Listen to this Post
Introduction:
A critical unauthenticated remote code execution vulnerability in React Server Components, designated CVE-2025-55182 and dubbed “React2Shell,” possesses a maximum CVSS score of 10.0. This vulnerability weaponizes the insecure deserialization of the Flight protocol, allowing an attacker to execute arbitrary code on a vulnerable server with a single, malicious HTTP POST request. In a concerning development, sophisticated threat actors have automated this exploitation at an unprecedented scale, utilizing Telegram bots for real-time hit tracking and AI tooling to orchestrate a campaign that has resulted in over 900 confirmed compromises.
Learning Objectives:
- Understand the technical mechanics of React2Shell and its exploitation via the Flight protocol.
- Analyze the operational structure of the “Bissa scanner” platform, including its AI-assisted workflow and Telegram-based notification system.
- Identify and apply critical patch management, network detection, and system hardening commands to protect against and respond to this threat.
You Should Know:
- Anatomy of the Attack: The AI-Assisted Bissa Scanner Campaign
An exposed server, acting as a command center, has revealed the sophisticated inner workings of a mass exploitation campaign dubbed “Bissa scanner.” Unlike opportunistic scanning, this platform was designed for structured, at-scale exploitation, staging, and validation. At its core was a dedicated module for React2Shell, which scanned millions of internet-facing targets to automatically confirm successful exploitation. The operator, using the public Telegram identity @BonJoviGoesHard, integrated AI assistance using Code and a tool called OpenClaw to troubleshoot, refine, and manage the complex exploitation pipeline.
The campaign’s efficiency was significantly heightened by its real-time tracking system. Runner scripts within the Bissa scanner harness were hardcoded with a Telegram bot token linked to the bot @bissapwned_bot. Each time the scanner confirmed a successful exploit, the bot dispatched a structured alert to the attacker’s private Telegram chat. This allowed the single operator to triage hundreds of breaches in near real-time from a messaging app, collecting vast amounts of credentials from compromised `.env` files, including keys for AWS, AI providers, and payment systems.
Step‑by‑Step Guide: How to Simulate and Detect Exploitation Attempts (Authorized Testing Only)
This guide is for educational and defensive purposes, using proof-of-concept tools to understand the attack.
Step 1: Set up a controlled, vulnerable test environment (e.g., a local Next.js app).
Step 2: Use an educational interactive shell to understand payload crafting.
The `react2shell-interactive` tool reveals the complexity of the exploit chain:
Clone and install the interactive PoC for educational research git clone https://github.com/NathanJ60/react2shell-interactive.git cd react2shell-interactive npm install Edit 'exploit.js' to set your TARGET_URL to your local test server node exploit.js
The tool provides commands like !test, !env, and shell commands (e.g., whoami) to demonstrate the RCE capabilities of CVE-2025-55182.
Step 3: Use a bulk scanner to understand the scale of automated exploitation.
The `React-Security-CVE-2025-55182-Exploit` script provides a lightweight PoC and scanner:
Clone the repository git clone https://github.com/sangleshubham/React-Security-CVE-2025-55182-Exploit.git cd React-Security-CVE-2025-55182-Exploit Scan a single target (ONLY use on your own systems) node react2shell.js http://localhost:3000 id Scan multiple targets from a file (ONLY use on your own systems) node react2shell.js http://localhost:3000 http://staging.example.com ls
This script uses advanced techniques like prototype pollution and redirect smuggling to reliably execute commands and exfiltrate output.
2. Hardening Your Defenses: A Proactive Mitigation Strategy
Given the active exploitation of CVE-2025-55182, immediate action is required. The vulnerability stems from insecure deserialization in React Server Components packages (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack) and impacts React 19.x and frameworks like Next.js. The core of remediation involves upgrading all affected packages and rebuilding your application from a clean state.
Step‑by‑Step Guide: Remediating React2Shell
Step 1: Identify and update vulnerable packages to secure versions.
Users should upgrade the affected packages to versions 19.0.2, 19.1.3, or 19.2.2 or higher. Next.js users need to upgrade to 15.0.5 or later for the 15.x branch.
Update core React packages npm install react@latest react-dom@latest Update specific server DOM packages npm install react-server-dom-webpack@latest npm install react-server-dom-parcel@latest npm install react-server-dom-turbopack@latest If you are using Next.js npm install next@latest
Step 2: Perform a clean rebuild of your application to eliminate any residual compromised artifacts.
