Full Report
Wiz says React2Shell attacks accelerating, ranging from cryptominers to state-linked crews

Half of the internet-facing systems vulnerable to a fast-moving React remote code execution flaw remain unpatched, even as exploitation has exploded into more than a dozen active attack clusters ranging from bargain-basement cryptominers to state-linked intrusion tooling.…
Analysis Summary
# Vulnerability: React2Shell Remote Code Execution Flaw
## CVE Details
- CVE ID: CVE-2025-55182
- CVSS Score: Not explicitly stated, but described as a **critical-severity flaw**
- CWE: Related to unsafe deserialization
## Affected Systems
- Products: React Server Components, dependent frameworks such as Next.js.
- Versions: Not specified in the source; consult the vendor advisories for the versions confirmed patched.
- Configurations: Internet-facing systems utilizing vulnerable React server-side packages.
## Vulnerability Description
The vulnerability, dubbed "React2Shell," is a Remote Code Execution (RCE) flaw stemming from **unsafe deserialization** within React's server-side packages. This flaw allows an unauthenticated attacker to achieve RCE by sending a crafted request to the affected server endpoint.
## Exploitation
- Status: **Actively exploited in the wild** at scale; 15 distinct intrusion clusters are being tracked.
- Complexity: Implied **Low**, since the exploit is unauthenticated and is being used by commodity attackers (cryptominers) as well as by sophisticated threat actors.
- Attack Vector: **Network** (unauthenticated access via crafted request).
## Impact
- Confidentiality: High (Attackers are observed exfiltrating secrets).
- Integrity: High (Full remote code execution allows for system compromise and malware deployment, including file infection).
- Availability: High (System compromise, potential denial of service via malware loading).
## Remediation
### Patches
- Specific patch versions are **not detailed in the source article**. Users must consult official React/Next.js advisories for the specific version updates that resolve CVE-2025-55182.
### Workarounds
- No specific vendor workarounds are detailed in the source, but immediate mitigation should focus on **blocking or filtering suspicious incoming HTTP requests** directed at React server endpoints until patching is complete.
## Detection
- **Indicators of Compromise (IOCs):**
  - Observed post-exploitation frameworks, such as Sliver C2 infrastructure.
  - Presence of cryptomining malware (Kinsing, C3Pool).
  - Custom loaders and JavaScript file injectors targeting server-side `*.js` files.
  - Campaigns exhibiting anti-forensics techniques (timestamp manipulation, log scrubbing).
  - Activity overlapping with tooling attributed to North Korean (Contagious Interview) or Chinese (BPFDoor/Red Menshen) groups.
- **Detection Methods and Tools:**
  - Network monitoring for unusual outbound traffic patterns or connection attempts to known C2 infrastructure.
  - Endpoint analysis detecting the deployment of custom loaders, miners, or backdoors (e.g., EtherRat variants).
  - Application security scanning to identify unpatched React/Next.js versions.
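As an added triage example (not code from the Wiz or Unit 42 reports), the following script checks server-side JavaScript files for the two host-level indicators listed above, injected `*.js` files and manipulated timestamps; the directory layout, thresholds and ignore list are assumptions for illustration.

```python
# A file's mtime can be set by whoever writes it (utimes/touch -t), but ctime
# is only ever moved by the kernel, so a JS file whose mtime is far older than
# its ctime was written or backdated after the date it claims. Recently changed
# JS files are reported as well so an analyst can review them alongside logs.
import os
import time
from dataclasses import dataclass
from typing import List, Optional

JS_EXTS = (".js", ".mjs", ".cjs")
SKEW_SECONDS = 600                       # assumed: mtime > 10 min older than ctime
IGNORE_DIRS = {"node_modules", ".git"}   # tar/npm extraction legitimately keeps old mtimes here


@dataclass
class Finding:
    path: str
    reason: str
    mtime: float
    ctime: float


def inspect_file(path: str, now: Optional[float] = None, recent_window: int = 86400) -> List[Finding]:
    """Return zero or more findings for a single file (leads, not proof of compromise)."""
    st = os.stat(path)
    now = time.time() if now is None else now
    out: List[Finding] = []
    if st.st_ctime - st.st_mtime > SKEW_SECONDS:
        out.append(Finding(path, "mtime predates ctime: possible timestomp", st.st_mtime, st.st_ctime))
    if now - st.st_ctime <= recent_window:
        out.append(Finding(path, "metadata changed inside the review window", st.st_mtime, st.st_ctime))
    return out


def scan_tree(root: str, now: Optional[float] = None, recent_window: int = 86400) -> List[Finding]:
    """Walk root, prune IGNORE_DIRS, and inspect every server-side JS file."""
    findings: List[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in IGNORE_DIRS]
        for name in filenames:
            if name.endswith(JS_EXTS):
                findings.extend(inspect_file(os.path.join(dirpath, name), now, recent_window))
    return sorted(findings, key=lambda f: f.path)


if __name__ == "__main__":
    import sys
    for f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{f.reason:45} {f.path}")
```

Files copied with `cp -p` or restored from backups also show an old mtime with a fresh ctime, so each hit should be correlated with deployment records before it is treated as an injected file.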
## References
- Vendor Advisories: Consult official React and Next.js security bulletins for **CVE-2025-55182**.
- Relevant links (defanged):
  - Wiz assessment reports.
  - Palo Alto Networks Unit 42 analysis linking exploitation to state-linked groups.