


Perceptive Security
SOC/SIEM Consultancy

React2Shell flaw (CVE-2025-55182) exploited for remote code execution
Published:
11 December 2025 at 18:07:12
Alert date:
11 December 2025 at 19:01:12
Source:
news.sophos.com
Web Technologies, Zero-Day Vulnerabilities, Ransomware & Malware, Supply Chain & Dependencies
The React2Shell vulnerability (CVE-2025-55182) in React Server Components is being actively exploited for remote code execution. The flaw lets an unauthenticated attacker run arbitrary code on an affected server. Security researchers have confirmed that exploit code is publicly available, which raises the risk of widespread opportunistic attacks. Organizations running React Server Components, including Next.js applications built on them, should treat patching this critical vulnerability as their first priority; the availability of working exploits makes it a high-priority concern for defenders.
Technical details
React2Shell is a flaw in React Server Components versions 19.0.0, 19.1.0, 19.1.1 and 19.2.0 in the way data sent from the browser to the server over React's 'Flight' protocol is handled. The server deserializes incoming request bodies into JavaScript objects, and that deserialization does not validate the payload sufficiently: a specially crafted request bypasses the expected format checks and lets the attacker influence what code the application executes. A single malicious HTTP request, sent without any authentication or credentials, is enough to execute arbitrary JavaScript with the privileges of the application process.
Mitigation steps:
Organizations operating internet-facing React Server Components infrastructure should patch CVE-2025-55182 immediately. Patching does not remove an implant that is already present, so hosts that were exposed before the fix was applied should also be checked for post-exploitation activity: rapid deployment of Linux loaders, persistence via systemd units, cron jobs and rc.local, covert Node.js installations in hidden directories, network discovery, and exfiltration beacons. Use the Sophos detections (Linux/DldrYI, Linux/AgntGA, Linux/AgntFZ, Linux/AgntGB, Linux/AgntGC, Linux/DldrYG) and monitor for the threat indicators listed below.
Affected products:
React Server Components 19.0.0
React Server Components 19.1.0
React Server Components 19.1.1
React Server Components 19.2.0
Next.js (indirectly affected)
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2025-55182
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
https://infosec.exchange/@shadowserver/115690544827801847
https://attack.mitre.org/techniques/T1543/002/
https://attack.mitre.org/techniques/T1053/003/
https://attack.mitre.org/techniques/T1037/004/
https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
https://unit42.paloaltonetworks.com/cve-2025-55182-react-and-cve-2025-66478-next/
https://www.secureworks.com/research/threat-profiles/bronze-snowdrop
https://www.sysdig.com/blog/etherrat-dprk-uses-novel-ethereum-implant-in-react2shell-attacks
Related CVEs:
Related threat actors:
IOCs:
gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh
011a62df99e52c8b73e259284ab1db47
c3924fc5a90b6120c811eb716a25c168c72db0ba
fb3a6bdf98d5010350c04b2712c2c8357e079dec2d2a848d0dc2def2bafcc984
tsd.sh
3ba7c58df9b6d21c04eaa822738291b60c65b7c8
init.sh
88af4a140ec63a15edc17888a08a76b2
da33bda52e9360606102693d68316f4ec1be673e
5a6fdcb5cf815ce065ee585a210c19d1c9efb45c293476554bf1516cc12a1bab
b.sh
1e54a769e692a69d74f598e0b1fdb2949f242de3
hybird-accesskey-staging-saas[.]s3[.]dualstack[.]ap-northeast-1[.]amazonaws[.]com/agent
194[.]38[.]11[.]3:1790
webhook[.]site
/usr/infju/system_os
/etc/cron.hourly/tsd
/var/log/system_os_management.log
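As an added example, not code from Sophos, Perceptive or the React project: a POSIX shell triage script that hunts a live Linux host or a mounted disk image for the indicators above and for the persistence locations (systemd, cron, rc.local) named in the mitigation steps. It assumes GNU coreutils (md5sum, sha1sum, sha256sum) and POSIX find/grep. The hash list is matched against every file under the persistence directories rather than paired with particular file names, because the alert does not state which hash belongs to which dropper. The hidden-Node.js check is a heuristic of my own (any file named node under a dot-directory); the persistence directory list is also an assumption.

```shell
#!/bin/sh
# React2Shell (CVE-2025-55182) host triage: added example, not from the alert's source.
# Prints one "TYPE<TAB>detail" line per finding; exit status 1 means at least one hit.

# Indicators copied from the alert (defanged dots restored).
IOC_PATHS="/usr/infju/system_os /etc/cron.hourly/tsd /var/log/system_os_management.log"
IOC_NAMES="tsd.sh init.sh b.sh gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh"
# Strings worth finding inside cron/systemd/rc files: C2, exfil, staging host, implant path.
IOC_STRINGS="194.38.11.3 webhook.site hybird-accesskey-staging-saas.s3.dualstack.ap-northeast-1.amazonaws.com /usr/infju/system_os"
IOC_HASHES="
011a62df99e52c8b73e259284ab1db47
c3924fc5a90b6120c811eb716a25c168c72db0ba
fb3a6bdf98d5010350c04b2712c2c8357e079dec2d2a848d0dc2def2bafcc984
3ba7c58df9b6d21c04eaa822738291b60c65b7c8
88af4a140ec63a15edc17888a08a76b2
da33bda52e9360606102693d68316f4ec1be673e
5a6fdcb5cf815ce065ee585a210c19d1c9efb45c293476554bf1516cc12a1bab
1e54a769e692a69d74f598e0b1fdb2949f242de3
"
# Persistence locations from the mitigation text (assumed directory list), relative to ROOT.
PERSIST_DIRS="etc/cron.d etc/cron.hourly etc/cron.daily var/spool/cron etc/systemd/system etc/rc.local etc/rc.d"

# Print MD5, SHA-1 and SHA-256 of a file, one per line (GNU coreutils assumed).
file_hashes() {
  md5sum "$1" | cut -d' ' -f1
  sha1sum "$1" | cut -d' ' -f1
  sha256sum "$1" | cut -d' ' -f1
}

# react2shell_hunt ROOT   (ROOT is "/" for a live host or the mount point of an image)
react2shell_hunt() {
  root="${1%/}"; scan="${root:-/}"; hits=0
  # 1. Exact host paths from the IOC list.
  for p in $IOC_PATHS; do
    [ -e "$root$p" ] && { printf 'path\t%s\n' "$root$p"; hits=$((hits+1)); }
  done
  # 2. Dropper/loader script names anywhere on the same filesystem.
  for n in $IOC_NAMES; do
    for f in $(find "$scan" -xdev -type f -name "$n" 2>/dev/null); do
      printf 'name\t%s\n' "$f"; hits=$((hits+1))
    done
  done
  for d in $PERSIST_DIRS; do
    [ -e "$root/$d" ] || continue
    # 3. Hash every file under a persistence location against the IOC hash list.
    for f in $(find "$root/$d" -type f 2>/dev/null); do
      for h in $(file_hashes "$f"); do
        case "$IOC_HASHES" in *"$h"*) printf 'hash\t%s %s\n' "$h" "$f"; hits=$((hits+1));; esac
      done
    done
    # 4. Persistence files that reference the C2/staging hosts or the implant path.
    for s in $IOC_STRINGS; do
      for f in $(find "$root/$d" -type f -exec grep -lF "$s" {} + 2>/dev/null); do
        printf 'ref\t%s in %s\n' "$s" "$f"; hits=$((hits+1))
      done
    done
  done
  # 5. Heuristic: a 'node' binary living under a dot-directory (covert Node.js install).
  for f in $(find "$scan" -xdev -type f -name node -path '*/.*' 2>/dev/null); do
    printf 'hidden-node\t%s\n' "$f"; hits=$((hits+1))
  done
  [ "$hits" -eq 0 ]
}

# Usage: sh react2shell_hunt.sh /            (live host)
#        sh react2shell_hunt.sh /mnt/image   (mounted disk image)
if [ -n "${1:-}" ]; then react2shell_hunt "$1"; fi
```

Run it as root so that /var/spool/cron and root-owned hidden directories are readable. The hidden-node heuristic will also flag legitimate nvm or volta installations under a user's home directory, so review those hits by hand rather than treating every line as a confirmed compromise; a 'path', 'hash' or 'ref' hit, by contrast, matches an indicator from the alert directly and should trigger incident response.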
This article was created with the assistance of AI technology by Perceptive.
