Contextualize Prioritize and ACT ON RISK
Login
Get Access
Demo

blog

React2Shell CVE-2025-55182 Exploitation update, In-the-Wild Abuse, and the Patch-Again Reality

react2shell, cve-2025-55182, cve 2025 55182, react server components vulnerability, react server components rce, react flight protocol, react flight deserialization, react server actions security, react server functions vulnerability, next.js react2shell, next.js app router vulnerability, next.js server actions rce, react server dom webpack, react server dom turbopack, react server dom parcel, react-server-dom-webpack vulnerability, react-server-dom-turbopack vulnerability, react-server-dom-parcel vulnerability, cve-2025-55184, cve-2025-67779, cve-2025-55183, react server components dos, react server functions source code exposure, react rsc dos, next.js 13 dos vulnerability, next.js 14 dos vulnerability, patch again react2shell, react2shell exploitation in the wild, react2shell iocs, react2shell scanner, detect react2shell, react2shell mitigation, react2shell patch guidance, react2shell vulnerable versions, react2shell fixed versions, react2shell rce detection, react2shell waf rules, react2shell incident response, react2shell post exploitation, xmrig after react2shell, cloud credential harvesting react2shell,

There are tons of articles that describe CVE-2025-55182 (React2Shell), and we have an analysis of the first attack originally named Freight Night, then followed up on and official name React2Shell. This article focuses on the technical anomalies, how attackers can leverage the vulnerabilities, and how they could combine the follow-on vulnerabilities  (CVE-2025-55184, CVE-2025-67779, CVE-2025-55183).

TL;DR for engineering teams

  • What it is: Unauthenticated remote code execution in React Server Components deserialization, tracked as CVE-2025-55182 (React2Shell) with CVSS 10.0.
  • Where it bites: RSC stacks using the vulnerable packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack.
  • Why it spread quickly: Next.js App Router makes the RSC path widely accessible; defenders saw immediate probing waves after public PoCs circulated.
  • Patch status (two phases):
    • RCE fixed: upgrade to 19.0.1 / 19.1.2 / 19.2.1 for the affected react-server-dom-* packages.
    • Follow-ups fixed: upgrade again to 19.0.3 / 19.1.4 / 19.2.3 to cover CVE-2025-55184, CVE-2025-67779, CVE-2025-55183. The interim patch releases were incomplete.

Determine if You’re Affected by react2shell CVE-2025-55182

How to detect if you are affected by react2shell, cve-2025-55182, cve 2025 55182, react server components vulnerability, react server components rce, react flight protocol, react flight deserialization, react server actions security, react server functions vulnerability, next.js react2shell, next.js app router vulnerability, next.js server actions rce, react server dom webpack, react server dom turbopack, react server dom parcel, react-server-dom-webpack vulnerability, react-server-dom-turbopack vulnerability, react-server-dom-parcel vulnerability, cve-2025-55184, cve-2025-67779, cve-2025-55183, react server components dos, react server functions source code exposure, react rsc dos, next.js 13 dos vulnerability, next.js 14 dos vulnerability, patch again react2shell, react2shell exploitation in the wild, react2shell iocs, react2shell scanner, detect react2shell, react2shell mitigation, react2shell patch guidance, react2shell vulnerable versions, react2shell fixed versions, react2shell rce detection, react2shell waf rules, react2shell incident response, react2shell post exploitation, xmrig after react2shell, cloud credential harvesting react2shell, ASPM, Phoenix Security, Exploitation methods, Application Security Posture Management

Use this as a fast triage checklist for application security and vulnerability management teams.

  1. Do you run React on a server with RSC enabled?
    • If you do server-rendered React and RSC is in play, assume yes.
      Search your lockfiles for the vulnerable packages and versions
      – Scan with Phoenix Security Scanner (SCA+SBOM Scanner, or Open Source Scanner), or External Scanner (Phoenix Open Source or Phoenix EASM) 
    • react-server-dom-webpack
    • react-server-dom-parcel
    • react-server-dom-turbopack
  2. Confirm whether your framework bundles the server implementation
    • Next.js is the obvious one, but RSC-capable stacks and plugins can carry these dependencies indirectly.
  3. Map exposure
    • Identify which services expose RSC-related endpoints externally (this happens automatically with Phoenix-Security)
    • Prioritize public-facing workloads, then internal apps reachable from untrusted networks.
  4. How ASPM can help remediate and identify who owns which vulnerability
  • Correlate the vulnerable component to runtime deployments, owners, and routes. If you cannot answer “where is this running,” you are already behind. 
  • Attribute the right vulnerability to the right owner 
  • Configure a campaign or download one to trace the remediation, prioritize externally exposed systems, and then go to internally exposed systems 

Technical anatomy of react2shell CVE-2025-55182

react2shell, cve-2025-55182, cve 2025 55182, react server components vulnerability, react server components rce, react flight protocol, react flight deserialization, react server actions security, react server functions vulnerability, next.js react2shell, next.js app router vulnerability, next.js server actions rce, react server dom webpack, react server dom turbopack, react server dom parcel, react-server-dom-webpack vulnerability, react-server-dom-turbopack vulnerability, react-server-dom-parcel vulnerability, cve-2025-55184, cve-2025-67779, cve-2025-55183, react server components dos, react server functions source code exposure, react rsc dos, next.js 13 dos vulnerability, next.js 14 dos vulnerability, patch again react2shell, react2shell exploitation in the wild, react2shell iocs, react2shell scanner, detect react2shell, react2shell mitigation, react2shell patch guidance, react2shell vulnerable versions, react2shell fixed versions, react2shell rce detection, react2shell waf rules, react2shell incident response, react2shell post exploitation, xmrig after react2shell, cloud credential harvesting react2shell, ASPM, Phoenix Security, Exploitation methods, Application Security Posture Management

React Server Components use the Flight protocol to serialize structured data across the client/server boundary. The vulnerable path is the server-side decode step: it accepts attacker-controlled payloads and resolves references in a way that lets a hostile object graph reach runtime primitives that were never meant to be reachable from untrusted input.  

