
What is React2Shell (CVE-2025-55182)?
Summary:
Frank M. Catucci and Timothy De Block dive into a critical, high-impact remote code execution (RCE) vulnerability affecting React Server Components and popular frameworks such as Next.js, a flaw widely referred to as React2Shell.
They discuss its severity, the rapid weaponization by botnets and state actors, and the long-term struggle organizations face in patching this class of vulnerability.
The Next Log4j? React2Shell (CVE-2025-55182)
Critical Severity: The vulnerability, tracked as CVE-2025-55182 (the separate Next.js identifier CVE-2025-66478 was later merged into it), carries the maximum CVSS score of 10.0.
The Flaw: The issue is an unauthenticated remote code execution (RCE) vulnerability stemming from insecure deserialization in the React Server Components (RSC) "Flight" protocol. It allows an attacker to execute arbitrary JavaScript with the server process's privileges simply by sending a specially crafted HTTP request.
Widespread Impact: The vulnerability affects React 19.x and other popular frameworks that bundle the react-server implementation, most notably Next.js (versions 15.x and 16.x using the App Router). It is exploitable in default configurations.
Rapid Weaponization: The speed of weaponization is "off the chain". Within a day of public disclosure, malicious payloads were observed, with activities including:
Deployment of Mirai botnets.
Installation of cryptomining malware (XMRig).
Deployment of various backdoors and reverse shells (e.g., SNOWLIGHT, COMPOOD, PeerBlight).
Attacks by China-nexus threat groups (Earth Lamia and Jackpot Panda).
The Long-Term Problem and Defense
Vulnerability Management Challenge: The core problem is identifying where these vulnerable components are running in a "ridiculous ecosystem". This is not just a problem for proprietary web apps, but for any IoT devices or camera systems that may be running React.
The Shadow of Log4j: Frank notes that the fallout from this vulnerability is expected to be similar to Log4j, requiring multiple iterative patches over time (Log4j required around five versions).
Many organizations have not learned their lesson from Log4j.
Because the issue can be three or four layers deep in open-source packages, getting a full fix requires a cascade of patches from dependent projects.
Mitigation is Complex: Patches should be applied immediately, but organizations must also consider third-party vendors and internal systems.
Post-Exploitation: Assume breach. If the vulnerability was exposed, it is a best practice to rotate all secrets, API keys, and credentials that the affected server had access to.
WAF as a Band-Aid: A Web Application Firewall (WAF) can be a mitigating control, but blindly installing one over a critical application is ill-advised as it can break essential functionality.
The Business Battle: Security teams often face the "age-old kind of battle" of whether to fix a critical vulnerability with a potential break/fix risk or stay open for business. Highly regulated industries, even with a CISA KEV listing, may still slow patching due to mandatory change control and liability for monetary loss if systems go down.
The Supply Chain and DDoS Threat
Nation-State & Persistence: State actors like those from China will sit on compromised access for long periods, establishing multiple layers of backdoors and obfuscated persistence mechanisms before an active strike.
Botnet Proliferation: The vulnerability is being used to rapidly build new botnets for massive distributed denial of service (DDoS) attacks.
DDoS attack sizes are reaching terabits per second.
Some DDoS attacks are so large that security vendors have had to drop clients in order to protect their remaining customers.
Supply Chain Security: The vulnerability highlights the urgent need for investment in Software Bill of Materials (SBOMs) and Application Security Posture Management (ASPM)/Application Security Risk Management (ASRM) solutions.
This includes looking beyond web servers to embedded systems, medical devices, and auto software.
Legislation is in progress to mandate that vendors cannot ship vulnerable software and to track these components.
Actionable Recommendations
Immediate Patching: This is the only definitive mitigation. Upgrade to the patched versions immediately, prioritizing internet-facing services.
Visibility Tools: Use tools for SBOMs, ASPM, or ASRM to accurately query your entire ecosystem for affected versions of React and related frameworks.
Testing: Run benign proof-of-concept code to test for the vulnerability on your own network. Examples include simple commands such as whoami. (Note: always use trusted, non-malicious payloads for internal testing.)
Monitor CISA KEV: The vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog.
Research: Look for IoCs (Indicators of Compromise) and TTPs (Tactics, Techniques, and Procedures) associated with post-exploitation to hunt for pervasive access and backdoors.
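The "Visibility Tools" recommendation and the earlier point that the vulnerable component can sit three or four layers deep in open-source packages both come down to the same check: find every copy of the RSC server runtime and Next.js in a dependency tree, not just the top-level one. The following is an added example written for this page, not code from the episode or from any vendor tool. It walks an npm package-lock.json (lockfileVersion 2 or 3), reports each copy with its nesting depth, and compares it against a fixed-version table that the caller fills in from the vendor advisory; the package names it watches are the react-server-dom-* runtimes and next, and every version number in the sample data is constructed.

```javascript
// Added example (not from the episode or any vendor tool): scan an npm
// package-lock.json (lockfileVersion 2 or 3, "packages" map) for every copy
// of the React Server Components runtime packages and Next.js, including
// copies nested several layers down in node_modules, and compare each one
// against a caller-supplied table of minimum fixed versions.
const WATCHED = new Set([
  "react-server-dom-webpack", "react-server-dom-turbopack",
  "react-server-dom-parcel", "next",
]);

// "15.4.7-canary.3" -> [15, 4, 7]; prerelease tags are ignored for ordering.
function parseVersion(v) {
  return v.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
}
function cmpVersion(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// fixed: { pkgName: ["15.4.9", "16.0.9", ...] } = minimum safe version per
// major.minor release line, copied from the vendor advisory for your releases.
function findVulnerable(lock, fixed) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const segs = path.split("node_modules/");
    const name = segs[segs.length - 1];           // last path segment
    if (!WATCHED.has(name) || !meta.version) continue;
    const depth = segs.length - 1;                // 1 = direct, 2+ = nested
    const line = parseVersion(meta.version).slice(0, 2).join(".");
    const fixedVer = (fixed[name] || []).find(
      (f) => parseVersion(f).slice(0, 2).join(".") === line);
    const status = !fixedVer ? "no-fix-known-for-line"
      : cmpVersion(meta.version, fixedVer) < 0 ? "vulnerable" : "patched";
    findings.push({ path, name, version: meta.version, depth, status });
  }
  return findings.sort((a, b) => a.depth - b.depth);
}

// Constructed sample lockfile: a direct Next.js dependency plus an RSC
// runtime buried two layers deep under an internal UI library.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "shop-frontend", version: "1.0.0" },
  "node_modules/next": { version: "15.4.2" },
  "node_modules/react": { version: "19.1.0" },
  "node_modules/@corp/ui-kit": { version: "2.3.0" },
  "node_modules/@corp/ui-kit/node_modules/react-server-dom-webpack": { version: "19.0.0" },
} };
// Placeholder fixed-version table (constructed numbers, not the advisory's).
const SAMPLE_FIXED = { next: ["15.4.9", "16.0.9"],
  "react-server-dom-webpack": ["19.0.2", "19.1.3", "19.2.2"] };
```

A release line with no entry in the table is reported as "no-fix-known-for-line" rather than silently treated as safe, so older or unexpected lines still get reviewed.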
Resources
China-nexus cyber threat groups rapidly exploit React2Shell ... - AWS, accessed December 12, 2025, https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
How react2shell-guard Gives Devs a Practical Response Plan - IT Security In Plain English (Medium), accessed December 12, 2025, https://medium.com/it-security-in-plain-english/how-react2shell-guard-gives-devs-a-practical-response-plan-5f86b98c44e4
CVE-2025-55182 – React Server Components RCE via Flight ..., accessed December 12, 2025, https://www.offsec.com/blog/cve-2025-55182/
Security Advisory: Critical RCE Vulnerabilities in React Server Components & Next.js - Snyk, accessed December 12, 2025, https://snyk.io/blog/security-advisory-critical-rce-vulnerabilities-react-server-components/
React2Shell flaw (CVE-2025-55182) exploited for remote code execution, accessed December 12, 2025, https://news.sophos.com/en-us/2025/12/11/react2shell-flaw-cve-2025-55182-exploited-for-remote-code-execution/
Detecting React2Shell: The maximum-severity RCE Vulnerability affecting React Server Components and Next.js | Sysdig, accessed December 12, 2025, https://www.sysdig.com/blog/detecting-react2shell
CVE-2025-55182 - CVE Record, accessed December 12, 2025, https://www.cve.org/CVERecord?id=CVE-2025-55182
React2Shell (CVE-2025-55182): Critical React Vulnerability | Wiz Blog, accessed December 12, 2025, https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
React2Shell Security Bulletin | Vercel Knowledge Base, accessed December 12, 2025, https://vercel.com/react2shell
React2Shell and related RSC vulnerabilities threat brief: early ..., accessed December 12, 2025, https://blog.cloudflare.com/react2shell-rsc-vulnerabilities-exploitation-threat-brief/
CVE-2025-55182: React2Shell Analysis, Proof-of-Concept Chaos ..., accessed December 12, 2025, https://www.trendmicro.com/en_us/research/25/l/CVE-2025-55182-analysis-poc-itw.html
React2Shell: Decoding CVE-2025-55182 – The Silent Threat in React Server Components, accessed December 12, 2025, https://blog.qualys.com/product-tech/2025/12/10/react2shell-decoding-cve-2025-55182-the-silent-threat-in-react-server-components
Serious React2Shell Vulnerabilities Require Immediate Attention, accessed December 12, 2025, https://www.sonatype.com/blog/react2shell-rce-vulnerabilities-require-immediate-attention
React2Shell and the Case for Deception in Your Vulnerability Management Program, accessed December 12, 2025, https://www.zscaler.com/blogs/product-insights/react2shell-and-case-deception-your-vulnerability-management-program