React2Shell RCE Vulnerability: A Critical Threat to React and Next.js Ecosystems
A critical remote code execution (RCE) vulnerability, identified as CVE-2025-55182 and termed React2Shell, is currently being actively exploited in the wild. This flaw resides within the React Server Components’ Flight protocol, posing significant risks to applications built on React and its associated frameworks, notably Next.js.
Understanding the React2Shell Vulnerability
The React2Shell vulnerability stems from an unsafe deserialization process within the React Server Components’ Flight protocol. Deserialization vulnerabilities occur when untrusted data is processed without adequate validation, potentially allowing attackers to execute arbitrary code on the server. In this case, the flaw enables unauthenticated remote code execution, meaning attackers can exploit it without needing valid credentials.
Active Exploitation and Attack Patterns
Security researchers from GreyNoise have observed a surge in automated exploitation attempts targeting this vulnerability. These attacks are characterized by:
– Automated Tools: The use of both contemporary and legacy systems to launch attacks, indicating a reliance on automated scripts and tools.
– Integration with Botnets: The incorporation of the React2Shell exploit into botnet frameworks like Mirai, suggesting a rapid adaptation by cybercriminals to leverage this vulnerability for widespread attacks.
Technical Breakdown of the Exploitation Process
The exploitation of React2Shell typically follows a multi-stage process:
1. Initial Validation: Attackers send PowerShell commands performing simple arithmetic operations (e.g., `powershell -c ‘4013841979’`) to confirm the ability to execute code remotely.
2. Payload Deployment: Upon successful validation, encoded PowerShell scripts are deployed. These scripts are designed to download and execute additional malicious payloads.
3. Bypassing Security Measures: The malicious scripts employ techniques to bypass Windows Antimalware Scan Interface (AMSI) by setting `System.Management.Automation.AmsiUtils.amsiInitFailed` to `true`, effectively disabling AMSI’s scanning capabilities.
Indicators of Compromise and Defensive Measures
Organizations should be vigilant for signs of exploitation, including:
– Unusual User Agents: Traffic from user agents such as `Go-http-client/1.1`, `Assetnote-tagged scanners on Chrome 60`, `Safari 17.2.1`, and tools like `aiohttp` and `python-requests`.
– Geographical Indicators: A significant concentration of attack sources from ASNs in the Netherlands, China, the United States, and Hong Kong, with nearly half of the malicious IPs first detected in December 2025.
Recommended Actions for Mitigation
To protect against the React2Shell vulnerability, organizations are advised to:
1. Immediate Patching: Update React Server Components and Next.js deployments to the latest versions that address this vulnerability.
2. Network Monitoring: Utilize tools like GreyNoise Block to identify and block IP addresses associated with exploitation attempts.
3. Endpoint Detection: Implement monitoring for PowerShell process creations, especially those involving encoded commands or AMSI bypass techniques.
4. Access Controls: Restrict access to critical systems and ensure that only authorized personnel can deploy or modify server components.
Conclusion
The React2Shell vulnerability represents a significant threat to applications built on React and Next.js frameworks. Given the active exploitation and integration into botnet infrastructures, it is imperative for organizations to act swiftly by applying patches, enhancing monitoring, and implementing robust security measures to mitigate potential attacks.