Exploiting React2Shell (CVE-2025-55182) is a path in three moves (conceptual)

  1. Object-graph injection: the attacker feeds the decoder “chunk-like” structures that resemble internal state and reference each other.
  2. Thenable coercion: the graph is shaped to trigger Promise-like handling so decoder control flow follows attacker-controlled property resolution.
  3. Runtime primitive reachability: property resolution reaches a code-construction primitive (the Function constructor class), turning “decoded data” into executable behavior.

What to look for in logs if you are affected by React2Shell (CVE-2025-55182)

  • Requests that hit Server Functions / Server Actions or RSC endpoints and contain Flight-style reference markers that do not resemble normal app traffic.
  • Repeated attempts across many hosts sharing the same request template (see the boundary-string pivot in the in-the-wild section).

If you want the full gadget-chain mechanics, link out to a deep dive instead of embedding payloads in the post.

React’s advisory calls out the heart of the issue plainly: an attacker can craft a malicious request that, once deserialized, results in unauthenticated RCE, even when the app has no explicit Server Function endpoints, as long as it supports RSC. 

The exploit, being a remote code execution triggers with a minimal payload, below are some examples of attacks (Minimum Viable Exploit)

  0: {
status: “resolved_model”,
reason: -1,              
_response: {
  _prefix: “console.log(‘RCE’)//”,   
  _formData: { get: “$1:then:constructor” }, 
},
then: “$1:then”,         
value: ‘{“then”:”$B”}’,  
  },
  1: “$@0”,                  
}

FieldPurposeJunior-Friendly Explanation
status: “resolved_model”Trigger initialization“Initialization Trigger”
reason: -1Prevent crashTechnical workaround to avoid toString() error
_prefixMalicious codeThe actual command that runs on the server
_formData.getCode execution gadgetPoints to Function() so we can create new functions
thenAutomatic triggerMakes JavaScript call our code via await
valueAttack payloadContains $B which triggers the blob handler
1: “$@0”Self-referenceCreates the loop that exposes internal objects

There is a significant payload that delivers commands and enables exfiltration left on the servers (sex.sh and variants). 

sex.sh, react2shell, cve-2025-55182, cve 2025 55182, react server components vulnerability, react server components rce, react flight protocol, react flight deserialization, react server actions security, react server functions vulnerability, next.js react2shell, next.js app router vulnerability, next.js server actions rce, react server dom webpack, react server dom turbopack, react server dom parcel, react-server-dom-webpack vulnerability, react-server-dom-turbopack vulnerability, react-server-dom-parcel vulnerability, cve-2025-55184, cve-2025-67779, cve-2025-55183, react server components dos, react server functions source code exposure, react rsc dos, next.js 13 dos vulnerability, next.js 14 dos vulnerability, patch again react2shell, react2shell exploitation in the wild, react2shell iocs, react2shell scanner, detect react2shell, react2shell mitigation, react2shell patch guidance, react2shell vulnerable versions, react2shell fixed versions, react2shell rce detection, react2shell waf rules, react2shell incident response, react2shell post exploitation, xmrig after react2shell, cloud credential harvesting react2shell, ASPM, Phoenix Security, Exploitation methods, Application Security Posture Management

The attacker’s broader toolset includes this reconnaissance command for target identification, separate from the post-exploitation dropper, sex.sh.”

MD5: ddbbd528c3d0bcdd39617676c85dde33
Active Since: 15th October 2025
IP: 209.141.49.251

Commands

waybackurls $1 | grep “_next/static” | cut -d “/” -f1,2,3 | sort -u | uniq | tee -a next_target.txt

Exploit Example, CVE-2025-55182, CVE-2025-66478, React2Shell, React4Shell, React Server Components vulnerability, RSC Flight vulnerability, Next.js RCE, React RCE, Next.js App Router vulnerability, Next.js Server Actions vulnerability, server-side prototype pollution, prototype pollution RCE, remote code execution Next.js, remote code execution React, Next-Action header exploit, rsc-action-id header exploit, multipart/form-data exploit, indicators of compromise, React2Shell IOCs, CVE-2025-55182 IOCs, exploitation timeline, Shodan React systems, Shodan Next.js systems, patch Next.js, upgrade Next.js 15.0.5, upgrade Next.js 16.0.7, patched Next.js versions, patched React versions 19.0.1 19.1.2 19.2.1, npx fix-react2shell-next, AWS WAF React2Shell, AWSManagedRulesKnownBadInputsRuleSet, ReactJSRCE_BREAKGLASS_BLOCK, Google Cloud Armor cve-canary, google-mrs-v202512-id000001-rce, Azure WAF custom rule cve202555182, Azure Front Door WAF, Azure Application Gateway WAF, WAF mitigation, ASPM, application security posture management, vulnerability management, reachability analysis, code-to-cloud traceability, campaign-based remediation

PoC and exploit demonstration example

available in the Lab

Core behaviours for React2Shell (CVE-2025-55182)

What the exploit needs

  • A reachable endpoint that triggers RSC/Server Function decode logic (framework-managed or custom).
  • A vulnerable react-server-dom-* package version in the 19.x line listed below.

What the exploit does

  • Forces the decoder to resolve a chain of attacker-controlled references.
  • The chain is engineered so that a “getter” becomes a call into Function(…), with the payload providing the JavaScript source to compile and run.

Why is the impact maximal

Once arbitrary JavaScript runs inside the Node.js server process, it inherits whatever that process can reach:

  • environment variables
  • filesystem secrets and configs
  • cloud metadata endpoints
  • outbound network access to call home or stage tooling

Wiz and AWS both documented real post-exploitation that matches that reality: credential harvesting, metadata access attempts, and persistent backdoors in cloud workloads. 

Get a Free Posture assessment today

Assess my posture

Affected Versions for React2Shell (CVE-2025-55182) and CVE-2025-55184, CVE-2025-67779, CVE-2025-55183

React packages (CVE-2025-55182 RCE)

Vulnerable versions include 19.0, 19.1.0, 19.1.1, 19.2.0 for:

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

RCE fixes were introduced in:

  • 19.0.1
  • 19.1.2
  • 19.2.1

Next.js downstream impact

Next.js is impacted when it reaches the vulnerable RSC flow (notably App Router lines referenced in vendor advisories). 

