December 8, 2025

React2Shell (CVE-2025-55182) — Deep Dive

Protos AI Agent V2

#React2Shell #CyberSecurity #CVE_2025_55182

Date: 2025-12-06
Classification: TLP:CLEAR
Analyst: Threat Intelligence Team

Executive Summary

React2Shell (CVE-2025-55182) is a critical unauthenticated remote-code-execution (RCE) flaw caused by unsafe deserialization in the React Server Components (RSC) Flight protocol.
It affects React 19.x (react-server-dom-*) and downstream Next.js 15.x / 16.x applications using the App Router + RSC features.
Public proof-of-concept (PoC) exploits, Nuclei templates, and automated scanners are already circulating; telemetry from several vendors (React, Next.js, GreyNoise, AWS, JFrog) confirms active scanning and exploitation attempts.
Immediate patching and defensive monitoring are strongly advised.

Scope of Investigation

  • Objective: Assess exploitability, PoCs, and in-the-wild activity; verify IoCs; and provide mitigations.
  • Period: Nov → Dec 2025 (30-day window).
  • Sources: React team advisory, Next.js GHSA, GitHub PoCs, ProjectDiscovery Nuclei, AssetNote scanner, vendor blogs (GreyNoise / AWS / JFrog), community write-ups (CSO Online).

Validation Summary

  • HIGH: CVE-2025-55182 confirmed (CVSS 10.0); patched in React 19.0.1 / 19.1.2 / 19.2.1 and Next.js 15.0.5–16.0.7. Evidence: React blog + Next.js GHSA.
  • HIGH: Multiple PoCs show RCE via child_process.execSync and PowerShell payloads. Evidence: GitHub repos, Nuclei templates, AssetNote scanner.
  • HIGH: Exploit path: crafted multipart Flight requests → unsafe chunk resolution → server-side code execution. Evidence: verified PoC payloads.
  • MEDIUM: Opportunistic scanning / botnet activity observed (possible China-nexus links). Evidence: vendor blogs; telemetry referenced but not shared.
  • LOW: “react2shell” malicious npm package exists: no evidence. Evidence: npm registry check, none found.

Observed TTPs (MITRE ATT&CK Mapping)

  1. Initial Access
     Technique: Exploit Public-Facing Application (T1190)
     Description: Attackers send crafted multipart/form-data Flight payloads to React Server Components endpoints, exploiting unsafe deserialization.
     Detection indicators: RSC/App Router POSTs containing Flight markers ($@, _response, _formData, "status":"resolved_model"); headers such as next-action and rsc-action-id.
     Recommended mitigations: Patch React/Next.js to fixed versions; implement WAF rules to block suspicious RSC payloads; apply rate limiting.
     Confidence: High

  2. Execution
     Technique: Command & Scripting Interpreter — JavaScript / Node.js (T1059.007), PowerShell (T1059.001)
     Description: Exploitation leads to system command execution through child_process.execSync or PowerShell -enc/IEX.
     Detection indicators: App/server logs showing Node spawning curl, wget, or PowerShell; PowerShell with -enc, DownloadString, or IEX.
     Recommended mitigations: Enable EDR and process auditing; restrict Node.js runtime privileges; monitor command-line arguments.
     Confidence: High

  3. Execution (Validation)
     Technique: Command & Scripting Interpreter (T1059)
     Description: Exploit scripts use deterministic math or echo commands to confirm RCE success before deploying payloads.
     Detection indicators: Low-noise arithmetic POSTs (e.g., 40138*41979) and deterministic numeric output in the HTTP response.
     Recommended mitigations: Alert on repeated arithmetic requests; block or throttle after thresholds.
     Confidence: High

  4. Command and Control
     Technique: Ingress Tool Transfer (T1105)
     Description: Attackers fetch stage-2 payloads using curl, wget, or PowerShell IEX/New-Object WebClient.
     Detection indicators: Outbound HTTP traffic to uncommon IPs/ports (e.g., 652/tcp); process arguments containing curl, wget, or PowerShell download patterns.
     Recommended mitigations: Apply strict egress filtering; enforce outbound allowlists; disable unnecessary web client modules.
     Confidence: High

  5. Defense Evasion
     Technique: Impair Defenses (T1562.001), Obfuscated Files or Information (T1027)
     Description: Post-exploitation scripts attempt AMSI bypasses and use Base64 encoding or reflection-based evasion.
     Detection indicators: AMSI tamper logs; PowerShell reflection on AmsiUtils; script-block logging showing encoded payloads.
     Recommended mitigations: Enforce PowerShell ConstrainedLanguageMode; enable AMSI and script-block logging; EDR detection for AMSI tampering.
     Confidence: Medium

  6. Credential Access / Impact
     Technique: OS Credential Dumping (T1003), Resource Hijacking (T1496)
     Description: Attackers deploy xmrig miners, extract system credentials, and create persistence through cron or services.
     Detection indicators: Elevated CPU usage; unauthorized cron jobs; suspicious outbound connections to mining pools; /etc/passwd access attempts.
     Recommended mitigations: Host containment; rotate credentials; block mining pools; implement process whitelisting.
     Confidence: High

  7. Reconnaissance
     Technique: Active Scanning (T1595)
     Description: Automated scanners and botnets probe for vulnerable RSC endpoints using Go or Python clients.
     Detection indicators: Large-scale POST requests, scanner user-agents (Go-http-client/1.1, Assetnote/1.0.0), rapid IP changes.
     Recommended mitigations: Use WAF + blocklists (GreyNoise/vendor feeds); deploy honeypots for early detection.
     Confidence: High

  8. Lateral Movement / Credential Abuse
     Technique: Valid Accounts: Cloud Accounts (T1078.004), Use Alternate Authentication Material: Application Access Token (T1550.001)
     Description: Stolen credentials or tokens reused for cloud lateral movement and privilege escalation.
     Detection indicators: IAM anomalies, new API key issuance, unexpected STS token usage or metadata service access.
     Recommended mitigations: Enforce least privilege; enable MFA; rotate keys frequently; monitor IAM activity logs.
     Confidence: Medium
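As an added example (not code from this report or from the React/Next.js projects), the Node.js script below scores captured HTTP request records against the request-side indicators from rows 1, 3 and 7 above. The marker strings, header names and user-agents are taken from the report; the weights, alert threshold, regular expressions and sample records are assumptions for illustration.

```javascript
// Added example (not the report's or React/Next.js code): score captured HTTP
// request records against the Flight-abuse indicators in TTP rows 1, 3 and 7.
// Markers and header names come from the report; weights, the alert threshold
// and the sample records are assumptions for illustration.
const BODY_MARKERS = ['$@', '_response', '_formData', 'status":"resolved_model'];
const RSC_HEADERS = ['next-action', 'rsc-action-id'];
// Row 3: a bare product of two multi-digit integers used to confirm execution.
const ARITH_PROBE = /\b\d{4,}\s*\*\s*\d{4,}\b/;
// Row 7: scanner user-agents named in the report.
const SCANNER_UA = /^(Go-http-client\/1\.1|Assetnote\/1\.0\.0)/;

// Legitimate server actions also carry next-action headers and "$@" references,
// so those are low weight; the arithmetic probe and the resolved_model status
// marker in a request body are the strong signals (assumed weights).
const WEIGHTS = { multipart: 1, header: 1, marker: 1, resolved_model: 3, arith: 4, scanner: 2 };
const ALERT_THRESHOLD = 5;

// req: { method, headers: { name: value }, body: string }
function scoreRscRequest(req) {
  const headers = {};
  for (const [k, v] of Object.entries(req.headers || {})) headers[k.toLowerCase()] = String(v);
  const body = req.body || '';
  const reasons = [];
  let score = 0;
  const add = (w, why) => { score += WEIGHTS[w]; reasons.push(why); };

  if (req.method === 'POST' && (headers['content-type'] || '').includes('multipart/form-data')) {
    add('multipart', 'multipart POST');
  }
  for (const h of RSC_HEADERS) if (h in headers) add('header', `header ${h}`);
  for (const m of BODY_MARKERS) {
    if (body.includes(m)) add(m.includes('resolved_model') ? 'resolved_model' : 'marker', `marker ${m}`);
  }
  if (ARITH_PROBE.test(body)) add('arith', 'arithmetic RCE probe');
  if (SCANNER_UA.test(headers['user-agent'] || '')) add('scanner', 'scanner user-agent');
  return { score, alert: score >= ALERT_THRESHOLD, reasons };
}

// Constructed samples: a benign server-action call, then a probe carrying the report's indicators.
const SAMPLES = [
  { method: 'POST', headers: { 'Content-Type': 'text/plain;charset=UTF-8', 'Next-Action': 'a1b2' },
    body: '["$@1",{"id":7}]' },
  { method: 'POST',
    headers: { 'Content-Type': 'multipart/form-data; boundary=x', 'Next-Action': 'a1b2', 'User-Agent': 'Go-http-client/1.1' },
    body: '--x\r\nContent-Disposition: form-data; name="0"\r\n\r\n{"status":"resolved_model","_response":{},"_formData":"40138*41979"}\r\n--x--' },
];
function scoreSamples() { return SAMPLES.map(scoreRscRequest); }
for (const r of scoreSamples()) console.log(JSON.stringify(r));
```

Tune the weights against a baseline of your own legitimate server-action traffic before alerting on them; a lone next-action header or "$@" reference is normal RSC behaviour.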

Indicators of Compromise (Defanged / Require Vendor Verification)

  • URLs: hxxp://23[.]235[.]188[.]3:652/qMqSb
  • IPs: 206[.]237[.]3[.]150, 45[.]77[.]33[.]136, 143[.]198[.]92[.]82, 183[.]6[.]80[.]214
  • HTTP patterns: Flight payloads containing "$@", "status":"resolved_model" or "_formData", and the headers next-action and rsc-action-id. (Medium confidence; vendor telemetry pending.)

Risk Assessment

Risk Evaluation Summary

  • Severity: Critical (unauthenticated RCE over network)
  • Exposure: Widespread due to React/Next.js adoption
  • Likelihood: High (public PoCs + active scanning)
  • Impact: Server takeover → credential theft, lateral movement, cryptomining
  • Overall Risk: CRITICAL / CVSS 10.0

Recommended Actions

  1. Patch Immediately (P0) – Upgrade to React ≥ 19.2.1 and Next.js ≥ 16.0.7.
  2. Enable WAF Rules (P1) – Block Flight payload markers ($@, _formData); apply AWS WAF v1.24+ or equivalent.
  3. Detection & Hunting (P1) – Log analysis for RSC requests and Node.js spawning shells; monitor PowerShell -enc/IEX.
  4. Validate and Block IoCs (P2) – Use GreyNoise/vendor lists but confirm telemetry before enforcement.
  5. Incident Response (P0 if compromised) – Isolate host, collect forensics, rotate credentials, review persistence.
  6. Developer Guidance (P1) – Avoid testing PoCs in production; audit CI artifacts for committed payloads.

Gaps / Next Steps

  • Obtain raw telemetry from GreyNoise, AWS MadPot, JFrog, Wiz for IoC confirmation.
  • Expand npm registry monitoring for typosquats.
  • Continue active hunting for Flight-pattern requests and unusual Node process chains.
  • Conduct forensic review on any suspected host and apply credential rotation.

References

  • React Security Advisory (Dec 2025)
  • Next.js GHSA-2025-RSC-001
  • ProjectDiscovery Nuclei Template CVE-2025-55182.yaml
  • AssetNote Scanner write-up
  • GreyNoise, AWS MadPot, JFrog Blogs
  • CSO Online coverage of React2Shell
