The vulnerability lies in the reviveModel function of ReactFlightReplyServer.js, the code that reconstructs JavaScript objects from Flight payloads (typically the arguments of a Server Action). The revival logic did not restrict lookups to the payload's own keys (for example with an Object.prototype.hasOwnProperty check), so an attacker-supplied key could reach, or stand in for, inherited properties such as then or constructor. Because the runtime's later handling of a revived object depends on exactly those properties, this gives the payload control over what the deserialisation process does with it, up to executing attacker-chosen code.
The "Thenable" Gadget Chain
Exploitation follows a specific four-stage sequence:
- Self-reference: the payload sets up a circular reference (a chunk that refers to itself) to put the parser into the state the later stages rely on. This self-reference is the first indicator of a malicious payload in WAF logs.
- Hijacking 'then': the attacker injects an object carrying a then property. Because the key is never validated as an own property of the payload, the runtime treats the object as a Promise-like value (a "thenable").
- The trigger: a specific flag, "status":"resolved_model", prompts the React parser to process the malicious object immediately rather than lazily.
- Execution: when the runtime tries to settle the fake Promise, it invokes the attacker-chosen constructor (in observed payloads, one that reaches child_process), which builds and runs the embedded system command.
Crucially, this happens pre-authentication. The server must deserialise the request in order to understand what it asks for, and it does so before any authorisation logic runs, so the malicious code executes before session validation can take place. Applications behind a login screen therefore remain vulnerable as long as the Flight endpoint itself is reachable.
Exploitation Timeline: From Disclosure to Mass Weaponisation
The trajectory of CVE-2025-55182 illustrates how short the window between disclosure and widespread exploitation has become. The vulnerability was privately disclosed to Meta on 29 November 2025, and patches for React and Next.js were published on 3 December 2025. Active exploitation attempts against AWS honeypots were observed within hours of the patch release. Attribution linked this initial activity to China-nexus groups, which suggests either pre-disclosure knowledge or a very fast reverse-engineering of the patch.
By 4 December the capability had spread widely: functional proof-of-concept (PoC) exploits were published, turning earlier non-functional noise into viable remote code execution. Mass scanning followed, with manual probing giving way to automated botnet activity. In the days after, distinct campaigns emerged, ranging from opportunistic cryptomining (XMRig) and credential harvesting to the deployment of persistent backdoors such as PeerBlight and Sliver.
Threat Actor Attribution and Campaign Analysis
The threat landscape for React2Shell is diverse, split between sophisticated state-sponsored espionage and high-volume opportunistic cybercrime.
State-Nexus Activity (PRC):
- Earth Lamia (APT41 nexus): observed leveraging the vulnerability to establish stealthy footholds for espionage in the government, finance and logistics sectors.
- Jackpot Panda: Focused on East Asia, utilising "Operational Relay Box" (ORB) networks of compromised IoT devices to obfuscate the origin of their attacks.
North Korean Operations (DPRK):
- "Contagious Interview" Campaign: Unit 42 identified activity targeting the defence industrial base and financial systems.
- Advanced Evasion: Threat actors employed "EtherHiding" (concealing malicious code within blockchain transactions) to deploy payloads such as EtherRAT and KANDYKORN.
Cybercriminal Ecosystem:
- Botnets (Mirai & Rondo): Responsible for the majority of attack volume, these groups rapidly updated propagation modules to include React2Shell exploits.
- Tactics: a "spray and pray" approach that deploys XMRig cryptominers. These infections are noisy (sustained high CPU usage) and easy to detect, which makes them the first sign many organisations get that a host has been exploited.
Malware Analysis: The Post-Exploitation Ecosystem
The post-exploitation landscape has escalated rapidly. Attackers are moving beyond simple reverse shells to robust, feature-rich backdoors designed for long-term persistence on Linux hosts and in cloud environments.
- PeerBlight (novel Linux backdoor):
  - Stealth and persistence: the malware masquerades as a legitimate kernel thread (e.g., ksoftirqd) and hides in obscure directories. It persists by creating a systemd service.
  - Resilient C2 infrastructure: rather than a fixed C2 server, PeerBlight uses a Distributed Hash Table (DHT) protocol to form a resilient peer-to-peer network. Configuration updates must pass a strict custom verification check, which stops researchers from injecting their own updates or enumerating peers to map the botnet.
- Auto-Color (PAM backdoor):
  - Authentication hijacking: identified by Unit 42, this malware targets the Linux Pluggable Authentication Modules (PAM) system by hooking or replacing the pamssod library.
  - "Magic password" access: the hooked module accepts a specific hardcoded credential for any user, root included, over SSH. This persistence survives patching of the original React vulnerability, so patching alone does not evict the attacker.
- Adversary emulation frameworks (Sliver and Cobalt Strike):
  - Deployment of a framework such as Sliver signals hands-on human operators rather than automated bots. Its mutually authenticated TLS (mTLS) transport lets beacon traffic blend in with ordinary HTTPS, and the compromised web server becomes a beachhead for internal network scanning and Active Directory compromise.
Vulnerable versions of the React Server Components packages:
- react-server-dom-webpack (19.0.0, 19.1.0, 19.1.1, 19.2.0)
- react-server-dom-parcel (19.0.0, 19.1.0, 19.1.1, 19.2.0)
- react-server-dom-turbopack (19.0.0, 19.1.0, 19.1.1, 19.2.0)
Remediation
Immediate Patching:
- Upgrade to fixed versions of React Server Components (19.0.1, 19.1.2, 19.2.1) and Next.js (15.0.4+, 16.0.7+), taking the patched release for the minor line you are on as listed in the Next.js advisory.
- Crucially, audit the lockfile (package-lock.json) rather than package.json alone: a top-level upgrade can leave a transitive copy of react-server-dom-webpack, -parcel or -turbopack pinned at an affected version under another package's node_modules. Confirm with npm ls react-server-dom-webpack (and the parcel and turbopack variants) that every resolved copy is a fixed release.
Assume Compromise & Rotate:
- Any internet-facing server exposed between 3 December and the time of patching must be treated as compromised.
- Organisations should re-image affected servers from known-good sources (do not attempt to "clean" them) and immediately rotate every secret the server could read: environment variables, database credentials, cloud access keys and any tokens injected by the deployment pipeline.
Cloud Hardening: enforce least privilege on the IAM role attached to the instance so that a compromised web server cannot reach data it does not need. In AWS, require IMDSv2 (set the instance metadata option --http-tokens to required) so that credential requests need a session token obtained with a PUT, and keep the PUT response hop limit at 1 on container hosts so that a process in a container cannot reach the instance role. This defeats the one-line curl 169.254.169.254 credential grabs used by opportunistic scripts, but it does not stop an attacker who already has code execution on the instance from completing the token handshake, which is why the role's permissions still have to be minimal.