Independent advisory tracking also notes Next.js 13.x / 14.x stable and Pages Router are not affected by the RCE path. 

Scale and install base

This landed hard because React and Next.js sit on a massive distribution base: tens of millions of weekly npm downloads for each were cited in public reporting. Visibility studies also found vulnerable React/Next.js versions present in a large share of cloud environments under observation.

Other Vulnerabilities

In case you missed patching React components,you’re in “luck” there are more vulnerabilities being disclosed.  The ecosystem got hit with follow-ups right after the RCE fire drill.

  • CVE-2025-55184 (High, CVSS 7.5): Denial of Service (reported by RyotaK)
  • CVE-2025-67779 (High, CVSS 7.5): Denial of Service variant; the first DoS fix missed an edge case (found internally by the React team)
  • CVE-2025-55183 (Medium, CVSS 5.3): Source code exposure of Server Functions (reported by Andrew MacPherson)

React’s follow-up post is blunt on the operational reality: earlier patches are vulnerable, and fixes were backported to 19.0.3 / 19.1.4 / 19.2.3

This is a familiar pattern for high-profile issues: once the code path is under a microscope, variants show up fast. React explicitly points to the Log4Shell follow-up wave as the same phenomenon.

Campaign to identify if your libraries are affected by the react2shell CVE-2025-55182, CVE-2025-66478 in Phoenix security ASPM

Leverage the Phoenix Security SCA Scanner to identify the vulnerability blast radius 

Scan with the Git automatic scanner or pull the repo individually (finding can be synced to Phoenix using –enable-phoenix and modifying the config:

react2shell-cve2025-55182-campaign-config v3Download

Leverage Phoenix Security Filters and the campaign method to update/ retrieve the new vulnerabilities, or import those two files

Phoenix Campaign, Phoenix Security, CVE-2025-55182, CVE-2025-66478, React2Shell, React4Shell, React Server Components vulnerability, RSC Flight vulnerability, Next.js RCE, React RCE, Next.js App Router vulnerability, Next.js Server Actions vulnerability, server-side prototype pollution, prototype pollution RCE, remote code execution Next.js, remote code execution React, Next-Action header exploit, rsc-action-id header exploit, multipart/form-data exploit, indicators of compromise, React2Shell IOCs, CVE-2025-55182 IOCs, exploitation timeline, Shodan React systems, Shodan Next.js systems, patch Next.js, upgrade Next.js 15.0.5, upgrade Next.js 16.0.7, patched Next.js versions, patched React versions 19.0.1 19.1.2 19.2.1, npx fix-react2shell-next, AWS WAF React2Shell, AWSManagedRulesKnownBadInputsRuleSet, ReactJSRCE_BREAKGLASS_BLOCK, Google Cloud Armor cve-canary, google-mrs-v202512-id000001-rce, Azure WAF custom rule cve202555182, Azure Front Door WAF, Azure Application Gateway WAF, WAF mitigation, ASPM, application security posture management, vulnerability management, reachability analysis, code-to-cloud traceability, campaign-based remediation
Phoenix Campaign, Phoenix Security, CVE-2025-55182, CVE-2025-66478, React2Shell, React4Shell, React Server Components vulnerability, RSC Flight vulnerability, Next.js RCE, React RCE, Next.js App Router vulnerability, Next.js Server Actions vulnerability, server-side prototype pollution, prototype pollution RCE, remote code execution Next.js, remote code execution React, Next-Action header exploit, rsc-action-id header exploit, multipart/form-data exploit, indicators of compromise, React2Shell IOCs, CVE-2025-55182 IOCs, exploitation timeline, Shodan React systems, Shodan Next.js systems, patch Next.js, upgrade Next.js 15.0.5, upgrade Next.js 16.0.7, patched Next.js versions, patched React versions 19.0.1 19.1.2 19.2.1, npx fix-react2shell-next, AWS WAF React2Shell, AWSManagedRulesKnownBadInputsRuleSet, ReactJSRCE_BREAKGLASS_BLOCK, Google Cloud Armor cve-canary, google-mrs-v202512-id000001-rce, Azure WAF custom rule cve202555182, Azure Front Door WAF, Azure Application Gateway WAF, WAF mitigation, ASPM, application security posture management, vulnerability management, reachability analysis, code-to-cloud traceability, campaign-based remediation
Phoenix Campaign, Phoenix Security, CVE-2025-55182, CVE-2025-66478, React2Shell, React4Shell, React Server Components vulnerability, RSC Flight vulnerability, Next.js RCE, React RCE, Next.js App Router vulnerability, Next.js Server Actions vulnerability, server-side prototype pollution, prototype pollution RCE, remote code execution Next.js, remote code execution React, Next-Action header exploit, rsc-action-id header exploit, multipart/form-data exploit, indicators of compromise, React2Shell IOCs, CVE-2025-55182 IOCs, exploitation timeline, Shodan React systems, Shodan Next.js systems, patch Next.js, upgrade Next.js 15.0.5, upgrade Next.js 16.0.7, patched Next.js versions, patched React versions 19.0.1 19.1.2 19.2.1, npx fix-react2shell-next, AWS WAF React2Shell, AWSManagedRulesKnownBadInputsRuleSet, ReactJSRCE_BREAKGLASS_BLOCK, Google Cloud Armor cve-canary, google-mrs-v202512-id000001-rce, Azure WAF custom rule cve202555182, Azure Front Door WAF, Azure Application Gateway WAF, WAF mitigation, ASPM, application security posture management, vulnerability management, reachability analysis, code-to-cloud traceability, campaign-based remediation
React2Shell (CVE-2025-55182) campaign monitoring

Check the libraries not affected in the SBOM screen to detect React2Shell (search the following libraries) for CVE-2025-55182, CVE-2025-66478, CVE-2025-55184, CVE-2025-67779, CVE-2025-55183

  • React-server-dom-webpack
  • webpack
  • React-server-dom-parcel
  • parcel
  • React-server-dom-turbopack
  • Turbopack
  • react-router
  • Next.js
  • plugin-rsc
  • Waku
  • Rwsdk
  • rsc

Where can you monitor the progress of React2Shell (CVE-2025-55182) remediation?

