

CVE-2025-55182: Critical Remote Code Execution Vulnerability in React Server Components and Next.js (React2Shell)

  • Rescana
  • 42 minutes ago

Executive Summary

A critical security vulnerability, tracked as CVE-2025-55182 and colloquially named React2Shell, has been identified in React Server Components (RSC) and frameworks implementing the RSC "Flight" protocol, most notably Next.js. This vulnerability enables unauthenticated remote code execution (RCE) on affected servers, with a maximum CVSS score of 10.0. The flaw is being actively exploited in the wild, including by sophisticated China-nexus advanced persistent threat (APT) groups and opportunistic attackers. The attack surface includes any internet-exposed application utilizing vulnerable versions of React Server Components or frameworks such as Next.js, Waku, RedwoodSDK, @parcel/rsc, and @vitejs/plugin-rsc. Immediate patching and incident response are imperative to mitigate the risk of compromise, data exfiltration, and further lateral movement within affected environments.

Technical Information

The CVE-2025-55182 vulnerability, also known as React2Shell, resides in the insecure deserialization logic of the React Server Components "Flight" protocol. The "Flight" protocol is a binary transport mechanism used by RSC-enabled frameworks to serialize and transmit component trees and state between client and server. In affected versions, the protocol fails to adequately validate and sanitize incoming serialized payloads, allowing an attacker to craft malicious requests that trigger arbitrary code execution on the server.

The vulnerability affects the following packages and frameworks: react-server-dom-webpack (versions 19.0, 19.1.0, 19.1.1, 19.2.0), react-server-dom-parcel (same versions), and react-server-dom-turbopack (same versions). Frameworks and bundlers impacted include Next.js (App Router, 14.3.0-canary.77 and later canary releases, 15.x, 16.x), React Router (unstable RSC APIs), Waku, RedwoodSDK, @parcel/rsc, @vitejs/plugin-rsc, and others.

The root cause is a lack of robust input validation and deserialization controls in the RSC "Flight" protocol implementation. Attackers can exploit this by sending a specially crafted HTTP request to a vulnerable endpoint, which is then deserialized and executed by the server process. This attack vector is unauthenticated and remote, requiring no prior access or credentials.

Upon successful exploitation, attackers gain the ability to execute arbitrary code with the privileges of the server process. This can lead to a full system compromise, including credential theft, deployment of malware, cryptomining, and lateral movement within cloud or on-premises environments.

The technical community has published several references and advisories detailing the vulnerability and its exploitation, including the React Official Advisory, Wiz Research Blog, Trend Micro Analysis, Palo Alto Networks Unit42, and CISecurity Advisory.

Exploitation in the Wild

Exploitation of CVE-2025-55182 is widespread and ongoing. Publicly available proof-of-concept (PoC) code for unauthenticated RCE has been released, enabling both targeted and opportunistic attacks. Security research from Wiz, Amazon Threat Intelligence, and Datadog confirms active exploitation since December 5, 2025. GreyNoise has identified over 95 unique IP addresses conducting automated exploitation attempts, indicating broad scanning and exploitation activity.

Attackers are leveraging the vulnerability to gain shell access, harvest credentials (including AWS keys and environment variables), deploy cryptominers such as XMRig (both UPX-packed and standard variants), and install the Sliver command-and-control (C2) malware framework. Post-exploitation activity includes lateral movement, persistence, and resource hijacking for cryptomining.

Notable indicators of compromise (IOCs) include the presence of XMRig binaries, outbound DNS queries to domains such as *.oast[.]live and *.oastify[.]com, and connections to C2 infrastructure associated with Sliver. Shell scripts used in attacks often attempt to enumerate and exfiltrate cloud credentials, particularly from AWS environments.

The MITRE ATT&CK techniques observed in these campaigns include T1190 (Exploit Public-Facing Application), T1078 (Valid Accounts, for credential harvesting), T1496 (Resource Hijacking, for cryptomining), and T1105 (Ingress Tool Transfer, for malware delivery).

APT Groups Using This Vulnerability

Multiple China-nexus APT groups have been observed testing and exploiting CVE-2025-55182, according to reporting from AWS and Wiz. These groups are known for targeting cloud infrastructure, SaaS providers, and web application hosting environments globally. Their objectives typically include credential theft, persistent access, and the establishment of footholds for further espionage or monetization activities. The rapid adoption of public PoC code by these groups underscores the criticality of the vulnerability and the need for immediate defensive action.

Affected Product Versions

The following product versions are confirmed to be vulnerable:

React Server Components Packages (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack): The affected versions are 19.0, 19.1.0, 19.1.1, and 19.2.0. Secure versions are 19.0.1, 19.1.2, and 19.2.1.

Next.js: Vulnerable versions include 14.3.0-canary.77 and later canary releases, 15.x, and 16.x. Patched versions are 14.x stable, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7.

Other Frameworks: Products such as RedwoodSDK, Waku, Vite, Parcel, and React Router (unstable RSC APIs) are also affected. Users should consult vendor advisories and update to the latest secure releases as soon as possible.
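As an added example, not Rescana's code or tooling from the React or Next.js projects, the following Node.js script turns the version tables above into a check over a package-lock.json "packages" map. The lockfile fragment is constructed, and release lines the advisory does not mention are reported as unknown rather than guessed.

```javascript
// Added example (not Rescana's or the React/Next.js projects' code): checks the versions
// in a package-lock.json "packages" map against the affected/patched releases this
// advisory lists for CVE-2025-55182. No dependencies; a small parser replaces semver.
// First patched release per minor line, from the advisory ("19.0" means 19.0.0).
const RSC_FIRST_FIXED = { "19.0": 1, "19.1": 2, "19.2": 1 };
const NEXT_FIRST_FIXED = { "15.0": 5, "15.1": 9, "15.2": 6, "15.3": 6, "15.4": 8, "15.5": 7, "16.0": 7 };
const RSC_PACKAGES = ["react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"];

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: m[3] === undefined ? 0 : +m[3], pre: m[4] || "" };
}

// "vulnerable" / "not-vulnerable" for release lines the advisory covers, else "unknown".
function classify(p, firstFixed) {
  const fix = firstFixed[`${p.major}.${p.minor}`];
  if (fix === undefined || p.pre) return "unknown"; // line or pre-release not covered
  return p.patch >= fix ? "not-vulnerable" : "vulnerable";
}

function assessPackage(name, version) {
  const p = parseVersion(version);
  if (!p) return "unknown";
  if (RSC_PACKAGES.includes(name)) return classify(p, RSC_FIRST_FIXED);
  if (name !== "next") return "not-in-scope";
  if (p.major === 14) { // only 14.3.0-canary.77 and later canaries are affected; 14.x stable is not
    const canary = /^canary\.(\d+)$/.exec(p.pre);
    if (p.minor === 3 && p.patch === 0 && canary) return +canary[1] >= 77 ? "vulnerable" : "not-vulnerable";
    return p.pre ? "unknown" : "not-vulnerable";
  }
  return classify(p, NEXT_FIRST_FIXED);
}

// Walks a lockfile v2/v3 "packages" map; keys are "node_modules/<name>" paths,
// nested installs look like "node_modules/a/node_modules/<name>".
function scanLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.includes("node_modules/") || !meta || !meta.version) continue;
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const status = assessPackage(name, meta.version);
    if (status !== "not-in-scope") findings.push({ name, version: meta.version, path, status });
  }
  return findings;
}

// Constructed lockfile fragment for demonstration (not from a real project).
const SAMPLE_LOCK = { packages: {
  "": { name: "example-app", version: "1.0.0" }, "node_modules/react": { version: "19.2.0" },
  "node_modules/next": { version: "15.3.2" }, "node_modules/react-server-dom-webpack": { version: "19.2.0" },
} };
if (typeof require !== "undefined" && require.main === module) console.table(scanLockfile(SAMPLE_LOCK));
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; nested copies of `next` or `react-server-dom-*` pulled in by other dependencies are reported as well.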

Workaround and Mitigation

Immediate patching is the only effective mitigation for CVE-2025-55182. All organizations must upgrade affected packages and frameworks to the latest secure versions. For React, upgrade to 19.0.1, 19.1.2, or 19.2.1 as appropriate. For Next.js, upgrade to 14.x stable, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7. For other frameworks, monitor vendor channels and apply security updates as they become available.

In addition to patching, organizations should monitor for indicators of compromise, including outbound DNS queries to suspicious domains, unexpected processes such as XMRig or Sliver, and anomalous shell activity or credential access. Cloud environments should be audited for exposed Next.js or React instances and for evidence of post-exploitation activity, such as credential harvesting or cryptomining.
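An added example (not from Rescana's advisory) of the DNS monitoring described above: it refangs the two IOC domain patterns listed earlier and flags query log lines whose name falls under them on a label boundary. The log line format and sample entries are constructed.

```javascript
// Added example (not Rescana's code): scans DNS query logs for names under the
// out-of-band callback domains this advisory lists as IOCs. The log format is a
// constructed, simplified "<timestamp> <client-ip> <qname> <qtype>" line.

// Defanged exactly as the advisory prints them; refanged once at load time.
const IOC_DOMAINS_DEFANGED = ["*.oast[.]live", "*.oastify[.]com"];
const IOC_SUFFIXES = IOC_DOMAINS_DEFANGED.map(d =>
  d.replace(/\[\.\]/g, ".").replace(/^\*\./, "").toLowerCase());

// Returns the matching IOC suffix, or null. Matches the apex and any subdomain
// on a label boundary, so "notoastify.com" does not match "oastify.com".
function matchIoc(qname) {
  const name = qname.toLowerCase().replace(/\.$/, ""); // drop trailing root dot
  return IOC_SUFFIXES.find(s => name === s || name.endsWith("." + s)) || null;
}

function parseDnsLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 4) return null;
  return { ts: f[0], client: f[1], qname: f[2], qtype: f[3] };
}

// One finding per matching line, carrying the client address so responders
// can identify which host issued the callback lookup.
function scanDnsLog(lines) {
  const findings = [];
  for (const line of lines) {
    const rec = parseDnsLine(line);
    if (!rec) continue;
    const ioc = matchIoc(rec.qname);
    if (ioc) findings.push({ ...rec, ioc });
  }
  return findings;
}

// Constructed sample log (not real traffic): two callback lookups, two benign ones,
// and one near-miss that shares a suffix substring without being a subdomain.
const SAMPLE_DNS_LOG = [
  "2025-12-06T10:01:02Z 10.0.3.14 www.example.com A",
  "2025-12-06T10:01:05Z 10.0.3.14 cx7k2a1b.oastify.com. A",
  "2025-12-06T10:01:07Z 10.0.3.22 registry.npmjs.org AAAA",
  "2025-12-06T10:01:09Z 10.0.3.22 notoastify.com A",
  "2025-12-06T10:01:11Z 10.0.3.22 a.b.oast.live TXT",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const f of scanDnsLog(SAMPLE_DNS_LOG)) console.log(`${f.ts} ${f.client} -> ${f.qname} (IOC ${f.ioc})`);
}
```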

Where immediate patching is not feasible, organizations should consider isolating or disabling vulnerable endpoints, restricting network access to RSC-enabled applications, and deploying web application firewalls (WAFs) with custom rules to block known exploit patterns. However, these measures are not a substitute for patching and should be considered temporary risk reduction steps.

Rescana is here for you

Rescana is committed to helping organizations manage and mitigate third-party and supply chain cyber risk. Our TPRM platform provides continuous monitoring, automated risk assessment, and actionable intelligence to help you stay ahead of emerging threats. If you have questions about this advisory, need assistance with incident response, or want to learn more about how Rescana can help secure your digital ecosystem, please contact us at ops@rescana.com.
