A critical insecure-deserialization vulnerability (CVE-2025-55182, aka React2Shell) in React Server Components enables unauthenticated remote code execution against React 19 and Next.js deployments and has been rapidly weaponized in the wild. Observed activity includes mass scanning and exploitation by China-nexus groups and opportunistic botnets, and mitigations include upgrading to patched versions and applying runtime protections such as those offered by Aqua. #CVE-2025-55182 #React2Shell
Keypoints
- CVE-2025-55182 (React2Shell) is an insecure deserialization flaw in React Server Components that allows a single HTTP request to execute arbitrary server-side code without authentication.
- The vulnerability received a CVSS score of 10.0 due to ease of exploitation, broad ecosystem reach (React 19 and Next.js), and the potential for full server takeover.
- Active exploitation was observed within hours of disclosure by China-nexus threat groups, large-scale botnets, and opportunistic actors using public PoCs and automated scanners.
- Aqua Nautilus deployed honeypots to capture real-world exploit attempts and analyze attacker behavior such as dropping shells, deploying cryptominers, and credential harvesting from environment variables.
- Affected versions include React 19.0.0–19.2.0 (patched in 19.0.1/19.1.2/19.2.1) and Next.js releases that integrate vulnerable RSC (patched in several 15.x and 16.0.7 releases).
- Recommended mitigations: upgrade to patched React/Next.js versions, rescan images and dependencies, enforce assurance policies, and apply runtime controls (e.g., Aqua runtime protections) to block code injection and suspicious behaviors.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Exploitation of an internet-facing server via a single HTTP request to achieve RCE (‘Any internet-facing server can be compromised with one HTTP request.’)
- [T1046] Network Service Scanning – Mass scanning activity and botnet-driven opportunistic discovery of vulnerable hosts (‘Massive Opportunistic Scanning’).
- [T1059] Command and Scripting Interpreter – Execution of arbitrary server-side code and dropping remote shells to run attacker-controlled commands (‘Execute arbitrary server-side code’, ‘Drop remote shells’).
- [T1552] Unsecured Credentials – Theft of secrets and tokens from environment variables post-exploitation for credential harvesting (‘Steal secrets and tokens from environment variables’).
- [T1071] Application Layer Protocol – Use of application-layer HTTP requests and likely C2/remote shell channels over HTTP for post-exploitation control (‘a single malicious HTTP request’ used to gain persistence and server footholds).
Indicators of Compromise
- [Software Versions] Vulnerable package versions and patched releases – React 19.0.0–19.2.0 (vulnerable), patched in React 19.0.1/19.1.2/19.2.1; Next.js builds integrating RSC (patched in 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7).
- [Observed Actors/Infrastructure] Scanning and exploitation sources – China-nexus threat groups and mass-scanning botnets observed by AWS and GreyNoise (no specific IPs provided in the article).
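A dependency check for the "rescan images and dependencies" mitigation and the version list above, as an added example that is not the article's or Aqua's code: it walks a package-lock.json `packages` map and flags `react` / `next` entries whose resolved version is below the fixed release for its minor line. The fixed versions are the ones the article lists; treating React 19.x lines above 19.2 as fixed follows the stated 19.0.0–19.2.0 range, and the `unknown` verdict for lines the article does not enumerate (e.g. Next.js 14.x or 16.1+) is an assumption, not article data.

```javascript
// Added example (not from the Aqua article): flag package-lock.json entries
// whose react / next version falls below the fixed release for its minor line.
// Fixed versions are the ones the article lists; the "unknown" result for
// minor lines absent from the table is an assumption, not article data.
const FIXED = {
  react: { '19.0': 1, '19.1': 2, '19.2': 1 },                 // 19.0.1 / 19.1.2 / 19.2.1
  next: { '15.0': 5, '15.1': 9, '15.2': 6, '15.3': 6,
          '15.4': 8, '15.5': 7, '16.0': 7 },                  // 15.0.5 ... 16.0.7
};
// Parse "19.1.1" or "19.2.1-canary.3" into numeric parts; a prerelease tag
// sorts before the same x.y.z release, so it is still below the fix.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([\w.]+))?/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}
// Returns 'vulnerable', 'patched' or 'unknown' for a resolved package version.
function assess(pkg, version) {
  const table = FIXED[pkg];
  const ver = parseVersion(version);
  if (!table || !ver) return 'unknown';
  const line = `${ver.major}.${ver.minor}`;
  if (!(line in table)) {
    // React 19.x lines above 19.2 are outside the 19.0.0–19.2.0 range given.
    if (pkg === 'react' && ver.major === 19 && ver.minor > 2) return 'patched';
    return 'unknown';
  }
  if (ver.patch > table[line]) return 'patched';
  if (ver.patch === table[line]) return ver.pre ? 'vulnerable' : 'patched';
  return 'vulnerable';
}
// Walk a package-lock.json (lockfileVersion 2/3) "packages" map, including
// nested node_modules copies, and report every react / next entry.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (name !== 'react' && name !== 'next') continue;
    findings.push({ path, name, version: entry.version, status: assess(name, entry.version) });
  }
  return findings;
}
// Constructed sample lockfile (not real project data): one vulnerable React copy, one patched Next.js copy.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  'node_modules/react': { version: '19.1.1' },
  'node_modules/next': { version: '15.5.7' },
} };
console.table(scanLockfile(SAMPLE_LOCK));
```

Point `scanLockfile` at `JSON.parse(fs.readFileSync('package-lock.json'))` to run it against a real lockfile; a `vulnerable` entry in a nested `node_modules` path is the case a top-level `npm ls` glance tends to miss.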
Read more: https://www.aquasec.com/blog/critical-cve-in-react-server-components-actively-exploited/