You can monitor the remediation progress in the Vulnerability screen by filtering the specific campaign or filtering the CVE / library affected by React2Shell (CVE-2025-55182)

Phoenix Campaign, Phoenix Security, CVE-2025-55182, CVE-2025-66478, React2Shell, React4Shell, React Server Components vulnerability, RSC Flight vulnerability, Next.js RCE, React RCE, Next.js App Router vulnerability, Next.js Server Actions vulnerability, server-side prototype pollution, prototype pollution RCE, remote code execution Next.js, remote code execution React, Next-Action header exploit, rsc-action-id header exploit, multipart/form-data exploit, indicators of compromise, React2Shell IOCs, CVE-2025-55182 IOCs, exploitation timeline, Shodan React systems, Shodan Next.js systems, patch Next.js, upgrade Next.js 15.0.5, upgrade Next.js 16.0.7, patched Next.js versions, patched React versions 19.0.1 19.1.2 19.2.1, npx fix-react2shell-next, AWS WAF React2Shell, AWSManagedRulesKnownBadInputsRuleSet, ReactJSRCE_BREAKGLASS_BLOCK, Google Cloud Armor cve-canary, google-mrs-v202512-id000001-rce, Azure WAF custom rule cve202555182, Azure Front Door WAF, Azure Application Gateway WAF, WAF mitigation, ASPM, application security posture management, vulnerability management, reachability analysis, code-to-cloud traceability, campaign-based remediation
Phoenix Campaign, Phoenix Security, CVE-2025-55182, CVE-2025-66478, React2Shell, React4Shell, React Server Components vulnerability, RSC Flight vulnerability, Next.js RCE, React RCE, Next.js App Router vulnerability, Next.js Server Actions vulnerability, server-side prototype pollution, prototype pollution RCE, remote code execution Next.js, remote code execution React, Next-Action header exploit, rsc-action-id header exploit, multipart/form-data exploit, indicators of compromise, React2Shell IOCs, CVE-2025-55182 IOCs, exploitation timeline, Shodan React systems, Shodan Next.js systems, patch Next.js, upgrade Next.js 15.0.5, upgrade Next.js 16.0.7, patched Next.js versions, patched React versions 19.0.1 19.1.2 19.2.1, npx fix-react2shell-next, AWS WAF React2Shell, AWSManagedRulesKnownBadInputsRuleSet, ReactJSRCE_BREAKGLASS_BLOCK, Google Cloud Armor cve-canary, google-mrs-v202512-id000001-rce, Azure WAF custom rule cve202555182, Azure Front Door WAF, Azure Application Gateway WAF, WAF mitigation, ASPM, application security posture management, vulnerability management, reachability analysis, code-to-cloud traceability, campaign-based remediation
Monitor in Phoenix Security SBOM Screen the React2Shell (CVE-2025-55182) affected libraries

How threat actors are using CVE-2025-55182 and follow-on variants in an attack 

react2shell, cve-2025-55182, cve 2025 55182, react server components vulnerability, react server components rce, react flight protocol, react flight deserialization, react server actions security, react server functions vulnerability, next.js react2shell, next.js app router vulnerability, next.js server actions rce, react server dom webpack, react server dom turbopack, react server dom parcel,

Attackers don’t need creativity here. They need throughput.

Phase 1: Internet discovery and validation scanning for React2Shell (CVE-2025-55182)

A crafted request hits the RSC decode surface and yields code execution inside the Node.js process that serves your app. React categorizes this as unauthenticated RCE with maximum severity.  

Phase 2: Initial access inside the app runtime exploitation of React2Shell (CVE-2025-55182)

Once the payload runs, the attacker has a shell-equivalent foothold in the Node process context. AWS and Wiz both observed early-stage commands used for identity, environment, and filesystem discovery in cloud workloads. 

Phase 3: Credential harvesting and cloud pivoting exfiltration leveraging post exploitation of React2Shell (CVE-2025-55182)

Attackers harvest:

  • env secrets and tokens
  • cloud credentials via instance metadata access
  • SSH keys and developer tooling credentials

    Then they upload results in bulk to attacker infrastructure. 
    Wiz documented campaigns explicitly targeting this data after exploitation.

Phase 4: Monetization or persistence

Observed outcomes include:

  • cryptominers dropped into containers and servers
  • reverse tunnels and backdoors for longer-term control
  • Sliver implants in more advanced intrusions 

Phase 5: Variant pressure after patching

Even after you shut down the RCE class, the follow-ups keep the same exposed surface relevant:

  • DoS requests that hang the server in a loop and burn CPU 

Crafted requests that cause server functions to return compiled source of other functions, risking exposure of hardcoded secrets and business logic. 

Which threat actors are using CVE-2025-55182 for active exploitation

China-nexus activity (espionage and access tooling)

Google intelligence has identified multiple China-nexus clusters exploiting CVE-2025-55182 globally as of Dec 12, and cites AWS reporting that Earth Lamia and Jackpot Panda are exploiting the bug (GTIG tracks Earth Lamia as UNC5454). 

