Updated 10:17, December 9, with more details from Wiz.
Exploitation of CVE-2025-55182, dubbed React2Shell, is escalating in the wild, say security researchers. Amazon said it had seen a trio of China-linked threat groups exploiting the pre-auth RCE bug – while Cloudflare inadvertently took down its own services as it scrambled to roll out an Internet-scale fix.
The CVSS 10 vulnerability affects React and Next.js. Public disclosure came on December 3. Exploitation of the React bug followed within 30 hours.
Ongoing attacks are targeting cloud environments, with attackers using the exploit to "obtain an interactive shell inside application containers (for example, Next.js frontends running in Kubernetes/GKE)," warned Wiz.
Threat actors managed to replicate a variant of the elegantly simple proof-of-concept code from New Zealand-based researcher Lachlan Davidson, who disclosed the bug, and attacks are now happening at some scale – with the caveat that exploitability is limited to newer stacks; CVE-2025-55182 affects React 19+ and Next.js versions 15.x and 16.x when using its App Router functions.
(There’s even a publicly available Chrome extension on GitHub that automatically scans for and exploits vulnerable sites as attackers browse.)
Vercel CEO Guillermo Rauch has a useful walkthrough of the “doozy” of a bug here, describing it as “A juxtaposition of a glaring omission of a safety check, combined with a stunningly brilliant mechanism to exploit it.”
Overreaction to a “celebrity vulnerability”?
To security researcher Kevin Beaumont, the furore around the bug is an “overreaction”: React 19 was only released in December 2024, and exploitability relies on the use of React Server Components, which are also new.
“This is a niche setup,” he wrote this weekend.
Beaumont added: “A vast majority of organisations won’t have this setup yet, let alone internet facing. The vulnerability was caught quickly after it was first introduced in the new feature by the maintainers…”
Nextron Systems’ Florian Roth notes that, despite this and some other configuration caveats, the attack surface is not insignificant: “In Next.js with the App Router, Server Components are the default. Pages and layouts are server components unless you explicitly mark them with ‘use client’.
“React 19 alone doesn’t enable this by itself, but once a framework like Next.js implements RSC, you are effectively in that model by default…”
Sysdig notes that other frameworks are vulnerable, including:
- Next.js (15.0.4 through 16.0.6, plus canaries from 14.3.0-canary.77)
- React Router (RSC mode)
- Waku
- Parcel RSC (@parcel/rsc)
- Vite RSC (@vitejs/plugin-rsc)
- RedwoodSDK (rwsdk)
Security researcher search engine ZoomEye suggests that more than 672,000 exposed assets may already have been exploited – with React2Shell progressively being added to Mirai and other botnet exploitation kits.
(On the server, Next.js uses React's APIs to orchestrate rendering. The rendering work is split into chunks… Server Components are rendered into a data format called the React Server Component Payload, or “RSC Payload”, and Client Components and the RSC Payload are used to pre-render HTML.)
React2Shell: Leave no trace
A key challenge for defenders, as ever, is identifying their attack surface (Assetnote has provided a free scanner that the original finder of the vulnerability, Lachlan Davidson, himself describes as “very effective at detecting unpatched Next.js instances that use Server Components”).
Identifying exploitation is notably challenging too. As Roth noted on X: “It’s wild how little sticks around when someone hits a server with the React RCE payload. All the interesting parts of the POST request live for a moment in memory, get decoded, executed (or rejected), and vanish. Nothing hits a log, nothing lands on disk. You can scan process memory for patterns, sure, but you’ll mostly catch scanners, broken requests, bots, random noise.”
He added: “A clean ‘this was a successful exploit’ signal isn’t really possible here. The only reliable detection is post-exploitation activity on the box.”
His colleague Swachchhanda Poudel over the weekend developed some Sigma rules "that cover the one thing that reliably shows up when someone actually executes code on a Node.js server -> child processes. One rule for Linux, one for Windows. It’s not a silver bullet," wrote Roth, "just one of the few angles that makes sense right now. We pushed all our YARA and Sigma signatures for the React RCE cases as well, and contributed the Sigma rules upstream: https://github.com/SigmaHQ/sigma/pull/5795"
"This whole situation shows how much attack surface lives in places many of us didn’t think about before. I expect we’ll see more of this class of issues now that people realize what’s possible."
Wiz, in an updated December 8 blog, said that "multiple campaigns show a strong focus on cloud and developer credential theft."
- "One actor used a reverse shell to systematically dump npm, AWS, Docker, Git, SSH and application package.json data from a Next.js server, all base64-encoded for exfiltration."
- "A separate campaign executed a Base64-encoded script that:
  - Scrapes environment variables for cloud and application secrets (e.g., AWS, TOKEN, SECRET, PASS, DB_).
  - Recursively scans key filesystem paths (/home, /root, /etc, /var/www, /opt) for config and key material (*.env, JSON/YAML configs, SSH keys, etc.), while avoiding large or noisy files.
  - Attempts to access the cloud instance metadata service at 169.254.169.254/latest/meta-data/iam/security-credentials/ to retrieve IAM credentials, indicating clear cloud-specific privilege escalation intent."
"Another large, standalone shell script retrieved by attackers performs broad secret harvesting at scale:
- Walks /root and all /home/* directories.
- Targets common cloud/dev paths such as .ssh, .aws, .kube, .config/gcloud, and multiple cryptocurrency wallet locations.
- Captures environment, OS details, network interfaces, process list (ps aux), and network connections (netstat -anpt).
- Bundles all findings into a single report file and uploads it via HTTP POST to attacker-controlled infrastructure, using whichever tool is available (curl, wget, or python)."
"This behavior highlights a clear trend: attackers treat compromised containers as credential collection points for both cloud control planes and adjacent developer tooling," it added.
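The detection angle Roth describes (a Node.js server spawning child processes) and the post-exploitation behaviours Wiz lists (instance-metadata credential requests, environment-variable secret scraping) can be hunted for in ordinary process-creation telemetry. The script below is an added illustration written for this article; it is not Nextron's Sigma rules, not Wiz's analysis, and not code from any of the projects named. The JSON event field names (ts, host, parent_image, image, cmdline), the process-name lists and the sample log lines are all constructed assumptions modelled on a generic EDR or auditd JSON-lines export, and the three rules only approximate the logic the text describes.

```python
"""Hunting for React2Shell-style post-exploitation in process-creation events.

Added example, not part of the original article. Event schema and sample
lines are constructed; rule logic approximates the text, not the upstream
SigmaHQ rules.
"""
import json
import re
from collections import Counter
from dataclasses import dataclass

# Parents that identify the Node.js / Next.js runtime (assumed names).
NODE_PARENTS = {"node", "nodejs", "next-server"}
# Children a rendering server should essentially never spawn in production.
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "zsh", "cmd", "powershell",
                       "curl", "wget", "python", "python3", "nc", "perl"}
# Instance-metadata endpoints (AWS-style IP, GCP hostname) used by the harvesters.
IMDS_MARKERS = ("169.254.169.254", "/latest/meta-data/", "metadata.google.internal")
# Environment dumping combined with the secret keywords Wiz quotes.
ENV_DUMP_RE = re.compile(r"\b(env|printenv|environ)\b")
SECRET_KEYWORDS_RE = re.compile(r"\b(AWS|TOKEN|SECRET|PASS|DB_)")


@dataclass
class Finding:
    rule: str
    host: str
    ts: str
    cmdline: str


def basename(path: str) -> str:
    """Last path component, lower-cased, with a Windows .exe suffix stripped."""
    name = re.split(r"[\\/]", path)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def parse_events(lines):
    """Parse JSON-lines process events, skipping blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # malformed telemetry should not abort the hunt
    return events


def match_rules(ev) -> list:
    """Return the rule ids one event triggers (an event may hit several)."""
    hits = []
    parent = basename(ev.get("parent_image", ""))
    child = basename(ev.get("image", ""))
    cmd = ev.get("cmdline", "")
    if parent in NODE_PARENTS and child in SUSPICIOUS_CHILDREN:
        hits.append("node_child_process")
    if any(marker in cmd for marker in IMDS_MARKERS):
        hits.append("imds_credential_access")
    if ENV_DUMP_RE.search(cmd) and SECRET_KEYWORDS_RE.search(cmd):
        hits.append("env_secret_scrape")
    return hits


def analyze(lines) -> list:
    """Run every rule over every parsed event and collect findings."""
    return [Finding(rule, ev.get("host", "?"), ev.get("ts", "?"), ev.get("cmdline", ""))
            for ev in parse_events(lines) for rule in match_rules(ev)]


def summarize(findings) -> dict:
    """Count findings per rule, e.g. for a triage dashboard."""
    return dict(Counter(f.rule for f in findings))


# Constructed sample telemetry (not real logs): three hostile events on a
# Next.js container, two benign events, and one malformed line.
SAMPLE_LOG = [
    '{"ts": "2025-12-07T02:11:04Z", "host": "web-7f9", "parent_image": "/usr/local/bin/node", "image": "/bin/sh", "cmdline": "sh -c id"}',
    '{"ts": "2025-12-07T02:11:09Z", "host": "web-7f9", "parent_image": "/usr/local/bin/node", "image": "/usr/bin/curl", "cmdline": "curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/"}',
    '{"ts": "2025-12-07T02:11:12Z", "host": "web-7f9", "parent_image": "/usr/local/bin/node", "image": "/bin/sh", "cmdline": "sh -c env | grep -E AWS|TOKEN|SECRET|PASS|DB_"}',
    '{"ts": "2025-12-07T02:30:00Z", "host": "bastion-1", "parent_image": "/bin/bash", "image": "/usr/bin/ps", "cmdline": "ps aux"}',
    '{"ts": "2025-12-07T02:31:00Z", "host": "web-7f9", "parent_image": "/usr/local/bin/node", "image": "/usr/local/bin/node", "cmdline": "node /app/.next/server/worker.js"}',
    'this line is not JSON',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts} {f.host} [{f.rule}] {f.cmdline}")
    print(summarize(analyze(SAMPLE_LOG)))
```

The node-child-process rule is deliberately broad, which is the trade-off Roth alludes to: build pipelines and npm scripts legitimately spawn shells, so scope it to production runtime containers or allowlist known build hosts rather than loosening the rule. The IMDS and environment-scraping rules are higher-confidence on their own, and any of the three firing from a Next.js process after the December 3 disclosure is worth treating as a post-exploitation signal rather than hunting for the request itself, which, as the text notes, leaves nothing on disk.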