TL;DR:
CVE-2025-55182 is a critical unauthenticated RCE vulnerability in the React Server Components (RSC) "Flight" protocol.
Default configurations are vulnerable – a standard Next.js app created with create-next-app and built for production can be exploited with no code changes by the developer. Exploitation requires only a crafted HTTP request. We've constructed a fully working RCE proof-of-concept that we're withholding for now, but our testing has shown near-100% reliability. UPDATE: Public RCE exploits are now available.
UPDATE: Exploitation has now been observed in the wild by Wiz Research, Amazon Threat Intelligence, Datadog and others.
UPDATE: Wiz Research has observed a post-exploitation pivot toward cloud credential harvesting and cryptocurrency mining.
The flaw stems from insecure deserialization in the RSC payload handling logic, allowing attacker-controlled data to influence server-side execution.
Immediate patching is required. Hardened releases for React and Next.js are available.
Wiz Research data shows 39% of cloud environments contain vulnerable instances.
Technical Details
A critical vulnerability has been identified in the React Server Components (RSC) "Flight" protocol, affecting the React 19 ecosystem and frameworks that implement it, most notably Next.js. Assigned CVE-2025-55182, this flaw allows for unauthenticated remote code execution (RCE) on the server due to insecure deserialization. The vulnerability exists in the default configuration of affected applications, meaning standard deployments are immediately at risk. Due to the high severity and the ease of exploitation, immediate patching is required.
To maintain ecosystem safety while patches are applied, we are currently withholding specific details; the details provided here are intended solely to assist defenders in prioritizing remediation and understanding the risk. For a full technical analysis of the exploit, see our deep-dive blogpost.
What is CVE-2025-55182?
UPDATE: CVE-2025-66478 has been rejected as a duplicate of CVE-2025-55182. This makes sense, as they both have the same root cause. However, this does not mean that detections of CVE-2025-66478 are false positives; the rejection simply means that CVE-2025-55182 covers both cases.
CVE-2025-55182 is a critical unauthenticated remote code execution (RCE) vulnerability in the react-server package used by React Server Components (RSC).
CVE-2025-66478 is the corresponding RCE vulnerability in Next.js, which inherits the same underlying flaw through its implementation of the RSC "Flight" protocol.
The vulnerability fundamentally resides in the react-server package and its handling of the RSC "Flight" protocol. It is characterized as a logical deserialization vulnerability where the server processes RSC payloads in an unsafe manner. When a server receives a specially crafted, malformed payload, it fails to validate the structure correctly. This allows attacker-controlled data to influence server-side execution logic, resulting in the execution of privileged JavaScript code.
In our experimentation, exploitation of this vulnerability was highly reliable, with a near-100% success rate, and can be leveraged into full remote code execution. The attack vector is unauthenticated and remote, requiring only a specially crafted HTTP request to the target server. It affects the default configuration of popular frameworks.
Wiz Research data: what’s the risk to cloud environments?
Wiz data indicates that 39% of cloud environments contain instances of Next.js or React in versions vulnerable to CVE-2025-55182. Regarding Next.js, the framework itself is present in 69% of environments. Notably, 61% of those environments have public applications running Next.js, meaning that 44% of all cloud environments have publicly exposed Next.js instances (regardless of the version running).
Exploitation in the wild
Wiz is tracking rapidly expanding exploitation of CVE-2025-55182 since the full proof of concept exploit became public. Our sensors have identified multiple victims compromised starting December 5 at 6:00 AM UTC, primarily targeting internet-facing Next.js applications and Kubernetes containers. We are continuing to hunt for post-exploitation activity and expect this exploit to be employed by both targeted and opportunistic campaigns. Our visibility confirms the public reporting from GreyNoise and others of significant adoption of this vulnerability. For full analysis of post-exploitation activity and IOC list see our deep-dive blogpost.
Wiz observed attackers establish shells to harvest credentials from environment variables, filesystems, and cloud instance metadata. In one compromised environment, Wiz identified an actor attempting to identify AWS credentials and Base64 encode them, likely in preparation for exfiltration.
At a separate cloud environment, exploitation was followed by a shell script that attempted to install the sliver malware framework.
Wiz has identified multiple cryptomining campaigns that have each affected multiple customers. At this time, we are aware of at least six incidents and expect that to grow.
One campaign dropped a UPX-packed version of the XMRig cryptominer. The earliest instance we have discovered occurred at 6:00 AM UTC on December 5th.
A second cryptominer campaign downloaded the standard XMRig release from GitHub and pointed it at the actors' own mining pool.
Public reporting by GreyNoise has identified 95 IP addresses performing what they assess to be “opportunistic, largely automated exploitation attempts” beginning at 04:00 UTC on December 5th.
AWS reported that they identified multiple China-nexus groups experimenting with early public attempts at exploit code on December 4th, prior to the full PoC being released. Given this interest and past Chinese tactics, we expect a wide range of China-nexus actors to use this exploit in targeted intrusions.
Which products are affected?
| Vulnerable product | Patched release |
|---|---|
| react-server-dom* (19.0.x, 19.1.x, 19.2.x) | 19.0.1, 19.1.2, and 19.2.1 |
| Next.js with App Router (14.3.0-canary.77 and later canary releases, 15.x, 16.x) | 14.x stable, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7 |
Any framework or library bundling the react-server implementation is likely affected. This includes, but is not limited to:
Next.js
Vite RSC plugin
Parcel RSC plugin
React Router RSC preview
RedwoodSDK
Waku
Google has stated that public OS images provided by Google Cloud for Compute Engine are not affected by default.
Which actions should security teams take?
1. Upgrade React and dependencies to the hardened versions (see above). This is the only definitive mitigation.
2. If you are using other RSC-enabled frameworks (Redwood, Waku, etc.), check their official channels for updates regarding the bundled react-server version and update immediately.
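To turn the affected/patched table above into a repeatable check, here is an added example (not Wiz's code and not part of React or Next.js) that classifies installed versions of next and the react-server-dom-* packages against the patched releases listed there, walking a package-lock.json "packages" map. It assumes that minor lines the table does not cover should be reported as "unknown" rather than treated as fixed, and it cannot tell whether a Next.js app actually uses the App Router.

```javascript
// Added example (not Wiz's or the React/Next.js projects' code): classify an installed
// package version against the patched releases in the table above. Minor lines the
// table does not cover are reported as "unknown" rather than assumed fixed.
const FIXED_PATCH = { // first fixed patch per affected minor line, from the advisory table
  "react-server-dom": { "19.0": 1, "19.1": 2, "19.2": 1 },
  next: { "15.0": 5, "15.1": 9, "15.2": 6, "15.3": 6, "15.4": 8, "15.5": 7, "16.0": 7 },
};
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Returns "vulnerable", "fixed" or "unknown" for a package name and version string.
function assess(pkg, version) {
  const isRsc = /^react-server-dom-/.test(pkg);
  if (!isRsc && pkg !== "next") return "unknown";
  const v = parseVersion(version);
  if (pkg === "next" && v.major === 14) {
    // Only 14.3.0 canary builds from canary.77 onward ship the affected code; 14.x stable is unaffected.
    const c = /^canary\.(\d+)$/.exec(v.pre || "");
    if (!c) return "fixed";
    return v.minor === 3 && v.patch === 0 ? (+c[1] >= 77 ? "vulnerable" : "fixed") : "unknown";
  }
  const fix = FIXED_PATCH[isRsc ? "react-server-dom" : "next"][`${v.major}.${v.minor}`];
  if (fix === undefined) return "unknown";
  if (v.patch < fix) return "vulnerable";
  // A prerelease of the fix version itself (e.g. 15.5.7-canary.N) predates the fix: do not trust it.
  return v.patch === fix && v.pre ? "unknown" : "fixed";
}

// Walk a package-lock.json v2/v3 "packages" map and report every relevant dependency.
function scanLockfile(lock) {
  const results = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (name === "next" || name.startsWith("react-server-dom-")) {
      results.push({ name, version: meta.version, status: assess(name, meta.version) });
    }
  }
  return results;
}

// Constructed sample lockfile fragment (not from a real project).
const sampleLock = { packages: {
  "node_modules/next": { version: "15.5.6" },
  "node_modules/react-server-dom-webpack": { version: "19.2.0" },
  "node_modules/react": { version: "19.2.0" },
} };
console.log(scanLockfile(sampleLock));
```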
How can Wiz help?
Use pre-built queries found in the advisory to detect vulnerable instances and evidence of malicious activity.
1. Identification & Visibility
ASM Validation: Wiz added exploitability validation through Wiz Attack Surface Management to confirm which services are actually exploitable, based on Wiz's exploit as well as public ones.
Identify publicly exposed vulnerable VMs, Serverless functions, or Containers.
Correlate agentless vulnerability detections with technology detections validated by the ASM Scanner.
Vulnerability Findings: Filter to find all instances of the vulnerability or focus specifically on "critical issues."
SBOM Analysis: Use SBOM queries to inventory Next.js and RSC instances across the environment.
2. Prevention & Configuration
Wiz-CLI: Use the Command Line Interface to scan container images for these vulnerabilities before they are deployed.
Filter for findings with one-click remediation to automatically generate a Pull Request (PR) with fixes.
Create Code or CI/CD policies to block the vulnerability from being deployed or merged into repositories.
3. Detection & Runtime Defense
Wiz Sensor: Detect anomalous behavior or post-exploitation activities using both specially crafted rules and generic ones.
Monitor for DNS queries indicating out-of-band application security testing (OAST) attempts (e.g., queries to *.oast[.]live or *.oastify[.]com).
Anomalous DNS queries originating from containers running Next.js.
Detections triggered by processes spawned by Next.js.
Investigate events related to specific IP addresses associated with known malicious activity (noting potential for false positives).
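The runtime signals listed above (OAST callback lookups, anomalous DNS from Next.js containers, processes spawned by Next.js) can be checked against sensor telemetry with a few lines of logic. The following is an added example, not Wiz Sensor code: it triages constructed DNS and process events, and the event field names, the Next.js process heuristic and the expected-domain baseline are all assumptions.

```javascript
// Added example (not Wiz's code): triage constructed runtime events from containers running
// Next.js, flagging OAST callback domains, DNS lookups outside an assumed baseline, and
// shells spawned by the Next.js server process. Field names and the baseline are assumptions.
const OAST_SUFFIXES = [".oast.live", ".oastify.com"]; // the OAST domains named above
// Assumed baseline: domains this deployment is expected to resolve.
const EXPECTED_DNS = new Set(["api.internal.example", "registry.npmjs.org"]);
const NEXTJS_MARKER = /node_modules\/next\/|\bnext (start|dev)\b/; // heuristic for a Next.js process

function classifyDns(e) {
  const q = e.query.toLowerCase().replace(/\.$/, "");
  if (OAST_SUFFIXES.some((s) => q.endsWith(s))) return "oast-callback";
  if (NEXTJS_MARKER.test(e.cmdline) && !EXPECTED_DNS.has(q)) return "unexpected-dns-from-nextjs";
  return null;
}

function classifyProcess(e) {
  // A Next.js server has no routine reason to spawn an interactive shell.
  const isShell = /^(\/usr)?\/bin\/(sh|bash|dash)$/.test(e.exe);
  return isShell && NEXTJS_MARKER.test(e.parentCmdline) ? "shell-spawned-by-nextjs" : null;
}

// Returns one finding per suspicious event, in input order.
function triage(events) {
  const findings = [];
  for (const e of events) {
    const tag = e.type === "dns" ? classifyDns(e) : e.type === "process" ? classifyProcess(e) : null;
    if (tag) findings.push({ tag, ts: e.ts, container: e.container });
  }
  return findings;
}

// Constructed sample telemetry (not real events).
const NEXT_CMD = "node /app/node_modules/next/dist/bin/next start";
const sampleEvents = [
  { type: "dns", ts: "2025-12-05T06:01:02Z", container: "web-1", cmdline: NEXT_CMD, query: "api.internal.example." },
  { type: "dns", ts: "2025-12-05T06:01:09Z", container: "web-1", cmdline: NEXT_CMD, query: "x7q2.oastify.com" },
  { type: "dns", ts: "2025-12-05T06:02:41Z", container: "web-1", cmdline: NEXT_CMD, query: "dl.unknown-host.example" },
  { type: "process", ts: "2025-12-05T06:02:40Z", container: "web-1", exe: "/bin/sh", parentCmdline: NEXT_CMD },
  { type: "process", ts: "2025-12-05T06:03:00Z", container: "web-1", exe: "/usr/bin/node", parentCmdline: "npm run start" },
];
console.log(triage(sampleEvents));
```

Trailing dots and letter case in the query name are normalised before matching, so "API.INTERNAL.EXAMPLE." is treated as the baseline entry.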
Worried you're being targeted through CVE-2025-55182 or CVE-2025-66478? Connect with the Wiz Incident Response team for assistance.