Key clusters and payload families GTIG calls out:

  • UNC6600 → MINOCAT tunneler

    Google intelligence observed behavior centers on stealthy foothold hardening: creation of a hidden working directory (for example, $HOME/.systemd-utils), process tampering (killing ntpclient), then persistence via cron, systemd, and shell-profile execution hooks so the tunneler re-launches when a new shell starts. MINOCAT is a Linux ELF with an embedded FRP client used for tunneling.
  • UNC6586 → SNOWLIGHT downloader (VSHELL ecosystem)

    Google intelligence observed retrieval of SNOWLIGHT followed by HTTP GET traffic to C2 and staging infrastructure, including reactcdn.windowserrorapis[.]com as an example domain. Treat this as a clean hunting pivot for outbound connections from a web-server context.
  • UNC6588 → COMPOOD backdoor

    Google intelligence observed COMPOOD being downloaded and executed in a way that masquerades as a legitimate binary (example: “vim” naming). GTIG did not observe heavy follow-on in those incidents, and the motivation remains unclear.
  • UNC6603 → HISONIC backdoor (cloud-service blending)

    Google intelligence reports HISONIC retrieving encrypted configuration via legitimate cloud services (Cloudflare Pages, GitLab) to blend into expected traffic. They also note marker strings delimiting an XOR-encoded config blob and targeting focus on AWS and Alibaba Cloud in APAC.

Financially motivated activity (throughput first, mining second)

GTIG observed multiple incidents starting Dec 5 where actors used CVE-2025-55182 to deploy XMRig for illicit cryptomining. One observed chain downloads a script named sex.sh, pulls XMRig from GitHub, then adds persistence via a systemd service named system-update-service. 

Operational takeaway: even if you patch quickly, treat “unexpected miner symptoms” (CPU spikes, new system services, outbound pool traffic) as a compromise triage trigger, not as an infra hiccup.

Defender notes: what to hunt for (actionable without handing attackers a recipe)

  • Outbound web-server initiated fetches (wget/curl behavior) to known staging/C2 IOCs and newly registered lookalike domains.
  • Filesystem and persistence artifacts: hidden working directories, unexpected cron entries, new systemd units tied to the web workload user, shell-profile modifications.

Tunneling and proxy tooling (FRP-style behavior) and reverse proxy patterns in egress logs.  

What Evidence of exploitation do we have for React2Shell (CVE-2025-55182)

A researcher under the name of Krishnan has identified a treasure trove of targets that are being collected for further exploitation

1) “Open dir” staging looks like pre-ops for mass exploitation

Krishnan found an exposed directory hosting React2Shell tooling and target material: a YAML PoC file, domain lists, and scripts, all sitting in the open. Inside it, two files stand out: a “Domains” list with 35,423 domains, and a “Next Target” list with 596 URLs that include well-known brands. Treat that list as intent, not proof of compromise. It still tells you what attackers think is worth scanning at scale. 

Even better: one of the scripts uses a Wayback Machine harvesting one-liner to fingerprint Next.js by searching for /_next/static paths, then writing candidates into a next_target.txt style list. That’s not sophisticated, it’s efficient, and it scales. 

2) A reusable multipart boundary string is showing up as a “campaign fingerprint.”

One detail is unusually operational: the boundary string WebKitFormBoundaryx8jO2oVc6SWP3Sad appears inside the YAML PoC and then shows up across large numbers of hosts in external search results (FOFA and Censys results in the post). A normal browser generates fresh boundaries; a hardcoded boundary points to automation and replay. Krishnan reports seeing it across 708 unique hosts in FOFA results and notes a pattern where many identified victims advertise Server: ZK Web Server

Translation for defenders: even when payload shapes evolve, lazy operators keep reusing “working” request templates. That boundary is a clean hunting pivot in WAF, reverse proxy, and application logs.

3) Post-exploitation is frequently crypto-mining, delivered by a familiar script name

Krishnan tracks a recurring file name, sex.sh, tied to cryptomining deployments (XMRig) alongside React2Shell activity. The post lists multiple IPs hosting that script and provides one sample hash and timeline details. 

This lines up with broader reporting that active React2Shell exploitation has been used to deliver XMRig, with sex.sh specifically called out as a Bash script that pulls XMRig 6.24.0 and sets up persistence via a systemd service. 

Practical IOCs you can operationalize today

Use these as detection pivots, not as a checklist to “block one string and declare victory”:

  • Inbound: multipart/form-data requests carrying boundary WebKitFormBoundaryx8jO2oVc6SWP3Sad in proximity to Server Actions / RSC endpoints.
  • Hunting pivot: repeat appearances of that exact boundary across unrelated requests (high confidence automation).
  • Recon artifact: requests and tooling patterns that enumerate /_next/static paths (candidate Next.js discovery).
  • Host signals: presence of sex.sh style droppers, XMRig fetches, and suspicious systemd service persistence patterns consistent with miner deployment. 

Exploited and exploitable: internet-scale exposure signals react2shell CVE-2025-55182

React System in ShodanNext.js systems in Shodan
react2shell, cve-2025-55182, cve 2025 55182, react server components vulnerability, react server components rce, react flight protocol, react flight deserialization, react server actions security, react server functions vulnerability, next.js react2shell, next.js app router vulnerability, next.js server actions rce, react server dom webpack, react server dom turbopack, react server dom parcel, shodanreact2shell, cve-2025-55182, cve 2025 55182, react server components vulnerability, react server components rce, react flight protocol, react flight deserialization, react server actions security, react server functions vulnerability, next.js react2shell, next.js app router vulnerability, next.js server actions rce, react server dom webpack, react server dom turbopack, react server dom parcel, Shodan
react2shell, cve-2025-55182, cve 2025 55182, react server components vulnerability, react server components rce, react flight protocol, react flight deserialization, react server actions security, react server functions vulnerability, next.js react2shell, next.js app router vulnerability, next.js server actions rce, react server dom webpack, react server dom turbopack, react server dom parcel, Shadowserver
From The Shadowserver Foundation: More than 120,725 internet-exposed IP addresses are running vulnerable code as of December 11, 2025. Of these, over 82,100 instances are located in the U.S., followed by Germany (8.8K), France (4.5K) and more
react2shell, cve-2025-55182, cve 2025 55182, react server components vulnerability, react server components rce, react flight protocol, react flight deserialization, react server actions security, react server functions vulnerability, next.js react2shell, next.js app router vulnerability, next.js server actions rce, react server dom webpack, react server dom turbopack, react server dom parcel, fastly
Fastly detects an increase in exploitation from 9M on December 4, 2026

We are tracking the incident write-ups that describe rapid PoC churn and active exploitation attempts shortly after disclosure. 

