HawkScan Test Info for React2Shell Remote Code Execution (CVE-2025-55182)

React2Shell Remote Code Execution (CVE-2025-55182)

Reference

Plugin Id: 40058 | CWE: 502 (Deserialization of Untrusted Data)

Remediation

To remediate CVE-2025-55182 (React2Shell), take the following immediate actions:

  1. Upgrade to patched versions:
    • React Server Components packages (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack): 19.0.1, 19.1.2, or 19.2.1, that is, the first fixed release of the 19.x minor line you are on; upgrade react and react-dom to the matching release at the same time
    • Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7, again the first fixed release of your minor line; Next.js 14.x and earlier are not affected
    • Rebuild and redeploy after upgrading: the fix is in the server bundle, so a lockfile change alone does nothing until the deployed artifact is rebuilt
  2. If immediate patching is not possible, reduce exposure with stopgaps (none of these fixes the bug):
    • Add WAF rules that block React Flight payloads containing prototype pollution patterns (for example "$" references into __proto__, constructor, or prototype); expect bypasses, since the rule matches attacker-controlled body text
    • Temporarily disable React Server Components/Server Actions where your framework allows it
    • Reject POST requests that carry a Next-Action header on routes that do not use Server Actions; validating the header value by itself is not enough, because the malicious content is in the request body
  3. Monitor for exploitation:
    • Review logs for POST requests with a Next-Action header; legitimate Server Action calls carry it too, so baseline normal traffic and alert on anomalies (unknown action IDs, unusual sources, bursts against many routes)
    • Look for multipart form-data or text/plain bodies whose JSON contains "$"-prefixed Flight references into __proto__, constructor, or prototype
    • Watch the Node.js process for unusual child processes or outbound network connections, which are the post-exploitation signals of a request that succeeded
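To make step 1 checkable, here is an added example (a triage script written for this page, not HawkScan's plugin and not React or Next.js code) that classifies installed package versions against the fixed releases listed above. It assumes a plain package-to-version mapping as input, such as one extracted from a lockfile or from npm ls --json, and its FIXED_VERSIONS table is copied from the React and Next.js advisories for this CVE; re-check it against the vendor pages before relying on it.

```python
"""Flag package versions that are still exposed to CVE-2025-55182.

Added example for this page; it is not HawkScan, React or Next.js code.
FIXED_VERSIONS is taken from the React and Next.js advisories for this CVE
(an assumption to re-check against the vendor pages). Input is a plain
{package: version} mapping such as you would pull out of a lockfile.
"""
import re

# First patched release of each affected minor line. Versions below the entry
# in the same minor line are vulnerable; minor lines older than those listed
# predate the affected code (assumption based on the vendor advisories).
RSC_LINES = {(19, 0): (19, 0, 1), (19, 1): (19, 1, 2), (19, 2): (19, 2, 1)}
FIXED_VERSIONS = {
    "react-server-dom-webpack": RSC_LINES,
    "react-server-dom-parcel": RSC_LINES,
    "react-server-dom-turbopack": RSC_LINES,
    "next": {(15, 0): (15, 0, 5), (15, 1): (15, 1, 9), (15, 2): (15, 2, 6),
             (15, 3): (15, 3, 6), (15, 4): (15, 4, 8), (15, 5): (15, 5, 7),
             (16, 0): (16, 0, 7)},
}

# major.minor.patch with an optional prerelease tag (e.g. "15.0.5-canary.2")
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\S+))?$")


def classify(package, version):
    """Return 'vulnerable', 'patched', 'unaffected', 'out-of-scope' or 'review'."""
    lines = FIXED_VERSIONS.get(package)
    if lines is None:
        # react and react-dom are upgraded alongside, but the deserializer
        # lives in the react-server-dom-* packages, so they are not checked here.
        return "out-of-scope"
    m = VERSION_RE.match(version.strip())
    if m is None or m.group(4) is not None:
        return "review"  # unparsable, or a canary/prerelease build: compare by hand
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    fixed = lines.get((major, minor))
    if fixed is None:
        # Older than every affected minor line: predates the bug.
        # Newer than every listed line: released after the fix but not in the
        # table, so ask for a human look rather than guess.
        return "unaffected" if (major, minor) < min(lines) else "review"
    return "patched" if (major, minor, patch) >= fixed else "vulnerable"


def check_versions(installed):
    """Classify every package in a {name: version} mapping."""
    return {name: classify(name, ver) for name, ver in installed.items()}


if __name__ == "__main__":
    # Constructed input, as if extracted from a lockfile.
    sample = {"next": "15.5.6", "react-server-dom-webpack": "19.2.0",
              "react": "19.2.0", "react-dom": "19.2.0"}
    for name, status in check_versions(sample).items():
        print(f"{name:28} {sample[name]:12} {status}")
```

Anything reported as "review" (a canary build, or a line newer than the table) needs a manual comparison against the advisory rather than a guess; the script deliberately refuses to call such versions safe.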

About

CVE-2025-55182, known as “React2Shell,” is a critical remote code execution vulnerability in React Server Components and in the Next.js App Router built on them. The flaw is unsafe deserialization on the server side of the React Flight protocol: Server Action arguments are deserialized from the request body with insufficient validation of the resulting object graph, which allows prototype-pollution-style manipulation of internal objects and can be escalated to arbitrary code execution on the server from a single specially crafted HTTP POST request.

The vulnerability was publicly disclosed on December 3, 2025, and is being actively exploited in the wild by multiple threat actors. It affects Next.js 15.x and 16.x applications that use the App Router, as well as other servers built on the react-server-dom packages; no non-default configuration is required, so a stock App Router deployment is exposed.

An attacker exploits it with a single malicious HTTP POST request that carries a Next-Action header, which makes the framework treat the body as Server Action arguments, together with a crafted React Flight payload. No authentication, no valid session, and no user interaction are required.
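The request shape just described is also what the "Monitor for exploitation" steps above key on. The following added example (written for this page, not HawkScan's check) scans JSON access-log lines for that shape. It assumes the reverse proxy writes one JSON object per request with "method", "path", "headers" and a "body" sample (the log format and field names are made up), and its heuristics mirror the indicators on this page: a POST carrying the Next-Action header whose body contains React Flight "$" references that walk into prototype-related properties. Requests without the header are ignored by design, which is a scoping choice, not a statement that they are safe. The sample lines are constructed and only imitate the shape of such a request; they are not the real exploit payload.

```python
"""Scan JSON access-log lines for requests shaped like React2Shell attempts.

Added example for this page, not HawkScan's plugin. The log format, field
names and sample lines are constructed; the heuristics follow the indicators
the page lists (POST + Next-Action header + Flight "$" references into
prototype-related properties) and are assumptions, not a vendor signature.
"""
import json
import re

PROTO_KEYS = ("__proto__", "constructor", "prototype")
# A Flight reference is "$" + optional type letter + chunk id; a ":" suffix
# walks properties of that chunk ("$1:a:b"). Ordinary action arguments rarely
# need a property path, so any path is worth a look (assumption).
FLIGHT_PATH_RE = re.compile(r"\$[A-Za-z@]?\d+(?::[\w$]+)+")


def suspicious_reasons(entry):
    """Return the reasons one log entry looks like an exploit attempt ([] if none)."""
    if entry.get("method", "").upper() != "POST":
        return []
    headers = {k.lower(): v for k, v in entry.get("headers", {}).items()}
    if "next-action" not in headers:
        return []  # Server Action traffic carries it, so it scopes the check
    body = entry.get("body") or ""
    reasons = []
    refs = FLIGHT_PATH_RE.findall(body)
    if refs:
        reasons.append("Flight reference with property path: " + ", ".join(refs))
    hit = [k for k in PROTO_KEYS if k in body]
    if hit:
        reasons.append("prototype-related key in body: " + ", ".join(hit))
    ctype = headers.get("content-type", "")
    if reasons and not ctype.startswith(("multipart/form-data", "text/plain")):
        reasons.append(f"unexpected content-type for a Server Action: {ctype!r}")
    return reasons


def scan_log(text):
    """Return (line_no, source, reasons) for every flagged line of a JSON-lines log."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # unparsable line: not this scanner's job
        reasons = suspicious_reasons(entry)
        if reasons:
            hits.append((n, entry.get("src", "?"), reasons))
    return hits


# Constructed sample log: one JSON object per line, as a proxy might emit.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    # Normal Server Action call: header present, ordinary argument array.
    {"src": "198.51.100.7", "method": "POST", "path": "/account",
     "headers": {"next-action": "40a9c3e1", "content-type": "text/plain;charset=UTF-8"},
     "body": '["save", {"name": "Ada"}]'},
    # Shape of an attempt: "$" reference walking into __proto__ inside a multipart field.
    {"src": "203.0.113.10", "method": "POST", "path": "/",
     "headers": {"next-action": "0000", "content-type": "multipart/form-data; boundary=b"},
     "body": '--b\r\nContent-Disposition: form-data; name="0"\r\n\r\n'
             '{"x":"$1:__proto__:constructor"}\r\n--b--'},
    # Same body without the header: outside this check's scope by design.
    {"src": "203.0.113.11", "method": "POST", "path": "/api/upload",
     "headers": {"content-type": "application/json"},
     "body": '{"x":"$1:__proto__:constructor"}'},
    {"src": "192.0.2.3", "method": "GET", "path": "/", "headers": {}, "body": ""},
])

if __name__ == "__main__":
    for line_no, src, reasons in scan_log(SAMPLE_LOG):
        print(f"line {line_no} from {src}:")
        for r in reasons:
            print("  -", r)
```

The first sample line shows why the Next-Action header alone is not an alert: it is a routine Server Action call and is left alone. Only the body-level indicators promote a request to a hit, and a real deployment should pair this with the process and network monitoring listed under step 3.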

Risks

Exploiting CVE-2025-55182 can result in:

  1. Complete system compromise: Attackers gain the ability to execute arbitrary commands on the server with the privileges of the web application process

  2. Data breach: Access to sensitive application data, databases, environment variables, and file system

  3. Lateral movement: Use of compromised server as pivot point for attacks on internal network resources

  4. Malware deployment: Installation of backdoors, cryptominers, or other malicious software (observed in emerald and nuts malware campaigns)

  5. Supply chain attacks: Potential compromise of build pipelines and deployment infrastructure

This is a CVSS 10.0 (critical) vulnerability that is being actively exploited by APT groups including Earth Lamia and Jackpot Panda.