOCs).

Network Hunting:

  1. Scan for Outbound Calls: Identify calls to known malicious C2 domains or IPs associated with post-exploitation tools (e.g., .trycloudflare.com, reactcdn.windowserrorapis[.]com).
  2. Analyze Payload Downloads: Look for `curl` or `wget` commands in logs downloading files from suspicious domains, especially to `/tmp/` or hidden directories like $HOME/.systemd-utils.

Endpoint Hunting on Linux:

# 1. Look for hidden files/directories and unusual permissions
find / -name ".*" -type f -exec ls -la {} \; 2>/dev/null | grep -v "/proc/"
# 2. Check for malicious cron jobs or systemd services
crontab -l
systemctl list-unit-files --type=service | grep enabled
ls -la /etc/systemd/system/
# 3. Look for processes hiding in memory via memfd_create (their /proc/PID/exe link points at a "memfd:" object, which ps does not show)
ls -l /proc/*/exe 2>/dev/null | grep "memfd:"

Endpoint Hunting on Windows:

# 1. Check for recently created or modified executable files in Temp directories
Get-ChildItem -Path $env:TEMP -Filter *.exe -Recurse -Force | Where-Object {$_.CreationTime -gt (Get-Date).AddDays(-7)}
# 2. Look for anomalous child processes of node.exe (-in handles more than one running node.exe)
Get-WmiObject Win32_Process | Where-Object {$_.ParentProcessId -in (Get-Process -Name node -ErrorAction SilentlyContinue).Id} | Select-Object Name, ProcessId, CommandLine

What Undercode Say:

The Perimeter is Everywhere: React2Shell obliterates the traditional network perimeter. An innocuous, standard web application framework component becomes a direct conduit to server-side execution, proving that the application layer itself is the new primary attack surface.
Speed is the New Currency in Defense: The integration of detection into a tool like Burp Suite within days of the exploit’s spread is not just convenient—it’s a necessary evolution. The window between vulnerability disclosure and mass exploitation has shrunk to near zero, making automated, toolchain-integrated detection a non-negotiable component of modern AppSec.

Prediction:

React2Shell will have a long-tail impact akin to Log4Shell, persisting in shadows for years. While mass cryptomining campaigns will dominate initial headlines, the most significant damage will come from advanced persistent threat (APT) groups who have quietly embedded backdoors into vulnerable systems during the initial chaos. We predict a surge in cloud credential theft and software supply chain attacks originating from these compromised applications over the next 12-18 months. Furthermore, the flaw’s location in a core serialization protocol will inspire a wave of offensive research into similar deserialization bugs across other JavaScript and web assembly frameworks, extending this vulnerability’s legacy far beyond the React ecosystem.

Reported By: Daniel Johnson – Hackers Feeds