Attack surface counts (as reported in the provided campaign analysis):

  • React systems in Shodan: 584,086
  • Next.js technologies in Shodan: 754,139 
  • Fastly Detection of attacks on the 5th 
  • Datadog has provided detailed exploitation IoC tracking the various exploit-poc

Datadog  detection of the exploit activity after PoC on the 5th December disclosure

Graynoise and Cloudflare saw continuous probing and a surge of detections. Cloudflare, which is also tracking ongoing exploitation activity, said threat actors have conducted searches using internet-wide scanning and asset discovery platforms to find exposed systems running React and Next.js applications.

react2shell, cve-2025-55182, cve 2025 55182, react server components vulnerability, react server components rce, react flight protocol, react flight deserialization, react server actions security, react server functions vulnerability, next.js react2shell, next.js app router vulnerability, next.js server actions rce, react server dom webpack, react server dom turbopack, react server dom parcel, datadog
Datadog Exploitation over time of PoC		react2shell, cve-2025-55182, cve 2025 55182, react server components vulnerability, react server components rce, react flight protocol, react flight deserialization, react server actions security, react server functions vulnerability, next.js react2shell, next.js app router vulnerability, next.js server actions rce, react server dom webpack, react server dom turbopack, react server dom parcel, cloudflare
Cloudflare exploitation over time
react2shell, cve-2025-55182, cve 2025 55182, react server components vulnerability, react server components rce, react flight protocol, react flight deserialization, react server actions security, react server functions vulnerability, next.js react2shell, next.js app router vulnerability, next.js server actions rce, react server dom webpack, react server dom turbopack, react server dom parcel, graynoise
Graynoise Exploitation over time with increase from Dec 04

Get a Free Posture assessment today

Assess my posture

How Phoenix Security can help in React2Shell (CVE-2025-55182) multi-stage attack: catching the attack and the owner at the same time

Multi-stage attack to multi-stage remediation

The React2Shell (CVE-2025-55182) is a multi-stage attack. This is where you need a multi-stage system to track exploitation from external systems all the way to internal systems with attribution and remediation

Phoenix Security can connect the dots across:

  • External Attack Surface

     Identify internet-exposed applications and endpoints that match RSC/Next.js patterns, then track exposure drift (new subdomains, new routes, new gateways). When React2Shell scanning ramps up, leveraging the External Attack surface (signatures for the CVE-2025-55182 are already available)
  • Correlation across runtime exposure, packages, and code

     React2Shell is not “a React problem.” It’s a reachable deserialization path plus a specific react-server-dom-* dependency version. Correlation means you can answer fast:
    • Which exposed apps route traffic into Server Actions/RSC decode
    • Which repos actually pull the vulnerable libraries
    • Which builds and deployments still carry those versions

Phoenix Security Correlate your external attack surface with internal applications and react to applications that are vulnerable. Phoenix Security also deduplicates code and cloud to enable you to focus on the vulnerabilities that really matter and where they should be fixed.

  • Code scanning and library lineage
    Pinpoint the exact dependency chain that introduced react-server-dom-webpack (direct, transitive, monorepo hoist, framework peer dep). Pair that with where it runs: cluster, namespace, service, ingress, or domain.
  • Attribution and ownership
    The fix is simple on paper: upgrade and redeploy. The failure mode is human: “nobody owns the frontend runtime.” Attribution ties the vulnerable runtime surface back to the team and the repo that can ship the patch. That keeps React2Shell from becoming a week-long blame relay.
  • Exploitation-aware prioritization

    When active campaigns are public and growing (scanners, miners, backdoors), a critical RCE on an exposed RSC stack is not a backlog item. It’s a production incident until proven otherwise. Public intel on in-the-wild exploitation, plus your own exposure evidence, is how you justify the escalation. 
  • New Phoenix Security Automatic Remediation

Phoenix Security Remediation screen helps you to focus on the remediation that matters in the asset that needs the specific fix (build file, library or base image).

Discovery and Disclosure Timeline

react2shell, timeline react2shell, cve-2025-55182, cve 2025 55182, react server components vulnerability, react server components rce, react flight protocol, react flight deserialization, react server actions security, react server functions vulnerability, next.js react2shell, next.js app router vulnerability, next.js server actions rce, react server dom webpack, react server dom turbopack, react server dom parcel, react-server-dom-webpack vulnerability, react-server-dom-turbopack vulnerability, react-server-dom-parcel vulnerability, cve-2025-55184, cve-2025-67779, cve-2025-55183, react server components dos, react server functions source code exposure, react rsc dos, next.js 13 dos vulnerability, next.js 14 dos vulnerability, patch again react2shell, react2shell exploitation in the wild, react2shell iocs, react2shell scanner, detect react2shell, react2shell mitigation, react2shell patch guidance, react2shell vulnerable versions, react2shell fixed versions, react2shell rce detection, react2shell waf rules, react2shell incident response, react2shell post exploitation, xmrig after react2shell, cloud credential harvesting react2shell, ASPM, Phoenix Security, Exploitation methods, Application Security Posture Management
  • Nov 29, 2025: vulnerability reported to the React team.
  • Dec 3, 2025: React publishes the critical advisory and fixes for CVE-2025-55182.
  • Dec 11, 2025: React publishes follow-up advisory covering CVE-2025-55184, CVE-2025-67779, CVE-2025-55183 and states that earlier follow-up patch releases were incomplete.
  • Dec 11, 2025: Next.js publishes its security update aligned to the follow-up CVEs.
  • Dec 12, 2025: Raven File documents open-directory staging and targeting workflows connected to in-the-wild activity.  
react2shell, timeline react2shell, cve-2025-55182, cve 2025 55182, react server components vulnerability, react server components rce, react flight protocol, react flight deserialization, react server actions security, react server functions vulnerability, next.js react2shell, next.js app router vulnerability, next.js server actions rce, react server dom webpack, react server dom turbopack, react server dom parcel, react-server-dom-webpack vulnerability, react-server-dom-turbopack vulnerability, react-server-dom-parcel vulnerability, cve-2025-55184, cve-2025-67779, cve-2025-55183, react server components dos, react server functions source code exposure, react rsc dos, next.js 13 dos vulnerability, next.js 14 dos vulnerability, patch again react2shell, react2shell exploitation in the wild, react2shell iocs, react2shell scanner, detect react2shell, react2shell mitigation, react2shell patch guidance, react2shell vulnerable versions, react2shell fixed versions, react2shell rce detection, react2shell waf rules, react2shell incident response, react2shell post exploitation, xmrig after react2shell, cloud credential harvesting react2shell, ASPM, Phoenix Security, Exploitation methods, Application Security Posture Management

Temporary Protections

Patching is the fix. Temporary protections buy minutes and hours.

