React2Shell (CVE-2025-55182) is a critical unauthenticated RCE in React Server Components and Next.js App Router that was weaponized within hours of disclosure, prompting urgent mitigations and inclusion in CISA’s Known Exploited Vulnerabilities catalog. China-nexus groups including Earth Lamia and Jackpot Panda rapidly scanned and exploited vulnerable deployments, forcing providers like Cloudflare to apply emergency defenses. #React2Shell #CVE-2025-55182
Keypoints
- CVE-2025-55182 (React2Shell) is an unsafe deserialization vulnerability in the React Server Components Flight protocol enabling unauthenticated remote code execution across React 19.x and Next.js 15.x/16.x App Router deployments.
- PoCs published by researcher Lachlan Davidson (00-very-first-rce-poc, 01-submitted-poc.js, 02-meow-rce-poc) described an attack chain that creates a malicious fake Chunk object to achieve RCE.
- AWS telemetry and MadPot honeypots observed exploitation beginning within hours of public disclosure, with China-nexus actors such as Earth Lamia and Jackpot Panda rapidly weaponizing public PoCs.
- Attackers favored high-volume scanning with public PoCs that were themselves flawed; even so, those PoCs caught edge-case vulnerable configurations, and successful hits were followed by both automated and hands-on exploitation attempts (e.g., whoami, id, reads of /etc/passwd, file writes to /tmp/pwned.txt).
- Cloudflare rushed an emergency change to its request-body parsing logic to block exploitation attempts; the change caused an outage affecting about 28% of Cloudflare-served HTTP traffic while the network was defending against widespread scanning.
- Global authorities (CISA, ACSC) urged immediate patching, deployment of interim WAF rules, review of logs for malformed RSC payloads and server-action request headers (next-action, rsc-actionid), and inspection of hosts for post-exploitation indicators.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – attackers exploited the deserialization flaw in the React Server Components Flight protocol on internet-facing React/Next.js App Router deployments to gain unauthenticated remote code execution.
- [T1068] Exploitation for Privilege Escalation – cited in the source reporting and telemetry as a related technique alongside the initial-access exploit; no specific escalation step is detailed.
Indicators of Compromise
- [IP Address] observed attacker infrastructure and concentrated scanning – 183[.]6.80.214, 206[.]237.3.150, and 2 more IPs.
- [File path] post-exploitation and reconnaissance artifacts – /tmp/pwned.txt (unauthorized file write), /etc/passwd (unauthorized read).
- [File name / PoC] public proof-of-concept files used in exploitation and scanning – 00-very-first-rce-poc, 01-submitted-poc.js (and 02-meow-rce-poc).
- [HTTP headers] request headers to review in logs alongside malformed RSC payloads – next-action, rsc-actionid. Note that next-action is also set on every legitimate Next.js server-action POST, so its presence alone is not an indicator; correlate it with body contents and source IP.
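The log-review guidance above (server-action headers, IoC IPs, post-exploitation strings) can be turned into a first-pass triage script. The following is an added example, not code from the cited report or from the React/Next.js projects. It assumes request logs exported as JSON lines with `ip`, `headers` and `body` fields (a constructed format; adapt the loader to your own), and the scoring weights are the author's own heuristic: a server-action header alone scores low because legitimate Next.js server actions send it too, while an IoC source IP or a recon string in the body scores high.

```python
"""Heuristic triage of Next.js/RSC request logs for React2Shell (CVE-2025-55182) activity.

This is a log-review aid, not a vulnerability check. Each request is scored on:
  (1) presence of server-action request headers named in the report,
  (2) source IP in the report's IoC list,
  (3) post-exploitation strings the report saw attackers use.
Log format (JSON lines with ip/headers/body) and weights are assumptions.
"""
import json
import re

IOC_IPS = {"183.6.80.214", "206.237.3.150"}         # from the report
ACTION_HEADERS = ("next-action", "rsc-actionid")     # from the report
# Reconnaissance / post-exploitation strings named in the report.
# "id" is only matched in a shell-like position so JSON keys such as "id" do not fire.
RECON_PATTERNS = {
    "whoami": re.compile(r"\bwhoami\b"),
    "id": re.compile(r"(?:^|[;&|`(\s])id(?=$|[;&|)\s])"),
    "/etc/passwd": re.compile(r"/etc/passwd"),
    "/tmp/pwned.txt": re.compile(r"/tmp/pwned\.txt"),
}
WEIGHT_HEADER, WEIGHT_IOC_IP, WEIGHT_RECON = 1, 3, 3  # assumed weights


def score_request(rec):
    """Return (score, reasons) for one parsed log record."""
    score, reasons = 0, []
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    present = [h for h in ACTION_HEADERS if h in headers]
    if present:
        score += WEIGHT_HEADER
        reasons.append("action-header:" + ",".join(present))
    if rec.get("ip") in IOC_IPS:
        score += WEIGHT_IOC_IP
        reasons.append("ioc-ip")
    body = rec.get("body") or ""
    hits = [name for name, pat in RECON_PATTERNS.items() if pat.search(body)]
    if hits:
        score += WEIGHT_RECON
        reasons.append("recon:" + ",".join(hits))
    return score, reasons


def triage(lines):
    """Parse JSON-lines log records and return scored findings, highest score first."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        score, reasons = score_request(rec)
        if score:
            findings.append({"line": n, "ip": rec.get("ip"), "score": score, "reasons": reasons})
    findings.sort(key=lambda f: (-f["score"], f["line"]))
    return findings


# Constructed sample log: one benign server action, one hit from an IoC IP,
# one recon attempt from an unlisted IP, and one plain GET.
SAMPLE_LOG = [
    json.dumps({"ip": "10.0.0.5", "method": "POST", "path": "/settings",
                "headers": {"Next-Action": "a1b2c3"}, "body": '["save-profile"]'}),
    json.dumps({"ip": "183.6.80.214", "method": "POST", "path": "/",
                "headers": {"next-action": "x"}, "body": "... ; whoami ; id"}),
    json.dumps({"ip": "198.51.100.7", "method": "POST", "path": "/",
                "headers": {"rsc-actionid": "x"}, "body": "... cat /etc/passwd"}),
    json.dumps({"ip": "10.0.0.9", "method": "GET", "path": "/about",
                "headers": {}, "body": ""}),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f['line']:>3}  score {f['score']}  {f['ip']:<15} {'; '.join(f['reasons'])}")
```

Anything scoring above the header-only baseline deserves a look at the host (the /tmp/pwned.txt write and the recon commands from the report are the obvious first checks); the header-only hits are a volume metric, not alerts, unless they cluster from one source.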
Read more: https://cyble.com/blog/react2shell-cve-2025-55182-rapid-exploitation/