OP 09 December, 2025 - 01:08 AM
═══════════════════════════════════════════════════════════
REACT2SHELL (CVE-2025-55182)
Critical Unauthenticated RCE in React Server
Components
CVSS Score: 10.0 (MAXIMUM SEVERITY)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
? TABLE OF CONTENTS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
? EXECUTIVE SUMMARY
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
React2Shell is a CVSS 10.0
unauthenticated remote code execution vulnerability in
React Server Components (RSC) and the Flight protocol,
affecting React 19.x and Next.js 15-16.
The vulnerability stems from unsafe deserialization
combined with server-side prototype pollution,
allowing attackers to execute arbitrary JavaScript on
vulnerable servers with no authentication required.
⚡ THIS IS A LOG4SHELL-SCALE EMERGENCY
PATCH IMMEDIATELY
Key Impact Points:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
? VULNERABILITY OVERVIEW
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
What is React Server Components (RSC)?
React Server Components represent a paradigm shift
in React applications. Introduced in React 19, RSC allows
developers to render component trees on the server and
serialize them to the client via the Flight protocol.
The Flight protocol uses custom serialization and
deserialization to transmit RSC payloads between server
and client. Unlike JSON, the Flight codec handles complex
object graphs and promises, making it powerful but
dangerous if not carefully implemented.
How RSC/Flight is Exposed
In Next.js 15/16 with App Router (the
default), any application automatically exposes an RSC
endpoint that listens for incoming Flight protocol requests.
The endpoint is accessible at any route by including
the Next-Action header in HTTP POST requests.
Critical Point: Even if a
developer never explicitly defined any server actions, the
vulnerability still exists. A blank Next.js application is
fully exploitable without any additional code.
Root Cause: Where the Vulnerability Lives
The vulnerability exists in the deserialization
logic of the Flight protocol codec, specifically in the
react-server-dom-* packages (webpack, turbopack,
parcel variants).
The Core Issue: The
decoder fails to properly validate object structure and
types during reconstruction.
This is a textbook example of server-side
prototype pollution with gadget chain exploitation—the
same vulnerability class that devastated frontend security,
now on the backend.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
? ROOT CAUSE ANALYSIS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
The Vulnerable Code Pattern
The vulnerability manifests in the getOutlinedModel
function, which reconstructs objects from reference strings
in the Flight protocol:
THE PROBLEM: The loop
allows unrestricted traversal through any property chain. By
crafting a reference like $1:__proto__:then, an attacker can
access and modify the prototype chain of objects during
deserialization.
Deserialization Process
When the Flight protocol payload arrives on the
server, it's structured as multipart form data. Each
form field contains a serialized chunk — either a JSON
object, a reference string, or special markers.
Deserialization Steps:
The Promise Chain Trigger
A critical aspect of the vulnerability involves
how promises are handled in the deserialization. When a
chunk is marked as a promise (via the $@ prefix), the
deserializer creates a pending promise and later resolves it.
Attackers can craft a malicious object whose
.then() property points to a gadget chain that, when
invoked, executes the Function constructor with attacker-
controlled code.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
⚙️ PAYLOAD STRUCTURE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Anatomy of a Working PoC Payload
Here's a simplified breakdown of how a working
exploit payload is structured. Modern payloads use several
chunks that reference each other in a carefully crafted
sequence:
Payload Walkthrough
Alternative Gadget Chains
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
? EXPLOITATION MECHANICS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Basic Exploitation Flow
Real-World Command Examples
Reconnaissance Commands:
Credential Harvesting:
Malware Deployment:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
? REAL-WORLD ATTACK SCENARIOS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
The Exploitation Timeline
This is the fastest weaponization of a web RCE
vulnerability in recent history.
China-Nexus APT Activity
According to Wiz, AWS, and Datadog telemetry,
China-linked threat groups began exploitation within 24
hours of PoC availability:
Attack Pattern 1: Credential
Harvesting
Attack Pattern 2: Cloud Metadata
Access
Attack Pattern 3: Cryptominer
Deployment
Attack Pattern 4: Persistent
Backdoor (Sliver)
Known Infrastructure & IOCs
Malware Hosting Servers:
C2 & Infrastructure Domains:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
?️ DETECTION & EVASION
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Detection Methods
Signature-Based Detection
Characteristic HTTP Headers:
Payload Signatures:
WAF Detection Rules:
Host-Level Indicators:
Evasion Techniques
1. WAF Padding/Junk Data
- Prepend large junk data to bypass WAF body inspection
limits.
