React2Shell: Chinese APTs Exploit Critical React Server Components RCE

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog on December 5, mandating that federal agencies patch by December 12. However, for private sector organizations, the window to patch before compromise has likely already closed.

Understanding the Vulnerability

This vulnerability is a classic case of unsafe deserialization, but it manifests in a modern, complex architectural layer: the "React Flight" wire protocol.

The Mechanism

React Server Components introduce a blurring of the line between client and server. To make this work, React uses an implicit Remote Procedure Call (RPC) system. When a client interacts with a Server Component, it sends a serialized payload to the server. The server must deserialize this payload to understand which function to run and with what arguments.

The flaw lies in the react-server-dom-* packages (webpack, turbopack, and parcel). The server-side deserializer takes metadata supplied by the user—specifically module and export names—and uses them to look up functions to execute.

Crucially, the vulnerable code performed this lookup without verifying that the requested property belonged to the module itself. It lacked a hasOwnProperty check.

Technical discussions surfacing on Hacker News and security mailing lists describe the root cause code flow roughly as follows:

Because metadata.name is not validated, an attacker can request properties that exist on the JavaScript Object prototype, such as constructor or __proto__.

The Attack Chain

1. Reconnaissance: The attacker identifies a Server Function endpoint. In Next.js applications using the App Router, this is often a route handling next-action headers or requests to /_next/static/chunks/react-flight.
2. Payload Construction: The attacker crafts an HTTP POST request. The body contains a serialized React Flight payload. Instead of a valid function ID, the attacker injects a prototype traversal gadget.
3. Execution: The server receives the payload. The deserializer resolves moduleExports['constructor'], which returns the global Function constructor. The attacker can then pass a string of JavaScript code (e.g., require('child_process').exec('...')) to this constructor.
4. Compromise: The code executes with the privileges of the Node.js process running the web server. This allows for reading environment variables (secrets), accessing the file system (/etc/passwd), or installing persistent backdoors.

This vulnerability is particularly dangerous because it bypasses application-level authentication. The exploit occurs during the request processing pipeline, before the application's own business logic or auth checks typically run.

Who Is Affected

The impact is massive because the vulnerability exists in the underlying libraries used by major meta-frameworks. If you are using Next.js App Router (introduced in version 13), you are almost certainly vulnerable by default.

Affected Products and Versions

Note: Even if your application does not explicitly use "Server Actions" or the "use server" directive, the mere presence of the RSC build artifacts in node_modules and the default routing configuration in frameworks like Next.js exposes the vulnerable endpoints.

Real-World Risk

The exploitation of CVE-2025-55182 is not theoretical; it is active, widespread, and dangerous.

Threat Actor Profiles:

• Earth Lamia & Jackpot Panda: These China-nexus groups are known for cyber espionage. Their rapid adoption of this exploit suggests an intent to establish long-term persistence in corporate networks and steal intellectual property or PII.
• Ransomware Cartels: CISA reports indicate that ransomware precursors are being deployed. Because the vulnerability provides full shell access (react2shell), attackers can easily encrypt server files or exfiltrate databases.

Indicators of Compromise (IoCs): Defenders analyzing their logs should look for the following activity dating back to November 29, 2025:

• Network: HTTP POST requests containing headers next-action or rsc-action-id.
• Payloads: Request bodies containing the string $@ or the JSON snippet "status":"resolved_model".
• Process Execution: Node.js processes spawning unexpected child processes like whoami, id, uname, or cat /etc/passwd.
• File System: Creation of files in /tmp, specifically /tmp/pwned.txt or suspicious shell scripts.

What You Should Do

If you run React Server Components or Next.js, assume you are a target.

1. Patch Immediately

This is the only effective long-term fix.

• Next.js Users: Run npm install next@latest (or the specific patch version for your major line from the table above). Verify the version in your package.json matches the fixed versions.
• React Users: Ensure all react-server-dom-* packages are updated to the x.x.1 or x.x.2 patch releases (e.g., 19.0.1).

2. Emergency Mitigation (WAF)

If you cannot patch immediately, you must block the attack vector at the network edge.

• AWS WAF: Deploy the AWSManagedRulesKnownBadInputsRuleSet version 1.24 or higher. AWS has updated this rule set to block the specific serialization patterns used in the exploit.
• Custom Rules: Configure your WAF to block HTTP POST requests that contain next-action headers AND suspicious body content (like $@ or prototype keywords), though this carries a risk of false positives.

3. Incident Response

Because exploitation began immediately upon disclosure:

• Rotate Secrets: Assume environment variables (API keys, database credentials) exposed to the Node.js process have been compromised. Rotate them immediately after patching.
• Audit Logs: Search for the IoCs listed above. If you find evidence of whoami or /etc/passwd access, initiate your full incident response plan.

The Bigger Picture

CVE-2025-55182 highlights a growing risk in modern web development: the "magic" abstraction of the network boundary. Frameworks like React Server Components aim to make the server and client feel like a single cohesive codebase. However, this abstraction requires an implicit transport layer that, if flawed, exposes the server's internals directly to the public internet.

Just as we saw with Log4Shell in the Java ecosystem, widespread dependencies that handle data deserialization remain a prime target for attackers. In this case, the vulnerability was not in the application code written by developers, but in the glue that holds the modern web together.

Vercel