  • WAF rules and managed protections

    Multiple providers shipped emergency detections and managed rules while patching rolled out; AWS also documented managed rule updates and interim WAF guidance. 
  • Full list of WAF rules: https://phoenix.security/react2shell-resources/
  • Rate limiting and burst control on Server Action/RSC endpoints

    This matters even more after the DoS CVEs; the follow-up DoS hangs server processes by driving the vulnerable deserialization into an infinite loop.
  • Segmentation of build and runtime secrets

    Wiz observed broad secret harvesting and metadata access attempts after initial code execution. Reduce what the frontend runtime can reach.

Hunt and verify

AWS published concrete indicators: suspicious headers, $@ markers, resolved_model patterns, unexpected command execution patterns and file activity driven by Node/React processes.

https://securitylabs.datadoghq.com/articles/cve-2025-55182-react2shell-remote-code-execution-react-server-components

https://www.fastly.com/blog/fastlys-proactive-protection-critical-react-rce-cve-2025-55182

https://www.greynoise.io/blog/cve-2025-55182-react2shell-opportunistic-exploitation-in-the-wild-what-the-greynoise-observation-grid-is-seeing-so-far

https://vercel.com/kb/bulletin/security-bulletin-cve-2025-55184-and-cve-2025-55183

https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components

https://nextjs.org/blog/CVE-2025-66478
https://x.com/stdoutput
https://x.com/stdoutput/status/199669…
https://github.com/msanft/CVE-2025-55182
https://x.com/maple3142
https://x.com/maple3142/status/199668…
https://gist.github.com/maple3142/48b…
https://github.com/facebook/react/sec…
https://x.com/swithak/status/19965841…
https://gist.github.com/SwitHak/53766…
https://github.com/assetnote/react2sh…
https://slcyber.io/research-center/hi…
https://gist.github.com/joe-desimone/…
https://x.com/rauchg/status/199670143…

How Phoenix Security Can Help

attack graph phoenix security ASPM

Organizations often face an overwhelming volume of security alerts, including false positives and duplicate vulnerabilities, which can distract from real threats. Traditional tools may overwhelm engineers with lengthy, misaligned lists that fail to reflect business objectives or the risk tolerance of product owners.

Phoenix Security offers a transformative solution through its Actionable Application Security Posture Management (ASPM), powered by AI-based Contextual Quantitative analysis and an innovative Threat Centric approach. This innovative approach correlates runtime data with code analysis and leverages the threats that are more likely to lead to zero day attacks and ransomware to deliver a single, prioritized list of vulnerabilities. This list is tailored to the specific needs of engineering teams and aligns with executive goals, reducing noise and focusing efforts on the most critical issues. Why do people talk about Phoenix

Automated Triage: Phoenix streamlines the triage process using a customizable 4D risk formula, ensuring critical vulnerabilities are addressed promptly by the right teams.

Contextual Deduplication: Utilizing canary token-based traceability, Phoenix accurately deduplicates and tracks vulnerabilities within application code and deployment environments, allowing teams to concentrate on genuine threats.

Actionable Threat Intelligence: Phoenix provides real-time insights into vulnerability’ exploitability, combining runtime threat intelligence with application security data for precise risk mitigation.

ASPm, CISA KEV, Remote Code Execution, Inforamtion Leak, Category, Impact, MITRE&ATTACK, AI Assessment, Phoenix CISA KEV, Threat intelligence

By leveraging Phoenix Security, you not only unravel the potential threats but also take a significant stride in vulnerability management, ensuring your application security remains up to date and focuses on the key vulnerabilities.

Get in control of your Application Security posture and Vulnerability management

Get a Demo today

Picture of Francesco Cipollone

Francesco Cipollone

Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.
14th December 2025
Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.

Discuss this blog with our community on Slack

Join our AppSec Phoenix community on Slack to discuss this blog and other news with our professional security team

Join Slack community
Linkedin-in Youtube Facebook-f Twitter Instagram

From our Blog

Phoenix_Security_React2Shell
  • 8th December 2025

React2Shell / React4Shell Resources: CVE-2025-55182 (React RSC Flight) and CVE-2025-66478 (Next.js App Router) with IOCs, exploitability updates, and scanning links

React4Shell (also tracked as React2Shell and “Freight Night”) turns React Server Components into an unauthenticated remote code execution path via the Flight protocol. Public PoCs are circulating, scanning is spiking, and large-scale exploitation has already been reported. Patch fast, then verify what’s actually running.
Francesco Cipollone
React4Shell, React2Shell, React Server Components, RSC vulnerability, Flight protocol vulnerability, React Flight protocol RCE, unauthenticated RCE, React remote code execution, Next.js remote code execution, Next.js RCE, CVE-2025-55182, CVE-2025-66478, Next.js App Router vulnerability, React server actions vulnerability, react-server-dom-webpack vulnerability, react-server-dom-parcel vulnerability, react-server-dom-turbopack vulnerability, DevSecOps patching, ASPM, application security, vulnerability management, software supply chain security, npm ecosystem security, web application RCE, WAF mitigation, AWS WAF rule, AWSManagedRulesKnownBadInputsRuleSet, Fastly NGWAF virtual patch, active exploitation timeline, China-nexus threat groups, Earth Lamia, Jackpot Panda, Log4j-like vulnerability
  • 5th December 2025

