We break down the exploit mechanics and detail active in-the-wild attacks observed by our team, from credential harvesting to sophisticated cloud backdoors.
# Vulnerability: React2Shell - Critical RCE via Deserialization in React Server Components
## CVE Details
- CVE ID: CVE-2025-55182
- CVSS Score: Not explicitly provided, but the flaw is described as **critical RCE**, implying a very high score ($\ge 9.0$).
- CWE: Improper Input Deserialization
## Affected Systems
- Products: React Server Components (RSC) as used by frameworks such as **Next.js** (observed attacks specifically target applications that use the `next-action` header), **Waku**, and **Vite** (when configured with RSC plugins).
- Versions: Unspecified, but affects deployments utilizing vulnerable RSC handling logic.
- Configurations: Applications using React Server Components, particularly those leveraging Next.js features like `next-action`.
## Vulnerability Description
The vulnerability, dubbed "React2Shell," is a critical Remote Code Execution (RCE) flaw stemming from **improper input deserialization** of React Server Components (RSC) payloads. Attackers can craft payloads that abuse this deserialization logic via self-referencing "gadget" chains to execute arbitrary code on the server hosting the React application.
## Exploitation
- Status: **Exploited in the wild**. Observed attacks range from opportunistic credential harvesting and cryptomining to the deployment of sophisticated, persistent backdoors (e.g., Sliver implants).
- Complexity: Not stated, but implied to be low: rapid, widespread exploitation was observed immediately after disclosure.
- Attack Vector: **Network** (Remote Code Execution).
## Impact
The impact of successful exploitation is severe, leading to unauthorized system access, data theft, and persistence:
- Confidentiality: **High** (Credential harvesting, environment variable dumping, key material theft, cloud metadata access).
- Integrity: **High** (Arbitrary code execution leading to system compromise).
- Availability: **High** (Potential for cryptomining or system disruption).
## Remediation
### Patches
- Specific patch versions are not listed in this summary, but organizations are urged to **patch urgently**. Refer to vendor advisories for specific fixed versions for Next.js, Waku, and Vite/RSC implementations.
### Workarounds
- No specific workarounds are detailed in this extract, but mitigation should focus on blocking malicious deserialization attempts or immediately updating the affected server components.
## Detection
- Indicators of Compromise (IOCs) include:
  - Outbound connections to attacker-controlled infrastructure, especially `oast*.` domains, used for beaconing and command-and-control (C2).
  - Execution of command-line utilities like `curl` or `nc` from within application processes (the Node.js/Next.js runtime) making external network calls.
  - Discovery activity such as identity checks (`whoami`) and enumeration of environment variables, dumping secrets whose names are prefixed with `AWS`, `TOKEN`, `SECRET`, etc.
  - Attempts to access the cloud metadata service at `169.254.169.254/latest/meta-data/`.
- Detection methods should involve monitoring network egress from application containers and inspecting process execution within the application runtime for suspicious shell commands.
## References
- Vendor Advisory (General): hXXps://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
- Technical Deep Dive: hXXps://www.wiz.io/blog/react2shell-cve-2025-55182-exploit-mechanics