React2Shell (CVE-2025-55182) is a critical RSC vulnerability that enables unauthenticated remote code execution on affected React servers via a crafted HTTP POST with malicious multipart/form-data. Zscaler observed thousands of exploitation attempts shortly after disclosure and recommends immediate patching, dependency verification, and runtime protections to mitigate risk. #React2Shell #CVE-2025-55182
Key points
- CVE-2025-55182 (React2Shell) is a critical deserialization flaw in React Server Components (Flight protocol) allowing unauthenticated RCE via a malicious HTTP POST request.
- Over 4,100 exploitation attempts were observed within the first two hours after disclosure, including activity attributed to a China-based threat actor.
- The root cause is prototype chain exploitation in the getOutlinedModel function; the patch adds hasOwnProperty checks to prevent accessing inherited properties.
- Impacted packages include react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack — developers must update to the patched versions and verify package-lock.json/yarn.lock.
- Next.js was initially assigned a separate CVE (CVE-2025-66478) which was later rejected as a duplicate, though some Next.js releases that bundle affected React components are indirectly impacted.
- Zscaler deployed protections (AppProtection6000412) and recommends clearing caches, reinstalling dependencies (npm ci), rebuilding, deploying fixes, enabling temporary WAF rules, and adding runtime/process monitoring.
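The root-cause point above (a lookup that walks the prototype chain versus one guarded by hasOwnProperty) is shown below in a small added example; this is illustrative code, not React's getOutlinedModel or Zscaler's code, and the store and function names are constructed for the demonstration.

```javascript
// Added example: why an own-property check matters when a key taken from
// untrusted serialized input is used to look up a server-side object.
// modelStore, lookupUnsafe, lookupSafe and inheritedHits are constructed names.

// A store keyed by ids the application itself registered (constructed sample).
const modelStore = { "1": { kind: "user", name: "alice" } };

// Unsafe: bracket lookup walks the prototype chain, so a key the application
// never registered (e.g. "constructor" or "toString") still resolves to a
// function inherited from Object.prototype instead of returning undefined.
function lookupUnsafe(store, key) {
  return store[key];
}

// Safe: only keys actually set on the store are honored. Calling
// Object.prototype.hasOwnProperty via .call means a store entry that is itself
// named "hasOwnProperty" cannot shadow the check.
function lookupSafe(store, key) {
  if (!Object.prototype.hasOwnProperty.call(store, key)) {
    return undefined;
  }
  return store[key];
}

// Defensive unit check for a deserializer: report which incoming keys would
// have resolved to an inherited property under the unsafe lookup.
function inheritedHits(store, keys) {
  return keys.filter(
    (k) => lookupUnsafe(store, k) !== undefined && lookupSafe(store, k) === undefined
  );
}

// Constructed sample of keys as they might appear in a request body.
const sampleKeys = ["1", "2", "constructor", "__proto__", "toString"];

// Alternatives with the same effect: a store built with Object.create(null)
// has no prototype to walk, and a Map only ever returns entries that were set.
console.log(inheritedHits(modelStore, sampleKeys));
```

The unsafe lookup resolves "constructor", "__proto__" and "toString" even though the store only holds the id "1"; the guarded lookup returns undefined for all three and still returns the registered model.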
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Attackers trigger unauthenticated remote code execution on servers by sending crafted HTTP POST requests to the Flight protocol endpoint (‘can be triggered by a malicious HTTP POST request’ / ‘allows unauthenticated remote code execution (RCE) on impacted servers’).
- [T1059] Command and Scripting Interpreter – Successful exploitation results in unauthorized shell execution and spawning of child processes (e.g., bash, sh, cmd.exe, powershell.exe) from the Node.js runtime (‘unexpected child processes spawned by Node.js, unauthorized shell commands’ / ‘spawning of shell processes (e.g., bash, sh, cmd.exe, powershell.exe)’).
- [T1071] Application Layer Protocol – The exploit is delivered and executed over HTTP(S) using multipart/form-data, leveraging application-layer requests to deliver malicious serialized payloads (‘triggered by a malicious HTTP POST request’ / ‘serialized data within multipart/form-data is trusted without proper validation’).
Indicators of Compromise
- [CVE] vulnerability identifiers – CVE-2025-55182, CVE-2025-66478 (duplicate, rejected)
- [Package names] impacted React RSC packages – react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack
- [Software versions] examples of impacted/patched releases – impacted react-server-dom* versions (e.g., 19.0.0, patched in 19.0.1) and impacted Next.js branches (e.g., 15.x, 16.x) with their listed patched versions
- [File names / manifests] build and dependency files to inspect – package-lock.json, yarn.lock, node_modules
- [Detection signature] Zscaler protection identifier – Zscaler Private Access AppProtection6000412
- [Artifacts / suspicious behaviors] post-exploitation indicators to hunt for – web shells, modified files in application directories, unexpected child processes, and anomalous outbound connections