React4Shell (React2Shell) Is being exploited at scale: Critical Unauthenticated RCE in React RSC Flight (CVE-2025-55182) and Next.js (CVE-2025-66478)

React4Shell (also tracked as React2Shell and “Freight Night”) turns React Server Components into an unauthenticated remote code execution path via the Flight protocol. Public PoCs are circulating, scanning is spiking, and large-scale exploitation has already been reported. Patch fast, then verify what’s actually running.
Francesco Cipollone
Phoenix_Security_React2Shell
  • 4th December 2025

React2Shell Campaign Patch RSC Stack Now: Critical Unauthenticated RCE in the Flight Protocol CVE-2025-55182 (React) and CVE-2025-66478 (Next.js)

Two critical CVEs (React and Next.js now called React2Shell or React4shell recalling log4j and spring4shell vulnerabilities) expose an unauthenticated remote code execution path via the “Flight” protocol. If you are running server-rendered React with RSC enabled, assume exposure until you prove otherwise and patch fast.
Francesco Cipollone
Shai Hulud v2 explained, Shai-Hulud timeline, aspm, vulnerability management, supply chain
  • 27th November 2025

Shai Hulud V2 and Sha1-Hulud A Multi-Stage npm Supply Chain Attack Targeting Code, Cloud, and CI/CD

The Shai Hulud campaign marks a major escalation in npm supply chain attacks. This article examines how the malware executes during preinstall, steals cloud and CI/CD secrets, injects GitHub workflows, attempts container breakout, and propagates across nearly 700 compromised packages. The full timeline tracks the attack from the first September incidents through the November V2 expansion.
Francesco Cipollone
Shai Hulud v2 explained, Shai-Hulud timeline, aspm, applciation security, supply chain security, compromised packages, github security, malicious npm packages, npm security threats, npm supply chain attack, open-source vulnerabilities, shai-hulud campaign, shai-hulud supply chain attack
  • 24th November 2025

Shai-Hulud V2 Second Coming NPM’s Latest Supply Chain Strikes Again 26K repo compromised and 425 new libraries, how to scan and recover 

Shai Hulud weaponised npm’s trust model with stolen maintainer credentials, poisoned tarballs, and GitHub Actions backdoors that keep exfiltrating from CI. At least 608 packages are in scope, including assets from PostHog, ENS, AsyncAPI, Postman, and Zapier. This article maps the updated blast radius and gives a remediation plan built on ASPM, reachability, and remediation-aware exposure management.
Francesco Cipollone

Dive into our full React4Shell analysis. Read the blog →

Derek

Derek Fisher

Linkedin

Head of product security at a global fintech

Derek Fisher – Head of product security at a global fintech. Speaker, instructor, and author in application security.

Derek is an award winning author of a children’s book series in cybersecurity as well as the author of “The Application Security Handbook.” He is a university instructor at Temple University where he teaches software development security to undergraduate and graduate students. He is a speaker on topics in the cybersecurity space and has led teams, large and small, at organizations in the healthcare and financial industries. He has built and matured information security teams as well as implemented organizational information security strategies to reduce the organizations risk.

Derek got his start in the hardware engineering space where he learned about designing circuits and building assemblies for commercial and military applications. He later pursued a computer science degree in order to advance a career in software development. This is where Derek was introduced to cybersecurity and soon caught the bug. He found a mentor to help him grow in cybersecurity and then pursued a graduate degree in the subject.

Since then Derek has worked in the product security space as an architect and leader. He has led teams to deliver more secure software in organizations from multiple industries. His focus has been to raise the security awareness of the engineering organization while maintaining a practice of secure code development, delivery, and operations.

In his role, Jeevan handles a range of tasks, from architecting security solutions to collaborating with Engineering Leadership to address security vulnerabilities at scale and embed security into the fabric of the organization.

Jeevan Singh

Jeevan Singh

Linkedin

Founder of Manicode Security

Jeevan Singh is the Director of Security Engineering at Rippling, with a background spanning various Engineering and Security leadership roles over the course of his career. He’s dedicated to the integration of security practices into software development, working to create a security-aware culture within organizations and imparting security best practices to the team.
In his role, Jeevan handles a range of tasks, from architecting security solutions to collaborating with Engineering Leadership to address security vulnerabilities at scale and embed security into the fabric of the organization.

James

James Berthoty

Linkedin

Founder of Latio Tech

James Berthoty has over ten years of experience across product and security domains. He founded Latio Tech to help companies find the right security tools for their needs without vendor bias.

christophe

Christophe Parisel

Linkedin

Senior Cloud Security Architect

Senior Cloud Security Architect

Chris

Chris Romeo

Linkedin

Co-Founder
Security Journey

Chris Romeo is a leading voice and thinker in application security, threat modeling, and security champions and the CEO of Devici and General Partner at Kerr Ventures. Chris hosts the award-winning “Application Security Podcast,” “The Security Table,” and “The Threat Modeling Podcast” and is a highly rated industry speaker and trainer, featured at the RSA Conference, the AppSec Village @ DefCon, OWASP Global AppSec, ISC2 Security Congress, InfoSec World and All Day DevOps. Chris founded Security Journey, a security education company, leading to an exit in 2022. Chris was the Chief Security Advocate at Cisco, spreading security knowledge through education and champion programs. Chris has twenty-six years of security experience, holding positions across the gamut, including application security, security engineering, incident response, and various Executive roles. Chris holds the CISSP and CSSLP certifications.

jim

Jim Manico

Linkedin

Founder of Manicode Security

Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. Jim is also the founder of Brakeman Security, Inc. and an investor/advisor for Signal Sciences. He is the author of Iron-Clad Java: Building Secure Web Applications (McGraw-Hill), a frequent speaker on secure software practices, and a member of the JavaOne Rockstar speaker community. Jim is also a volunteer for and former board member of the OWASP foundation.

Join our Mailing list!

Get all the latest news, exclusive deals, and feature updates.

The IKIGAI concept
x Powerful Protection for WordPress, from Shield Security
This Site Is Protected By
ShieldPRO