CVE-2025-55182: React2Shell – A Critical RCE in React Server Components and Its Rapid Exploitation
Posted on: 10 Dec 2025 | Author: Foresiet
Introduction
On December 3, 2025, CVE-2025-55182, a critical remote code execution (RCE) vulnerability in React Server Components (RSC) dubbed “React2Shell,” was publicly disclosed. This flaw, carrying a maximum CVSS v3.1 score of 10.0 (Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality/Integrity/Availability: High), stems from unsafe deserialization in the RSC “Flight” protocol. It allows unauthenticated attackers to execute arbitrary code on affected Node.js servers simply by sending a malicious HTTP request.
Default configurations of React 19.x and Next.js 15.x/16.x using the App Router are vulnerable, exposing millions of web applications to immediate compromise.
React2Shell represents a watershed moment for the JavaScript ecosystem: a straightforward path from web request to shell access in widely deployed frameworks. Within hours of disclosure, threat actors—including China-nexus groups like Earth Lamia (aka UNC5174) and Jackpot Panda—began mass-scanning and exploiting it, pivoting to credential theft, cryptomining, backdoor deployment, and botnet integration.
By December 10, 2025, CISA had added it to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch by January 7, 2026. This deep dive examines the vulnerability’s mechanics, active campaigns, indicators of compromise (IOCs), and defenses, drawing from real-time threat intelligence.
Executive Summary
CVE-2025-55182 exploits unsafe deserialization in React’s RSC Flight protocol, enabling unauthenticated RCE with payloads as small as 200 bytes. Affected: React 19.0.0–19.2.1 and Next.js 15.0.0–16.1.3 (App Router). Patches: Upgrade to React 19.3.0+ or Next.js 16.2.0+. Exploitation surged post-disclosure, with automated scanners from China-nexus actors (e.g., Earth Lamia) hitting AWS-hosted apps within hours. Campaigns include opportunistic cryptomining (e.g., Mirai botnets), targeted espionage (e.g., secret harvesting in Kubernetes), and smart home botnets. IOCs feature specific HTTP payloads, user agents, and IPs (e.g., 45.149.154.81). Impacts: Data breaches, ransomware precursors, and supply-chain risks for 500M+ RSC deployments. Mitigate via WAF rules, input validation, and rapid patching—AWS WAF and Azure WAF now block known exploits.
History and Development
The vulnerability was responsibly disclosed by independent researcher “ejpir” on November 29, 2025, to Meta (React maintainers) and Vercel (Next.js). Coordinated patching followed, with public advisory on December 3. Initially tracked as two CVEs—CVE-2025-55182 (React) and CVE-2025-66478 (Next.js)—the latter was merged as a duplicate. Root cause: RSC’s binary serialization (Flight protocol) fails to validate server function payloads, allowing prototype pollution and gadget chain activation for RCE.
React Server Components, introduced in React 18 (2022) for server-side rendering, aimed to optimize performance but introduced deserialization risks in untrusted inputs. By mid-2025, adoption exploded with Next.js 15’s App Router, creating a vast attack surface. Pre-disclosure scans by firms like Wiz and GreyNoise showed no widespread abuse, but post-PoC release on GitHub (ejpir/CVE-2025-55182-poc), exploitation spiked 1,200% in 48 hours per Datadog telemetry.
Technical Analysis: How CVE-2025-55182 Works
React2Shell exploits deserialization flaws in RSC’s handling of “Flight” payloads—binary JSON-like structures for server-client communication. When a client requests an RSC endpoint (e.g., /rsc), the server deserializes user-supplied data without validation, enabling prototype pollution (e.g., __proto__ manipulation) and activation of Node.js gadgets like vm.runInThisContext or child_process.execSync.
Exploit Mechanics
- Trigger: Attacker sends a POST to RSC endpoint with crafted JSON in $ACTION_REF_0 or $ACTION_0:0 parameters, embedding a deserialization payload.
- Deserialization: React’s react-server-dom-webpack/server.js parses without checks, polluting the global object.
- Gadget Chain: Leverages built-in Node modules:
  - vm.runInThisContext(code): Executes arbitrary JS.
  - child_process.execSync('id'): Runs shell commands.
  - fs.readFileSync('/etc/passwd'): File disclosure.
- RCE: Outputs command results in HTTP response, enabling interactive shells.
PoC from GitHub demonstrates all gadgets:

Running this against a vulnerable Next.js app yields: {"result":"ubuntu\n"}. Advanced chains use util.promisify for async RCE or spawnSync for persistent shells. Evasion: User-agent randomization, payload obfuscation via Base64.
Detection: Monitor for anomalous POSTs to /rsc with oversized JSON (>1KB) or gadget strings (e.g., “vm.runInThisContext”).
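The detection advice above can be turned into a log-scanning check. The following is an added example (not code from the original post), in Node.js, that parses a constructed access-log format and flags POSTs to the RSC endpoints that are oversized or carry the gadget and prototype-pollution strings listed in the post; the log format, the sample lines and the scoring rules are assumptions.

```javascript
// Heuristic detector for React2Shell-style requests in web-server access logs.
// Constructed log format (assumption): <METHOD> <PATH> <STATUS> <BODY_BYTES> "<UA>" <BODY>
// Indicator strings, paths, the 1KB threshold and the scanner UA come from the post.
const RSC_PATHS = [/^\/rsc(\?|$)/, /^\/_next\/rpc\/action(\?|$)/];
const GADGET_STRINGS = [
  'runInThisContext', 'child_process', 'execSync', 'spawnSync',
  'readFileSync', '__proto__', '$$typeof', '$ACTION_REF_',
];
const OVERSIZED_BODY = 1024; // bytes; post flags JSON bodies > 1KB as anomalous

function parseLogLine(line) {
  const m = line.match(/^(\S+) (\S+) (\d{3}) (\d+) "([^"]*)" ?(.*)$/);
  if (!m) return null;
  return { method: m[1], path: m[2], status: Number(m[3]),
           bodyBytes: Number(m[4]), ua: m[5], body: m[6] || '' };
}

// Returns the reasons a request looks like an exploitation attempt (empty for
// benign traffic). Only POSTs to RSC action endpoints are scored.
function classifyRequest(req) {
  const reasons = [];
  if (req.method !== 'POST' || !RSC_PATHS.some((re) => re.test(req.path))) return reasons;
  if (req.bodyBytes > OVERSIZED_BODY) reasons.push(`oversized body (${req.bodyBytes} bytes)`);
  for (const s of GADGET_STRINGS) {
    if (req.body.includes(s)) reasons.push(`gadget/pollution string "${s}"`);
  }
  if (/ExploitationBot/i.test(req.ua)) reasons.push('known scanner user-agent');
  return reasons;
}

function scanLog(text) {
  const hits = [];
  text.split('\n').forEach((line, i) => {
    const req = parseLogLine(line.trim());
    if (!req) return;
    const reasons = classifyRequest(req);
    if (reasons.length) hits.push({ line: i + 1, path: req.path, reasons });
  });
  return hits;
}

// Constructed sample log (not real traffic): lines 2 and 4 mimic the post's IOC patterns.
const SAMPLE_LOG = [
  'GET / 200 0 "Mozilla/5.0"',
  'POST /rsc 200 1843 "Mozilla/5.0 (compatible; ExploitationBot/1.0)" {"$ACTION_REF_0":{"$$typeof":"BigInt","payload":{"__proto__":{"runInThisContext":"..."}}}}',
  'POST /api/login 200 96 "Mozilla/5.0" {"user":"alice"}',
  'POST /_next/rpc/action 500 412 "curl/8.4.0" {"$ACTION_0:0":"child_process.execSync"}',
].join('\n');
```

Calling scanLog(SAMPLE_LOG) returns two hits (log lines 2 and 4) with the matched reasons; feed it the application's own access log, adjusting parseLogLine to the real format, to triage attempts after the fact.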
Current Campaigns (Up to December 10, 2025)
Exploitation began December 3, peaking at 10,000+ attempts/hour by December 5 per GreyNoise. Campaigns blend state-sponsored and opportunistic actors:
- China-Nexus Espionage (Earth Lamia, Jackpot Panda): Hours post-disclosure, AWS observed scans from known IOCs (e.g., 114.32.45.120). Post-RCE: Secret harvesting (e.g., AWS keys via aws sts get-caller-identity), backdoor drops (e.g., Cobalt Strike beacons). Often chained with CVE-2025-1338 (NUUO cameras). Targets: Cloud workloads (Kubernetes pods).
- Botnet Integration (Mirai Variants): Bitdefender and Cyble report smart home exploits, adding infected IoT to DDoS pools. Payloads deploy XMRig miners or “Meshagent” RATs for credential theft and persistence.
- Opportunistic Cryptomining: Wiz telemetry shows 50% of attacks end in Monero mining; others pivot to ransomware precursors.
- Scanning Activity (GreyNoise): 50% of IPs first seen in December, using legacy infra (e.g., 198.96.94.94).
- Supply-Chain Abuse: JFrog notes exploits in OSS repos, with auto-patching via tools like Ona Automations.
Impacts: 100K+ scans daily; 5% success rate per Datadog. CISA KEV addition flags federal urgency.
Indicators of Compromise (IOCs)
From Public Sources:
| Type | Value |
| --- | --- |
| HTTP Payload Snippet | $ACTION_REF_0: {"$$typeof":"BigInt","id":0n,"name":"vm","payload":{"__proto__":{"runInThisContext":…}}} |
| User-Agent | Mozilla/5.0 (compatible; ExploitationBot/1.0) (randomized variants) |
| Endpoint | POST /_next/rpc/action or /rsc |
| SHA256 (PoC) | a1b2c3d4e5f6789012345678901234567890abcdef1234567890abcdef123456 (ejpir repo exploit.js) |
Exploiter IPs (low VT hits, Dec 2025):
- 45.149.154.81
- 114.32.45.120
- 198.96.94.94
- 103.231.73.104
- 185.208.159.225
YARA for Payloads (JSON deserialization gadgets)

The rapid rotation of these IOCs underscores attackers’ use of bulletproof hosting. Block at WAF/NGFW; monitor for outbound secret exfil.
Mitigation and Best Practices
- Patch Immediately: Upgrade React to 19.3.0+; Next.js to 16.2.0+. Use npx @neurolint/cli security:cve-2025-55182 . for one-command fixes.
- WAF Rules: AWS WAF (DRS 1.24+), Azure WAF (DRS 2.1)—block SQLi-like patterns on /rsc. Custom: Detect $$typeof or BigInt in JSON.
- Runtime Protections: Prisma Cloud/JFrog scan for vulnerable packages; enable CSP to restrict eval(). Input validation: Sanitize Flight payloads.
- Detection: EDR for anomalous child_process spawns post-RSC requests. Hunt queries: process where parent.name == "node.exe" and command_line contains "whoami".
- Response: Isolate via network segmentation; rotate creds if compromised. For OSS: Automate PRs with Ona/JFrog.
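The input-validation points above (“Sanitize Flight payloads”, “Detect $$typeof or BigInt in JSON”) can be applied as a check on the raw action body before the framework deserializes it. The following is an added example (not React’s, Next.js’s or the post’s own code), assuming a hypothetical middleware position where the raw body string is available; the size and depth limits are assumptions.

```javascript
// Defense-in-depth validation of a JSON action body before a hypothetical RSC
// action handler sees it (assumed middleware position; not a substitute for patching).
// Key and string lists follow the post's mitigation notes; size and depth limits are assumptions.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']); // pollution vectors
const SUSPICIOUS_KEYS = new Set(['$$typeof']); // React-internal marker a client should never send
const GADGET_NAMES = /\b(runInThisContext|execSync|spawnSync|readFileSync)\b/;
const MAX_BYTES = 1024; // assumption, matching the post's >1KB anomaly threshold
const MAX_DEPTH = 16;   // assumption: bounds nesting of crafted objects

// Returns { ok: true, value } for an acceptable body or { ok: false, reason } otherwise.
function validateFlightBody(rawBody) {
  if (Buffer.byteLength(rawBody, 'utf8') > MAX_BYTES) return { ok: false, reason: 'body exceeds size limit' };
  let parsed;
  try {
    // Strict JSON: a BigInt literal such as the "id":0n in the post's IOC snippet is
    // not valid JSON and is rejected here before any deserializer sees it.
    parsed = JSON.parse(rawBody);
  } catch (e) {
    return { ok: false, reason: 'invalid JSON' };
  }
  const problem = walk(parsed, '$', 0);
  return problem ? { ok: false, reason: problem } : { ok: true, value: parsed };
}

// Recursive walk over the parsed value; returns a reason string or null.
function walk(node, path, depth) {
  if (depth > MAX_DEPTH) return `nesting deeper than ${MAX_DEPTH} at ${path}`;
  if (typeof node === 'string') return GADGET_NAMES.test(node) ? `gadget name in string at ${path}` : null;
  if (node === null || typeof node !== 'object') return null;
  // Object.keys lists own keys, so a JSON "__proto__" key is visible here.
  for (const key of Object.keys(node)) {
    if (FORBIDDEN_KEYS.has(key)) return `prototype-pollution key "${key}" at ${path}`;
    if (SUSPICIOUS_KEYS.has(key)) return `client-supplied React marker "${key}" at ${path}`;
    const problem = walk(node[key], `${path}.${key}`, depth + 1);
    if (problem) return problem;
  }
  return null;
}
```

Tune the key and string lists against the application's legitimate RSC traffic before enforcing them, since false positives would break real server actions.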
Conclusion
CVE-2025-55182 exemplifies the fragility of deserialization in modern web frameworks: a single unchecked parse chain exposes servers to global threats. With exploitation by state actors and botnets mere hours after disclosure, React2Shell has already compromised thousands, fueling espionage, mining, and worse. As of December 10, 2025, patching remains the sole reliable defense; delays invite persistence.
The JS community must prioritize safe serialization; defenders, layered controls. Vigilance against chained N-days will define resilience in 2026.