2. Alternative Reference Syntaxes
- Use variations like $1:["__proto__"]["then"] or hex-
encoded property names.
3. Obfuscated Command
Execution - Use eval, Function(), or base64
encoding to hide commands.
4. Vercel WAF Bypass
- Use alternative multipart structures and form field
ordering.
5. Chunked/Distributed
Payloads - Spread gadget chain across multiple
chunks with obfuscated references.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
? MITIGATION & PATCHING
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
IMMEDIATE ACTIONS (TODAY):
SECONDARY ACTIONS (WITHIN 48
HOURS):
ONGOING ACTIONS (DAYS 3-7):
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
? POC RESOURCES & TOOLS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
OFFICIAL INFORMATION &
DISCLOSURES
TECHNICAL ANALYSIS & DEEP
DIVES
PROOF-OF-CONCEPT EXPLOITS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
⚠️ FINAL WARNINGS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
THIS VULNERABILITY IS:
Actively Exploited in Wild
═══════════════════════════════════════════════════════════
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
? TABLE OF CONTENTS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
- Executive Summary
- Vulnerability Overview
- Root Cause Analysis
- Payload Structure & Gadget Chain
- Exploitation Mechanics
- Real-World Attack Scenarios
- Detection & Evasion
- Mitigation & Patching
- PoC Resources & Tools
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
? EXECUTIVE SUMMARY
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
React2Shell is a CVSS 10.0
unauthenticated remote code execution vulnerability in
React Server Components (RSC) and the Flight protocol,
affecting React 19.x and Next.js 15-16.
The vulnerability stems from unsafe deserialization
combined with server-side prototype pollution,
allowing attackers to execute arbitrary JavaScript on
vulnerable servers with no authentication required.
⚡ THIS IS A LOG4SHELL-SCALE EMERGENCY
PATCH IMMEDIATELY
Key Impact Points:
- Zero Authentication Required
- Exploitable with single HTTP POST request
-
- Default Configuration Exposure
- Vulnerable by default in Next.js App Router
-
- Maximum Severity
- CVSS 10.0 with full RCE capabilities
-
- Actively Weaponized
- Working PoCs available within 48 hours
-
- Nation-State Deployment
- Confirmed China-nexus APT exploitation
-
- Widespread Internet Exposure
- Thousands of vulnerable instances identified
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
? VULNERABILITY OVERVIEW
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
What is React Server Components (RSC)?
React Server Components represent a paradigm shift
in React applications. Introduced in React 19, RSC allows
developers to render component trees on the server and
serialize them to the client via the Flight protocol.
The Flight protocol uses custom serialization and
deserialization to transmit RSC payloads between server
and client. Unlike JSON, the Flight codec handles complex
object graphs and promises, making it powerful but
dangerous if not carefully implemented.
How RSC/Flight is Exposed
In Next.js 15/16 with App Router (the
default), any application automatically exposes an RSC
endpoint that listens for incoming Flight protocol requests.
The endpoint is accessible at any route by including
the Next-Action header in HTTP POST requests.
Critical Point: Even if a
developer never explicitly defined any server actions, the
vulnerability still exists. A blank Next.js application is
fully exploitable without any additional code.
Root Cause: Where the Vulnerability Lives
The vulnerability exists in the deserialization
logic of the Flight protocol codec, specifically in the
react-server-dom-* packages (webpack, turbopack,
parcel variants).
The Core Issue: The
decoder fails to properly validate object structure and
types during reconstruction.
