Unveiling CVE-2025-55182 - React to this!

I am a 19-year-old, self-taught computer programmer and aspiring malware analyst. I have also taught myself penetration testing via TryHackMe and HTB. I hope to one day work in a security operations centre, protecting companies worldwide from threats.
Recently, a new unauthenticated remote code execution vulnerability was disclosed as CVE-2025-55182.
It affects Next.js and React applications, and exploitation is spreading like wildfire. In this post I will dive into what the vulnerability is and how it is exploited.
CVE-2025-55182 (React2Shell): critical (CVSS 10.0) remote code execution (RCE) vulnerability in React Server Components, caused by unsafe deserialization in the Flight protocol. Affects React 19.x and the frameworks built on it: Next.js 15.x/16.x (App Router), React Router, Waku. Disclosed 3 Dec 2025; exploited within hours by China-nexus groups (e.g., Earth Lamia) for cryptomining, secret harvesting and backdoors.
Mitigation: update to the patched releases listed under the mitigation strategies below; enable vendor WAF rules (AWS, Cloudflare, Vercel); monitor for IOCs such as anomalous payloads in server-action HTTP params ($ACTION_REF_0). Note that $ACTION_* fields are also sent by legitimate server actions, so alert on their contents rather than on their mere presence.
Core mechanism: unauthenticated RCE via unsafe deserialization in the React Server Components (RSC) Flight protocol. The attacker sends a crafted HTTP POST to an RSC endpoint (e.g., /build-manifest.json or a server-action route in the Next.js App Router), injecting serialized payloads into params such as $ACTION_REF_0 or $ACTION_0:0. Deserializing the payload executes attacker-controlled JS on the server, with whatever privileges the Node.js process has.
Steps:
Recon: scan for RSC-enabled apps (e.g., via Shodan/Wappalyzer, or by looking for Next.js 15.x/16.x response headers such as rsc or x-powered-by: Next.js).
Payload craft: serialize a malicious JS object (e.g., prototype pollution such as {__proto__: {exec: 'cmd'}}, or a direct eval) in Flight format. Example PoC snippet (from public GitHub repos; note that a key such as $ACTION_0:0 must be quoted to be valid JavaScript):
fetch('/api/action', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    '$ACTION_REF_0': 'eval',
    '$ACTION_0:0': 'require("child_process").execSync("id")',
  }),
});
Trigger: the server deserializes the payload, polluting prototypes or calling the referenced function, and spawns a shell (e.g., uid=1001(nextjs)).
Post-exploitation:
Recon/harvest: run ls /etc/secrets and env | grep AWS, then exfiltrate the results over HTTP.
Persistence: deploy backdoors (e.g., cron jobs, Kubernetes RBAC modifications).
Monetize: cryptomining (XMRig payloads), lateral movement to cloud resources.
Mitigation strategies:
Primary: Patch Immediately
Update React to 19.2.1+.
Update Next.js to 15.1.4+ or 16.0.7+ (check the vendor advisory for the exact patch release of the minor line you are on).
Rebuild and redeploy applications after upgrading; bumping the dependency alone does not change the bundle that is already running.
Temporary: WAF rules
Deploy custom rules that block payloads containing "constructor:" or "__proto__" in POST args.
Azure WAF: use DRS 2.1 plus a custom rule over PostArgs/RequestHeaders.
Google Cloud Armor: enable the cve-canary rule.
Cloudflare/Vercel: activate the RSC-specific protections.
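As an added example (not code from the original post, nor from the React or Next.js projects), here is the custom-rule idea above, and the IOC monitoring mentioned in the mitigation summary, written out as a request screen in plain JavaScript. It inspects a POST body for the indicators named on this page (a "constructor" or "__proto__" key in the POST args, and code such as require("child_process") or execSync( inside $ACTION_* fields) while letting a normal server-action submission through. The request shape { method, headers, body }, the req.rawBody property used by the middleware wrapper, and all sample requests are constructed for this demo and are assumptions, not captured traffic.

```javascript
// Added example (not code from the original post, nor from the React/Next.js
// projects): a request screen that applies the indicators named on this page
// ("constructor:" / "__proto__" in POST args, and code such as
// require("child_process") inside $ACTION_* fields) to a POST body. The request
// shape { method, headers, body } and all sample requests are constructed here.

// Keys that must never appear in a deserialized request body.
const KEY_DENYLIST = new Set(['__proto__', 'constructor', 'prototype']);

// Patterns checked against every string (keys and values) in the body.
const VALUE_PATTERNS = [
  { name: 'proto-pollution', re: /__proto__|["']constructor["']\s*:|\bprototype\b\s*[\[.]/ },
  { name: 'child-process',   re: /child_process/ },
  { name: 'shell-exec',      re: /\b(execSync|spawnSync|exec|spawn|eval)\s*\(/ },
];

// Parse JSON or form-encoded bodies; anything else (e.g. multipart) is scanned
// as raw text so the indicators are still seen.
function parseBody(contentType = '', body = '') {
  const ct = String(contentType).toLowerCase();
  if (ct.includes('application/json')) {
    try { return JSON.parse(body); } catch { return body; }
  }
  if (ct.includes('application/x-www-form-urlencoded')) {
    return Object.fromEntries(new URLSearchParams(body));
  }
  return body;
}

// Flatten a parsed body into { path, text, isKey } entries so nested objects
// such as {"$ACTION_0:0":{"__proto__":{...}}} are inspected, not just the top
// level. Object.keys() returns own keys only, which is exactly where JSON.parse
// puts an attacker-supplied "__proto__" key.
function walkStrings(value, path = '$', out = [], depth = 0) {
  if (depth > 16) return out;                       // guard against deep nesting
  if (typeof value === 'string') {
    out.push({ path, text: value, isKey: false });
  } else if (value && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      out.push({ path, text: key, isKey: true });
      walkStrings(value[key], `${path}.${key}`, out, depth + 1);
    }
  }
  return out;
}

// Returns { block, findings }. $ACTION_* field names on their own are normal
// for server actions, so only the contents decide; the path is kept for alerts.
function screenRequest(req) {
  const findings = [];
  if (String(req.method || 'GET').toUpperCase() !== 'POST') {
    return { block: false, findings };
  }
  const headers = req.headers || {};
  const parsed = parseBody(headers['content-type'], req.body || '');
  for (const { path, text, isKey } of walkStrings(parsed)) {
    if (isKey && KEY_DENYLIST.has(text)) {
      findings.push({ rule: 'denied-key', path, text });
      continue;
    }
    for (const { name, re } of VALUE_PATTERNS) {
      if (re.test(text)) findings.push({ rule: name, path, text: text.slice(0, 80) });
    }
  }
  return { block: findings.length > 0, findings };
}

// Express-style middleware wrapper. Assumes an earlier middleware stored the
// raw body text on req.rawBody (an assumption made for this example).
function rscGuard(req, res, next) {
  const verdict = screenRequest({ method: req.method, headers: req.headers, body: req.rawBody });
  if (verdict.block) {
    res.status(403).json({ error: 'blocked', findings: verdict.findings });
    return;
  }
  next();
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = {
  // A normal server-action form submission: $ACTION_ID_* present, nothing hostile.
  benign: {
    method: 'POST',
    headers: { 'content-type': 'application/x-www-form-urlencoded' },
    body: '$ACTION_ID_7f1e2d3c=&email=alice%40example.com&note=please+call+me',
  },
  // Mirrors the shape of the PoC snippet quoted earlier on this page.
  malicious: {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify({
      '$ACTION_REF_0': 'eval',
      '$ACTION_0:0': 'require("child_process").execSync("id")',
    }),
  },
  // Prototype-pollution shaped payload nested inside an action argument.
  nested: {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: '{"$ACTION_REF_0":"x","$ACTION_0:0":{"__proto__":{"polluted":true}}}',
  },
};

for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
  console.log(name, JSON.stringify(screenRequest(req)));
}
```

The benign submission passes and both hostile bodies are blocked with the offending field path in the findings. Treat this as a stopgap in the same spirit as the vendor WAF rules: it catches the indicators this page names, an attacker can vary the encoding, and only the patch removes the bug.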
Real World Example:
15x.3x.1x9.x0/ - A hypothetical training program.
Identified via masscan, we can now pass the URL to this proof-of-concept: https://github.com/msanft/CVE-2025-55182. I have altered the script to execute a series of my own commands for enumeration purposes.

Using the CVE-2025-55182 PoC, attackers get command execution with zero authentication, as whatever user the Node.js process runs as; on this host that user is root. Scary, right?
In the screenshot above, you can see that I have executed the system commands id, uname -a and pwd for the purpose of this demonstration. Disclose responsibly and never set out to breach systems.
Countless threat actors are actively using this exploit to spread ransomware and botnets. Please update all Next.js and React applications immediately.

These are two different servers running Next.js/React, and as you can see in both screenshots, we are running as root!
Conclusion:
Many of these devices may be running Next.js or React as root. This is a diabolical mistake by system administrators: with an unauthenticated RCE, a root Node.js process means a hacker's reverse shell lands with full control of the host, from which they can pivot into the rest of the network. Run the Node.js process as an unprivileged user (a dedicated service account, or USER node in a container image) so that a compromise of the app is contained to that account. Additionally, Censys states that over 2.15 million devices are running a vulnerable version of React [https://censys.com/advisory/cve-2025-55182]. That is a pretty big attack surface if you ask me. I bet the botnet operators are laughing all the way to the bank :D
Please update & upgrade your React.js/Next.js applications before you get popped!