Full Report
Outpacing React2Shell using pre-breach alerts from Wiz ASM to eliminate exploitable risk before attackers find them
Analysis Summary
# Vulnerability: React2Shell Remote Code Execution (RCE) in React/Next.js
## CVE Details
- CVE ID: CVE-2025-55182, CVE-2025-66478
- CVSS Score: Critical (Specific score not provided, but described as critical unauthenticated RCE)
- CWE: Improper Deserialization
## Affected Systems
- Products: React applications, Next.js applications
- Versions: Not explicitly listed in the summary, but affected versions require patching.
- Configurations: Applications utilizing components vulnerable to improper deserialization.
## Vulnerability Description
The vulnerability, dubbed React2Shell, is a critical unauthenticated Remote Code Execution (RCE) flaw. An attacker can exploit it with a single HTTP request that abuses improper deserialization in affected React/Next.js applications, potentially leading to full server compromise.
## Exploitation
- Status: Observed active exploitation attempts across environments immediately following disclosure.
- Complexity: Low (Implied by the mention of compromise occurring with a single HTTP request).
- Attack Vector: Network (Remote via HTTP request).
## Impact
- Confidentiality: High (Potential for full server compromise)
- Integrity: High (Potential for full server compromise)
- Availability: High (Potential for full server compromise/denial of service)
## Remediation
### Patches
- Patches were deployed as part of the Wiz Research Team's response following disclosure, triggering *Validated External Risk Issues*. Specific patch versions for React/Next.js are not detailed in this context, only the availability of a protective alert mechanism.
### Workarounds
- No specific technical workarounds are detailed in this summary, but the core mitigation strategy encouraged is the *immediate removal of exploitable risk* identified via ASM.
## Detection
- **Indicators of Compromise (IOCs):** Active exploitation attempts were observed across customer environments following disclosure.
- **Detection Methods and Tools:** Wiz Attack Surface Management (ASM) provided a dedicated rule for customers, generating "Validated External Risk Issues" (SOC-level alerts) that identified specific assets exploitable via CVE-2025-55182 from the internet, enabling proactive threat removal.
## References
- Official Disclosure Link: `https://www.wiz.io/blog/nextjs-cve-2025-55182-react2shell-deep-dive`
- Wiz Blog discussing the solution: `https://www.wiz.io/blog`