


Perceptive Security
SOC/SIEM Consultancy

Critical Vulnerabilities in React and Next.js: everything you need to know
Published:
3 December 2025 at 15:57:17
Alert date:
5 December 2025 at 08:03:23
Source:
wiz.io
Critical remote code execution vulnerabilities, dubbed React2Shell, affect the React and Next.js frameworks. Two CVEs have been identified: CVE-2025-55182 and CVE-2025-66478. These vulnerabilities pose a significant risk to applications built with React and Next.js, and organizations are advised to patch urgently given the critical nature of these RCE flaws. The vulnerabilities could allow attackers to execute arbitrary code on affected systems. Detection and mitigation strategies are essential for organizations using these popular JavaScript frameworks.
Technical details
CVE-2025-55182 is a critical unauthenticated remote code execution vulnerability in the React Server Components (RSC) Flight protocol. The flaw stems from insecure deserialization in the RSC payload handling logic, which allows attacker-controlled data to influence server-side execution. When a server receives a specially crafted, malformed payload, it fails to validate the structure correctly, resulting in execution of privileged JavaScript code. Exploitation requires only a crafted HTTP request and is reported to be near-100% reliable. Default configurations are vulnerable, meaning standard Next.js apps created with create-next-app are immediately exploitable.
Mitigation steps:
Patch urgently (see the vendor advisories under Related links). The indicators of exploitation observed in the wild are listed under IOCs below; they are detection aids, not mitigations.
Affected products:
react-server-dom (19.0.x, 19.1.x, 19.2.x)
Next.js with App Router (14.3.0-canary.77 and later canary releases, 15.x, 16.x)
Vite RSC plugin
Parcel RSC plugin
React Router RSC preview
RedwoodSDK
Waku
Related links:
https://www.wiz.io/blog/nextjs-cve-2025-55182-react2shell-deep-dive
https://www.greynoise.io/blog/cve-2025-55182-react2shell-opportunistic-exploitation-in-the-wild-what-the-greynoise-observation-grid-is-seeing-so-far
https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
https://cloud.google.com/blog/products/identity-security/responding-to-cve-2025-55182/
https://app.wiz.io/boards/threat-center/wiz-adv-2025-118
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
https://vercel.com/changelog/cve-2025-55182
https://www.wiz.io/experiencing-an-incident
Related CVEs:
Related threat actors:
IOCs:
DNS queries to *.oast.live, DNS queries to *.oastify.com, UPX packed XMRig cryptominer, Standard XMRig setup from Github, Sliver malware framework installation attempts, Base64 encoded AWS credentials, 95 IP addresses performing exploitation attempts starting December 5th 04:00 UTC, Exploitation activity beginning December 5th 6:00 AM UTC
This article was created with the assistance of AI technology by Perceptive.
