Listen to this Post

Introduction:
A critical vulnerability known as React2Shell (CVE-2025-55182) is being actively exploited in the wild, threatening countless React and Next.js applications with complete server takeover. With a maximum CVSS score of 10.0, this flaw in the React Server Components “Flight” protocol allows unauthenticated attackers to execute arbitrary code by sending a simple, malicious HTTP request. State-sponsored threat actors operationalized exploits within hours of disclosure, launching campaigns to steal credentials, deploy cryptominers, and establish backdoors.
Learning Objectives:
- Understand the technical mechanism of the React2Shell vulnerability and identify if your applications are at risk.
- Execute immediate patching procedures for React, Next.js, and affected frameworks.
- Implement detective and preventive controls to identify exploitation attempts and harden your environment against attack.
You Should Know:
- The Anatomy of a Critical Flaw: What is React2Shell?
The React2Shell vulnerability (CVE-2025-55182) is not a typical bug in application code, but a fundamental flaw in the React Server Components (RSC) “Flight” protocol, which handles communication between client and server. It is an unsafe deserialization vulnerability where the server incorrectly processes specially crafted RSC payloads. The exploit chains internal JavaScript objects to create a malicious promise-like structure; when the server’s deserialization logic automatically resolves this “promise,” it triggers the execution of attacker-controlled code.
Step-by-step guide explaining what this does and how to use it:
Step 1: Understand the Scope. This vulnerability affects the core `react-server-dom-` packages (versions 19.0, 19.1.0-1, 19.2.0) used for server-side rendering. Crucially, it impacts default configurations. A standard Next.js app created with `create-next-app` is vulnerable without any custom, insecure code from the developer.
Step 2: Identify Affected Frameworks. The vulnerability propagates to any framework or tool implementing RSC:
– Next.js (Primary Target): Versions 15.x, 16.x, and canary releases from 14.3.0-canary.77.
– Other Frameworks: React Router (RSC preview), Waku, RedwoodSDK, and bundler plugins for Vite and Parcel.
Step 3: Recognize the Attack Signature. Exploitation attempts are HTTP POST requests containing specific headers (next-action, rsc-action-id) and patterns in the body like `”$@”` or "status":"resolved_model".
2. Immediate Triage: Are You Vulnerable?
Before patching, you must identify all exposed assets. Wiz Research data indicates 39% of cloud environments contain vulnerable instances, with 44% of all environments having publicly exposed Next.js apps.
Step-by-step guide explaining what this does and how to use it:
Step 1: Manual Inventory Check. Examine your `package.json` files and build outputs.
Linux/macOS: Find package.json files and check for vulnerable versions
find . -name "package.json" -type f -exec grep -l "react-server-dom-webpack|react-server-dom-parcel|next" {} \;
Check installed versions in a project
npm list react-server-dom-webpack react-server-dom-parcel next
Step 2: Use Specialized Scanners. Leverage tools designed for this CVE.
– Online Scanner: Use the simple scanner mentioned in the original post: react2shellscanner . com.
– Burp Suite Professional/DAST: Ensure you have ActiveScan++ v2.0.8 installed, which includes dedicated React2Shell checks for Next.js apps.
– Dynamic Analysis with Dynatrace: Use Runtime Vulnerability Analytics or a custom DQL query to search for vulnerable software components across your estate.
Step 3: Review Logs for Scanning Activity. Check application and web server logs for the attack signatures mentioned above. Threat actors are conducting high-volume scans.
3. Critical Remediation: Patching Every Instance
There is no workaround. The only complete fix is to upgrade to patched versions. The React team released fixes in versions 19.0.1, 19.1.2, and 19.2.1 of the `react-server-dom-` packages.
Step-by-step guide explaining what this does and how to use it:
Step 1: Patch React Server Packages.
For non-Next.js React projects using RSC:
Update core React and the vulnerable server packages npm install react@latest react-dom@latest npm install [email protected] Or use the version corresponding to your major release (19.0.1, 19.1.2)
Step 2: Patch Next.js Applications. This is the most critical action. Next.js embeds the vulnerable code directly, so updating React alone is insufficient.
Upgrade to the latest patched version in your release line npm install [email protected] For 15.0.x npm install [email protected] For 15.1.x - 15.5.x npm install [email protected] For 16.0.x Use the official interactive patching tool npx fix-react2shell-next
Step 3: Patch Other Affected Frameworks. Follow framework-specific guidance:
– React Router: Upgrade React and related packages to latest.
– Waku: `npm install waku@latest react-server-dom-webpack@latest`
– Vite RSC Plugin: `npm install @vitejs/plugin-rsc@latest`
4. Cloud and Runtime Hardening
Patching takes time. Implement immediate, compensatory controls to protect unpatched systems while remediation is underway.
Step-by-step guide explaining what this does and how to use it:
Step 1: Deploy AWS WAF Rules. If using AWS, the `AWSManagedRulesKnownBadInputsRuleSet` (v1.24+) includes rules for this CVE. For other WAFs, create a custom rule to block HTTP requests containing the attack pattern `”status”:”resolved_model”` in the POST body.
Step 2: Harden Server Configuration. Restrict the Node.js process’s capabilities.
