Defending Against React2Shell: CVE-2025-55182

CVE-2025-55182, commonly referred to as React2Shell, is a critical pre-authentication remote code execution (RCE) flaw impacting React Server Components (RSC), Next.js, and related frameworks. The bug sits in the way affected versions parse and trust serialized payloads sent via the Flight protocol. With a CVSS score of 10.0, the vulnerability allows a single HTTP request to trigger arbitrary Node.js execution on the server, without user interaction and without authentication. Public proof-of-concept exploit code is already in circulation, default installs are exposed, and exploitation has been observed across Windows and Linux platforms including containerized environments.


Where the vulnerability sits in the stack

React Server Components allow UI logic to execute partly on the server. A client request sends a serialized payload over the Flight protocol, the server deserializes it, runs server-side logic, and returns the resulting component tree. Affected versions of React and Next.js fail to validate the structure and content of incoming payloads before deserializing them. This results in:

• Prototype pollution inside object graphs used by RSC
• Injection of attacker-controlled object properties into execution paths
• Arbitrary server-side behavior invoked during component resolution

Node.js ultimately executes code paths influenced by polluted objects, giving the attacker execution inside the application process. Once code runs, the application context becomes a post-exploitation environment rather than a web layer.


What the malicious payload actually does

In real-world exploitation, the attacker sends a POST request containing a crafted serialized object. That payload manipulates internal RSC structures and injects malicious constructs that React incorrectly treats as valid serialized component data. This causes the backend to:

• Deserialize attacker-controlled structures
• Hydrate them into live JavaScript objects
• Trigger function calls or imports under Node.js
• Execute code the attacker controls

Because this occurs before authentication, the attack path is exposed to anyone who can reach the vulnerable service. There is no dependency on session state or user permissions.


Why default configurations are exposed

Many security issues depend on developer mistakes. React2Shell does not. The default dependency chains ship with the affected behavior enabled. That means:

• Developers do not need to misconfigure anything
• The bug exists even in new projects
• CI/CD pipelines may auto-pull vulnerable versions
• Containers inherit the flaw silently

Attackers only need a reachable endpoint that uses RSC.


Post-exploitation techniques observed

Once execution is achieved, attackers typically test code execution with simple commands such as whoami or file touch operations, then progress to:

• Reverse shells into Cobalt Strike or similar infrastructure
• Dropping RATs such as VShell and EtherRAT
• Deploying SNOWLIGHT loaders for stage-two payload delivery
• Persisting through new user creation and SSH key insertion
• Enabling root login on Linux systems
• Installing RMM tooling like MeshAgent

Some operators deploy XMRig cryptominers immediately if the environment is not visibly monitored.

Attackers also abuse bind mounts and hidden directories to conceal tools and logs. Cloudflare Tunnel endpoints (for example *.trycloudflare.com) have been used for payload staging and command channels.


Credential and token harvesting activity

Because React applications frequently run adjacent to sensitive workloads, attackers often pivot straight into credential discovery. Observed behavior includes:

• Querying Azure IMDS for instance tokens
• Querying AWS, GCP, and Tencent metadata endpoints
• Running TruffleHog and Gitleaks for repo-based secrets
• Pulling environment variables for embedded API keys
• Targeting OpenAI keys, Databricks tokens, and Kubernetes service account tokens
• Using Azure CLI (az) and Azure Developer CLI (azd) to enumerate and acquire tokens

From there, lateral movement into cloud control planes and downstream services is possible.


Container-specific exposure patterns

Many vulnerable deployments run in containers. Execution inside a container does not automatically stop an attacker. Risk depends on:

• Host namespace isolation
• Privileged container status
• Volume mounts
• Network segmentation
• Runtime defenses

Weakly isolated containers give attackers paths to host-level compromise.


Detection patterns security teams should expect

Telemetry tied to React2Shell compromises commonly includes:

• Suspicious Node.js process behavior
• Node-spawned shells
• Encoded PowerShell execution
• Unexpected service creation
• Cryptocurrency miner execution
• Process injection alerts
• Kerberos ticket abuse
• Secret discovery patterns
• Hands-on-keyboard lateral movement

Reverse shell strings, /dev/tcp/, base64 decoding chains, and bash -i patterns are frequent.


Identifying whether you are exposed

Security teams can audit application directories for packages such as:

• react-server-dom-webpack
• react-server-dom-parcel
• react-server-dom-turbopack
• next

Then validate versions against affected releases, including:

• React 19.0.0 through 19.2.0
• Next.js 15.x, early 16.x, and late 14.x canary builds (specific ranges apply)

If versions match, treat the application as exploitable.


Patch strategy

Patching removes the attack path. Fixed versions include:

• React 19.0.1, 19.1.2, 19.2.1
• Next.js 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7

Framework-level updates must be verified to pull corrected dependency trees. Internet-facing workloads should be upgraded first.
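The package audit and version check described in the two sections above can be scripted. The following Node script is an added example (not code from the Netizen post or from the React/Next.js projects): it walks the "packages" map of a package-lock.json for the RSC packages named above and compares each version against the fixed releases the post lists. It assumes that any version older than the fixed release in the same major.minor line is affected and that prerelease (canary) builds need manual review; confirm both against the vendor advisory, which gives the exact ranges.

```javascript
// Added example: audit a package-lock.json for React2Shell-affected packages.
const FIXED = {
  // fixed releases as listed in the post; anything older in the same
  // major.minor line is treated as affected (assumption: verify against the advisory)
  react: ["19.0.1", "19.1.2", "19.2.1"],
  next: ["15.0.5", "15.1.9", "15.2.6", "15.3.6", "15.4.8", "15.5.7", "16.0.7"],
};
// the react-server-dom-* bundler packages are versioned in lockstep with react
const RSC_PACKAGES = ["react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"];

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Returns "fixed", "affected", "review" (canary or unknown line) or "n/a".
function classify(name, version) {
  const line = RSC_PACKAGES.includes(name) ? "react" : name === "next" ? "next" : null;
  if (!line) return "n/a"; // not an RSC package
  const v = parseVersion(version);
  if (!v || v.pre) return "review"; // canary builds: specific ranges apply
  const fixed = FIXED[line].map(parseVersion).find(f => f.major === v.major && f.minor === v.minor);
  if (!fixed) return "review"; // no fixed release listed for this minor line
  return v.patch >= fixed.patch ? "fixed" : "affected";
}

// lock is a parsed package-lock.json (lockfileVersion 2/3 "packages" layout)
function auditLock(lock) {
  const findings = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    const name = path.replace(/^.*node_modules\//, "");
    if (!RSC_PACKAGES.includes(name) && name !== "next") continue;
    findings.push({ name, version: info.version, status: classify(name, info.version) });
  }
  return findings;
}

// constructed sample lockfile, not taken from a real project
const SAMPLE_LOCK = {
  packages: {
    "node_modules/next": { version: "15.3.2" },
    "node_modules/react-server-dom-webpack": { version: "19.1.0" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.1" },
  },
};
console.log(auditLock(SAMPLE_LOCK));
```

Replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))` to run it against a real checkout; any "affected" or "review" result should be treated as exploitable until proven otherwise.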


Hardening and compensating controls

Until fully patched, teams should:

• Monitor Node.js parent processes for suspicious child execution
• Flag outbound connections from web processes
• Centralize logs across endpoint, container, and cloud
• Apply Web Application Firewall signatures where feasible
• Accelerate triage of encoded command alerts
• Validate integrity of SSH authorized_keys
• Review for unauthorized RMM installation
• Audit root login configuration

High-fidelity detection begins with correlation across telemetry layers. Single alerts rarely tell the whole story.
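The detection patterns and the first two compensating controls above (node spawning a shell, bash -i, /dev/tcp/, base64 decoding chains, encoded PowerShell) can be expressed as a small correlation rule. The following is an added example, not code from the Netizen post: it scores constructed process-creation events so that a single indicator stays below the alert threshold while two or more correlate into an alert. The event field names (parent_image, image, cmdline) are assumptions; map them to your EDR or Sysmon schema.

```javascript
// Added example: score process-creation events for React2Shell post-exploitation patterns.
const SHELLS = new Set(["sh", "bash", "dash", "zsh", "cmd", "powershell", "pwsh"]);

const INDICATORS = [
  { id: "interactive-shell", re: /\bbash\s+-i\b/ },
  { id: "dev-tcp", re: /\/dev\/tcp\// },
  { id: "base64-decode-chain", re: /base64\s+(-d|--decode)\b.*\|\s*(ba)?sh\b/ },
  { id: "encoded-powershell", re: /-(enc|encodedcommand|e)\s+[A-Za-z0-9+\/=]{16,}/i },
];

// strip directory and a trailing .exe so Windows and Linux images compare alike
const basename = p => p.replace(/^.*[\\/]/, "").toLowerCase().replace(/\.exe$/, "");

// Returns { score, reasons } for one event; each matched pattern adds one point.
function scoreEvent(ev) {
  const reasons = [];
  const parent = basename(ev.parent_image || "");
  const child = basename(ev.image || "");
  // node is the web process here; a shell child is unusual for a Next.js app
  if (parent === "node" && SHELLS.has(child)) reasons.push("node-spawned-shell");
  for (const ind of INDICATORS) if (ind.re.test(ev.cmdline || "")) reasons.push(ind.id);
  return { score: reasons.length, reasons };
}

// Correlate: only events with at least `threshold` independent indicators are alerts.
function triage(events, threshold = 2) {
  return events.map(ev => ({ ...ev, ...scoreEvent(ev) })).filter(r => r.score >= threshold);
}

// constructed sample events, not real telemetry; hosts and payloads are placeholders
const SAMPLE_EVENTS = [
  { ts: "2025-12-04T10:01:02Z", parent_image: "/usr/bin/node", image: "/bin/sh",
    cmdline: "sh -c 'git rev-parse HEAD'" },                              // build tooling, single indicator
  { ts: "2025-12-04T10:05:44Z", parent_image: "/usr/bin/node", image: "/bin/bash",
    cmdline: "bash -i" },                                                  // interactive shell from web process
  { ts: "2025-12-04T10:05:51Z", parent_image: "/usr/bin/node", image: "/bin/sh",
    cmdline: "sh -c 'echo <b64-placeholder> | base64 -d | bash'" },        // decode chain
  { ts: "2025-12-04T10:06:10Z", parent_image: "/usr/bin/node", image: "/bin/bash",
    cmdline: "bash -c 'cat </dev/tcp/<redacted-host>/<port>'" },           // /dev/tcp/ usage
  { ts: "2025-12-04T10:07:30Z", parent_image: "C:\\Program Files\\nodejs\\node.exe",
    image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    cmdline: "powershell.exe -NoP -enc QUJDREVGR0hJSktMTU5PUA==" },        // encoded PowerShell
];
console.log(triage(SAMPLE_EVENTS));
```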


How Can Netizen Help?

Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