This ensures that old, vulnerable dependencies are completely removed.
Clear the npm cache npm cache clean --force Remove the node_modules directory and package-lock.json rm -rf node_modules package-lock.json Perform a clean install using npm ci (preferred for CI/CD) npm ci Alternatively, use npm install for a fresh dependency tree npm install Rebuild the application completely npm run build
Following these steps, deploy the updates to all affected environments immediately.
3. Network and Endpoint Detection: Identifying React2Shell Footprints
Because patching can be complex, robust detection and monitoring are critical for identifying active exploitation attempts or post-compromise behavior.
Step‑by‑Step Guide: Monitoring for Indicators of Compromise (IOCs)
Step 1: Implement Web Application Firewall (WAF) rules to detect and block malicious Flight payloads.
As a temporary measure while patching, enable WAF rules that inspect for patterns associated with React2Shell exploitation. A specific detection rule, CORELIGHT EXPLOIT Next.js RSC RCE Exploit Attempt (CVE-2025-55182), identifies precise signatures like `[“$1:a:a”]` in request payloads.
Step 2: Monitor application logs for suspicious child processes.
Successful exploitation often results in a Node.js server process spawning an unusual child process. The Splunk detection `Linux Suspicious React or Next.js Child Process` is a strong indicator of compromise. Hunt for any instances of bash, sh, cmd.exe, or `powershell.exe` being spawned from a React or Next.js application server.
Step 3: Use specialized detection toolkits to scan your environment.
Tools like the `flight-risk` security toolkit allow for comprehensive scanning of GitHub orgs and GCP projects for vulnerable dependencies, and log correlation to pinpoint the exact HTTP request that triggered an RCE error.
Clone the flight-risk toolkit git clone https://github.com/joaoreis13/flight-risk.git cd flight-risk Install dependencies pip install -r react2shell-scanner/requirements.txt Perform a safe vulnerability detection on a target python3 react2shell-scanner/cli.py https://your-app.example.com Execute authorized command execution test (ONLY on your own systems) python3 react2shell-scanner/cli.py --method exec-cmd https://your-app.example.com "id"
- Post-Compromise Response: What to Do if You’re Breached
If you suspect that React2Shell has been successfully exploited in your environment, a rapid and structured response is necessary to contain the damage.
Step‑by‑Step Guide: Incident Response for React2Shell
Step 1: Immediately isolate the affected systems from the network to prevent further lateral movement or data exfiltration.
Step 2: Conduct a forensic audit of the compromised server. Focus on:
– Web Shells and Modified Files: Scan for any new, unfamiliar scripts or modified files in application directories.
– Outbound Connections: Analyze network traffic for unusual outbound connections to IP addresses not associated with normal application functionality.
– New User Accounts: Check for the creation of unauthorized user accounts with elevated privileges.
Step 3: Rotate all credentials and secrets.
Given that the Bissa scanner specifically harvested `.env` files for sensitive data, assume all environment variables, including API keys, database passwords, and cloud access tokens, are compromised. Revoke and rotate these secrets immediately.
Step 4: Implement the complete patching and hardening guide in Section 2 on a clean, rebuilt system before redeployment.
What Undercode Say:
- One breach, many tools: The React2Shell campaign perfectly illustrates the modern threat landscape: a single, high-impact vulnerability (CVE-2025-55182) combined with automated tooling (Bissa), real-time collaboration platforms (Telegram), and AI-assistance to execute a devastating campaign with minimal operator overhead.
- Shift in monitoring priorities: Defenders must look beyond simple vulnerability scanning and focus on runtime detection. Monitoring for anomalous child processes originating from your web-server process is no longer optional; it’s a critical control for identifying web application RCE in real time.
Prediction:
This campaign is likely a prototype for future mass-exploitation frameworks. The integration of AI agents for troubleshooting and orchestration will lower the bar for entry-level threat actors while dramatically increasing the speed and scale of advanced attacks. Expect to see more “exploit-as-a-service” platforms that commodity entire attack chains—from scanning to post-exploitation data staging—with Telegram bots used as low-cost, anonymous C2 channels. The next evolution will feature AI agents that can autonomously adapt exploits in real-time based on the target’s defensive responses.
▶️ Related Video (86% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Mayura Kathiresh – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