Linux: Run the Node process with minimal privileges Use a non-root user useradd -r -s /bin/false nodeapp Capabilities can be further limited with tools like capsh or container security profiles
Step 3: Rotate All Secrets. If an application was exposed on the internet while unpatched, assume compromise. Rotate all credentials: database passwords, API keys, cloud access keys, and environment variables.
5. Hunting for Exploitation and Post-Compromise Activity
Threat actors are not just scanning; they are achieving full RCE and moving laterally. Post-exploitation activities observed include credential harvesting from environment variables and the filesystem, and deployment of cryptominers like XMRig and the Sliver C2 framework.
Step-by-step guide explaining what this does and how to use it:
Step 1: Host-Based Indicator Hunting. Search servers for evidence of execution.
Linux: Check for suspicious processes and file creations ps aux | grep -E '(whoami|id|uname|curl|wget|sh -i)' | grep -v grep find /tmp /var/tmp -name ".txt" -o -name ".sh" -o -name "pwned" -type f 2>/dev/null Review shell history for all users for user in $(ls /home); do echo " $user "; tail -50 /home/$user/.bash_history 2>/dev/null; done
Step 2: Log-Based Detection. Ingest process execution logs (e.g., from Tetragon, auditd) into a SIEM and create alerts for suspicious child processes spawned from Node.js.
Example SIEM query logic (pseudocode)
process.parent.name == "node" AND process.name IN ("sh", "bash", "curl", "wget", "whoami", "id")
Step 3: Cloud Metadata & Credential Monitoring. Use cloud security tools to detect unusual calls to instance metadata services (e.g., AWS’s 169.254.169.254) or anomalous access patterns for cloud access keys, which may indicate exfiltration.
6. Building Long-Term Resilience for Your React Stack
This vulnerability highlights systemic risks in modern JavaScript frameworks. Adopt a secure-by-default development posture.
Step-by-step guide explaining what this does and how to use it:
Step 1: Integrate Security Testing. Shift left.
- SAST/SCA: Use tools like Corgea to flag unsafe patterns and vulnerable dependencies in CI/CD.
- DAST: Integrate Burp Suite DAST into pipelines for continuous scanning.
Example: Run npm audit as part of the CI pipeline npm audit --audit-level=critical
Step 2: Adopt Secure Coding Practices. Enforce React security best practices:
- Never use `dangerouslySetInnerHTML` on unsanitized user input.
- Validate and sanitize URLs before rendering.
- Keep dependencies, especially React and Next.js, consistently updated.
Step 3: Implement Robust Logging and Monitoring. Ensure all RSC-related endpoints and server-side actions are logged. Monitor for the absence of expected logs, which could indicate a killed process or blocked service.
7. Incident Response Preparation
Given the active exploitation, prepare your incident response (IR) playbook for this specific threat.
Step-by-step guide explaining what this does and how to use it:
Step 1: Pre-Identify Critical Assets. Maintain a real-time inventory of all internet-facing Next.js and React applications. Know their versions and owners.
Step 2: Create a Containment Playbook. Have step-by-step actions ready:
1. Network Containment: Isolate affected servers via security groups or firewall rules.
2. Forensic Image: Capture memory and disk images of potentially compromised systems.
3. Credential Rotation: Execute the planned secret rotation procedure.
Step 3: Establish Threat Intelligence Feeds. Monitor sources like the CISA KEV catalog (where this CVE is listed), AWS Security Bulletins, and vendor advisories for new IOCs and TTPs related to React2Shell.
What Undercode Say:
- The Vulnerability Window is Now Instantaneous. The timeline from public PoC release to exploitation by sophisticated state-nexus groups was measured in hours, not days. This shatters traditional patch timelines and demands automated, pre-emptive detection and response capabilities.
- Default Configuration is the New Attack Surface. The most alarming aspect is that a standard, unmodified `create-next-app` project was vulnerable. This means developers can inadvertently deploy critically vulnerable applications by following standard tutorials, placing immense responsibility on framework maintainers and shifting security left to the software supply chain.
Analysis:
React2Shell represents a paradigm shift in the threat landscape for modern web applications. Its impact is amplified by the sheer popularity of React and Next.js, the criticality of the flaw (CVSS 10.0), and the trivial effort required for exploitation. The observed post-exploitation behavior—credential harvesting and cryptomining—suggests that while initial attacks may be automated and opportunistic, they provide a firm foothold for more severe, targeted breaches. The involvement of groups like Earth Lamia and Jackpot Panda indicates that geopolitical cyber campaigns are immediately incorporating such high-value vulnerabilities into their arsenals. This event is a stark reminder that the security of foundational web frameworks is now a matter of national and organizational critical infrastructure.
Prediction:
The React2Shell vulnerability will follow a trajectory similar to Log4Shell, becoming a perennial entry point in attacker playbooks for years to come. We will see: 1) Weaponization in Ransomware Campaigns: Ransomware groups will incorporate this exploit for initial access, leading to widespread data encryption and extortion. 2) Botnet Consolidation: Compromised servers will be absorbed into large-scale botnets for DDoS and proxy networks. 3) Supply Chain Attacks: Attackers will use access to vulnerable development or build servers to inject malware into software artifacts, spreading the compromise to downstream users. The legacy of vulnerable, unpatched internet-facing React applications will create a long-tail security risk that defenders will be hunting for well into the future.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Hackersatyamrastogi React2shell – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


