Full Report
Widespread exploitation of the vulnerability known as React2Shell has prompted CISA to shorten the deadline federal agencies have to patch the bug.
Analysis Summary
# Vulnerability: React2Shell (CISA Known Exploited Vulnerability)
## CVE Details
- CVE ID: **CVE-2025-55182**
- CVSS Score: Not specified in the text. CISA's shortened remediation deadline reflects confirmed in-the-wild exploitation rather than a published score; treat the issue as **Critical/High** until the vendor's score is confirmed.
- CWE: Not specified in the text.
## Affected Systems
- Products: **React Server Components** (a React feature embedded in thousands of applications, including those built on server-rendered frameworks such as Next.js).
- Versions: Not specified in the text. The vulnerable code lives in the `react-server-dom-*` packages, which sit directly in the request path of any exposed web asset that uses Server Components for server-side data fetching or layout composition.
- Configurations: Applications using React Server Components, particularly those that rely on server-side rendering and partial page updates at public-facing entry points (homepages, articles, search results, etc.).
## Vulnerability Description
The vulnerability, dubbed React2Shell, affects React Server Components. Because the `react-server-dom-*` packages handle incoming requests directly, any internet-exposed asset running a vulnerable version is reachable by an unauthenticated attacker with no prior access. The source does not detail the flaw class (e.g., RCE, deserialization), but observed attacks result in unauthorized system access followed by malware deployment and data theft.
## Exploitation
- Status: **Exploited in the wild** (confirmed by CISA, Unit 42, and other researchers).
- Complexity: Implied **Low/Medium**, since actors ranging from opportunistic script abusers to nation-state groups are exploiting it with automated scripts.
- Attack Vector: Network (internet-accessible instances are targeted directly).
## Impact
- Confidentiality: **High** (observed installation of backdoors associated with nation-state actors, and theft of AWS credentials).
- Integrity: **High** (observed execution of malware and unauthorized configuration changes on compromised hosts).
- Availability: **Medium/High** (observed deployment of Mirai bots and cryptominers, which consume host resources).
## Remediation
### Patches
- **Action Required:** Federal agencies were initially given until December 26th; CISA has since shortened that deadline, so patching is urgent. *Specific patched versions are not provided in the text; take them from the React project's advisory.*
### Workarounds
- **Mitigation:** CISA mandates that federal agencies "check for signs of potential compromise on all internet accessible REACT instances **after applying mitigations**." Patching is the only mitigation this source describes; no configuration-level workaround is detailed.
## Detection
- Indicators of Compromise (IOCs):
- Presence of known malware strains deployed through this vector: **Snowlight, VShell, NoodleRAT, XMRig, BPFDoor, Auto-Color, Mirai, Supershell.**
- Cryptominer deployments.
- Installation of persistent backdoors (including those linked to Red Menshen / China-linked groups).
- Installation of novel implants (e.g., EtherRAT, the Ethereum-based implant Sysdig links to DPRK actors).
- Suspicious activity targeting AWS configuration credentials.
- Detection Methods and Tools: Incident response analysis for the artifacts listed above on internet-facing web assets running React Server Components. Because exploitation was widespread before patches were applied, organizations should hunt for post-exploitation activity on every exposed instance after mitigation, not only on hosts already showing symptoms.
## References
- Vendor Advisories: None cited in the text; the React project's own advisory is the authoritative source for fixed versions.
- Third-Party Analysis: Palo Alto Networks Unit 42 advisory (published Wednesday evening, December 11th).
- Relevant Links:
- CISA Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- The Record's coverage of Unit 42's exploitation findings (https://therecord.media/chinese-hackers-exploiting-react2shell-vulnerability-amazon)
- Sysdig reporting on DPRK exploitation (https://www.sysdig.com/blog/etherrat-dprk-uses-novel-ethereum-implant-in-react2shell-attacks?)