- No Type Checking - The getOutlinedModel
function allows unconstrained traversal through object
properties via reference syntax like $1:__proto__:then
-
- Prototype Pollution Window - By
manipulating the __proto__ chain during deserialization,
attackers can pollute the prototype of objects in sensitive
contexts
-
- Function Constructor Gadget - The
native Function() constructor is accessible as
Array.constructor.constructor and can be invoked via
object traversal
This is a textbook example of server-side
prototype pollution with gadget chain exploitation—the
same vulnerability class that devastated frontend security,
now on the backend.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
? ROOT CAUSE ANALYSIS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
The Vulnerable Code Pattern
The vulnerability manifests in the getOutlinedModel
function, which reconstructs objects from reference strings
in the Flight protocol:
Code:
function getOutlinedModel(response, reference,
parentObject, key, map) {
var id = parseInt(
(reference = reference.split(":"))[0], 16);
switch (
("resolved_model" ===
(id = getChunk(response, id)).status &&
initializeModelChunk(id),
id.status)
) {
case "fulfilled":
for (
key = 1, parentObject = id.value;
key < reference.length;
key++
)
parentObject = parentObject[reference[key]];
return map(response, parentObject);
}
}THE PROBLEM: The loop
allows unrestricted traversal through any property chain. By
crafting a reference like $1:__proto__:then, an attacker can
access and modify the prototype chain of objects during
deserialization.
Deserialization Process
When the Flight protocol payload arrives on the
server, it's structured as multipart form data. Each
form field contains a serialized chunk — either a JSON
object, a reference string, or special markers.
Deserialization Steps:
- Parse Form Fields - Each field (0, 1,
2, ...) is parsed and registered as a chunk
-
- Resolve Root Chunk - Deserialization
begins with a designated root chunk (e.g., chunk 0)
-
- Process References - When a chunk
contains a reference string (e.g., $1), the deserializer
resolves it
-
- Traverse Property Chain - If the
reference contains property accessors (e.g., $1:foo:bar),
the deserializer traverses: chunk_1.foo.bar
-
- Invoke Handlers - Special reference
prefixes trigger custom handlers that can execute functions
-
- Return Final Value - The reconstructed
object is returned to the application
The Promise Chain Trigger
A critical aspect of the vulnerability involves
how promises are handled in the deserialization. When a
chunk is marked as a promise (via the $@ prefix), the
deserializer creates a pending promise and later resolves it.
Attackers can craft a malicious object whose
.then() property points to a gadget chain that, when
invoked, executes the Function constructor with attacker-
controlled code.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
⚙️ PAYLOAD STRUCTURE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Anatomy of a Working PoC Payload
Here's a simplified breakdown of how a working
exploit payload is structured. Modern payloads use several
chunks that reference each other in a carefully crafted
sequence:
Code:
Field 0: {
"then": "$1:__proto__:then",
"status": "resolved_model",
"reason": -1,
"value": "...",
"_response": "$4"
}
Field 1: { /* placeholder chunk */ }
Field 2: "$@3" /* Promise marker */
Field 3: [] /* Empty array becomes Function() */
Field 4: {
"_prefix": "process.mainModule.require('child_process')
.execSync('COMMAND');",
"_formData": {
"get": "$3:constructor:constructor"
}
}Payload Walkthrough
- Phase 1: Chunk Registration - All form
fields are parsed and stored in a chunk map with IDs and
metadata.
-
- Phase 2: Root Deserialization Begins -
Starts with chunk 0 containing reference to $1:__proto__:then
-
- Phase 3: Prototype Pollution - When
resolving $1:__proto__, the deserializer accesses the
__proto__ property of chunk 1, polluting the shared prototype
-
- Phase 4: Promise Chain Setup - Chunk 0's
then property is set to the polluted handler. When processed,
.then() is called.
-
- Phase 5: Function Constructor Access -
$3:constructor:constructor resolves to the native Function
constructor
-
- Phase 6: Code Execution - The malicious
.then() handler invokes the gadget chain, calling Function()
with attacker code
Alternative Gadget Chains
- child_process.execSync() - Direct
command execution (most common)
- child_process.exec() - Async command
execution
- fs.readFileSync() - File read gadget
- vm.runInThisContext() - JavaScript
execution in current context
- Module.require() - Dynamic module
loading for further exploitation
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
? EXPLOITATION MECHANICS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Basic Exploitation Flow
- Target Identification - Identify targets
running vulnerable Next.js or React RSC versions
-
- Craft Payload - Generate malicious
Flight protocol payload with embedded commands
-
- Deliver Payload - Send as multipart
form POST request with Next-Action header
-
- Server-Side Processing - Vulnerable
server deserializes payload and executes code
-
- Command Execution - Runs with Node.js
process privileges
-
- Post-Exploitation - Establish reverse
shell, dump secrets, deploy malware
Real-World Command Examples
Reconnaissance Commands:
Spoiler:
Credential Harvesting:
Spoiler:
Malware Deployment:
Spoiler:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
? REAL-WORLD ATTACK SCENARIOS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
The Exploitation Timeline
- December 3, 2025 - Vulnerability
disclosed by Meta/Facebook
- December 4 (Morning) - Working PoC
released by Moritz Sanft
- December 4 (Evening) - Lachlan Davidson
releases refined PoC
- December 4 (Night) - Metasploit module
published
- December 5 - 800+ unique IPs scanning
for vulnerability
- December 5 - Weaponized payloads
observed in the wild
- December 5 - CISA adds to Known
Exploited Vulnerabilities list
This is the fastest weaponization of a web RCE
vulnerability in recent history.
China-Nexus APT Activity
According to Wiz, AWS, and Datadog telemetry,
China-linked threat groups began exploitation within 24
hours of PoC availability:
Attack Pattern 1: Credential
Harvesting
- Establish reverse shell within Node.js
process
- Enumerate environment variables for secrets
(AWS keys, tokens, database passwords)
- Recursively scan filesystem for sensitive
files
- Dump /etc/passwd and other sensitive system
files
- Exfiltrate findings to attacker infrastructure
Attack Pattern 2: Cloud Metadata
Access
- Probe for cloud metadata endpoints
(169.254.169.254)
- Retrieve IAM role credentials with broad
permissions
- Pivot to cloud infrastructure (S3, RDS,
Lambda, etc.)
- Escalate privileges and move laterally
Attack Pattern 3: Cryptominer
Deployment
- Download XMRig (Monero cryptominer) from
attacker infrastructure
- Execute with attacker-controlled Monero wallet
address
- Establish persistence (nohup /var/tmp/crond)
- Some variants use UPX-packed binaries and
privilege escalation (CVE-2021-4034)
Attack Pattern 4: Persistent
Backdoor (Sliver)
- Download Sliver C2 payload from dynamic DNS
infrastructure
- Execute from writable temporary directory
(/tmp, /var/tmp)
- Establish encrypted C2 communication with
attacker infrastructure
- Enable interactive remote access for operator-
driven exploitation
Known Infrastructure & IOCs
Malware Hosting Servers:
Spoiler:
C2 & Infrastructure Domains:
Spoiler:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
?️ DETECTION & EVASION
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Detection Methods
Signature-Based Detection
Characteristic HTTP Headers:
- Next-Action header present in POST requests
- Content-Type: multipart/form-data
- Requests to known RSC paths: /, /_next/data/,
/api/rsc
Payload Signatures:
- References containing __proto__: chain
- References with constructor:constructor
pattern
- _prefix field containing shell commands
(execSync, exec, spawn)
- _formData containing get property
WAF Detection Rules:
Spoiler:
Host-Level Indicators:
- Unexpected shell processes (bash, sh, zsh,
PowerShell) spawned from Node.js
- curl/wget processes executed by Node.js
- Unexpected file modifications in /tmp or
/var/tmp
- Unusual environment variable access or
exfiltration
- Reverse shell connections from Node.js
process
Evasion Techniques
1. WAF Padding/Junk Data
- Prepend large junk data to bypass WAF body inspection
limits.
2. Alternative Reference Syntaxes
- Use variations like $1:["__proto__"]["then"] or hex-
encoded property names.
3. Obfuscated Command
Execution - Use eval, Function(), or base64
encoding to hide commands.
4. Vercel WAF Bypass
- Use alternative multipart structures and form field
ordering.
5. Chunked/Distributed
Payloads - Spread gadget chain across multiple
chunks with obfuscated references.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
? MITIGATION & PATCHING
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
IMMEDIATE ACTIONS (TODAY):
- Identify Affected Versions - Check
package.json for vulnerable versions of Next.js and React
RSC packages
-
- Upgrade to Patched Versions - Next.js:
15.0.5+, 15.1.9+, 15.2.6+, 15.3.6+, 15.4.8+, 15.5.7+, 16.0.7+
| React RSC packages: 19.0.1, 19.1.2, 19.2.1
-
- Deploy Patches - Do not wait for
normal release cycles. This is a security emergency.
SECONDARY ACTIONS (WITHIN 48
HOURS):
- Rotate Secrets & Credentials - Assume
all environment variables are compromised if server was
exposed
-
- Security Audit & Incident Response -
Review logs for POST requests with Next-Action headers and
shell process execution
-
- WAF & Network Hardening - Deploy rules
to block exploitation attempts and rate limit RSC endpoints
ONGOING ACTIONS (DAYS 3-7):
- Post-Breach Investigation - If
compromise suspected, engage incident response team and
collect forensic evidence
-
- Long-Term Security Improvements -
Implement least privilege, restrict outbound network access,
deploy RASP solutions
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
? POC RESOURCES & TOOLS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
OFFICIAL INFORMATION &
DISCLOSURES
- React2Shell Official Site:
https://react2shell.com
- NVD CVE-2025-55182:
https://nvd.nist.gov/vuln/detail/CVE-2025-55182
- CISA Known Exploited Vulnerabilities:
Confirmed KEV (Dec 5, 2025)
- Vercel Security Bulletin:
https://vercel.com/blog/resources-for-protecting-
against-react2shell
TECHNICAL ANALYSIS & DEEP
DIVES
- Wiz Research Report:
https://www.wiz.io/blog/nextjs-cve-2025-55182-
react2shell-deep-dive
- Datadog Security Labs:
https://securitylabs.datadoghq.com
- Rapid7 Exploit Rating:
https://www.rapid7.com/blog
- AWS Security Blog:
https://aws.amazon.com/blogs/security/
PROOF-OF-CONCEPT EXPLOITS
- Lachlan Davidson's PoC:
https://github.com/lachlan2k/React2Shell-CVE-2025-55182-
original-poc
- Assetnote React2Shell Scanner:
https://github.com/assetnote/react2shell-scanner
- Metasploit Module:
exploit/multi/http/react2shell_cve_2025_55182
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
⚠️ FINAL WARNINGS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
THIS VULNERABILITY IS:
- CVSS 10.0 - Maximum severity
- Unauthenticated - No credentials
needed
- Default-Vulnerable - Exploitable on
blank applications
- Trivially Exploitable - Single HTTP
POST request achieves RCE
- Weaponized - Working PoCs, Metasploit
modules, automated scanners
- Actively Exploited - Confirmed in-the-
wild by nation-state groups
═══════════════════════════════════════════════════════════
IF YOU RUN REACT SERVER
DO NOT:
DO:
COMPONENTS IN PRODUCTION:
═══════════════════════════════════════════════════════════
DO NOT:
- ❌ Wait for normal patch deployment windows
- ❌ Assume your server is secure because it's
not publicly listed
- ❌ Rely solely on WAF/firewall protection
- ❌ Skip credential rotation if previously
exposed
DO:
- ✅ Patch immediately (today if possible)
- ✅ Assume breach if server was exposed before
Dec 3 at any point
- ✅ Rotate all secrets and credentials
immediately
- ✅ Deploy detection rules and WAF
protections
- ✅ Monitor outbound network traffic from
application servers
═══════════════════════════════════════════════════════════
Document compiled from authoritative
sources including Meta, Vercel, AWS, Wiz, Datadog, Rapid7, and
active threat intelligence.
sources including Meta, Vercel, AWS, Wiz, Datadog, Rapid7, and
active threat intelligence.
Last updated December 8, 2025
═══════════════════════════════════════════════════════════
![[Image: horusgif2.gif]](https://i.ibb.co/s46fn3G/horusgif2.gif)
paid ad - 05/15/2026
[Selling Signature Ad Space - DM Me]
![[Image: C2NgFpu.gif]](https://i.imgur.com/C2NgFpu.gif)
![[Image: uWztodn.gif]](https://i.imgur.com/uWztodn.gif)
![[Image: wow.gif]](https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Fstatic.cracked.st%2Fimages%2Fsmilies%2Fwow.gif)
![[Image: WEcKbCO.png]](https://i.imgur.com/WEcKbCO.png)