React2Shell (CVE-2025-55182): Critical Remote Code Execution (RCE) in React Server Components

Vulnerability Overview

React2Shell (CVE-2025-55182) is a critical (CVSS 10.0) pre-authentication Remote Code Execution (RCE) vulnerability in the react-server package used by React Server Components (RSC). It affects React versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and allows unauthenticated adversaries to execute arbitrary JavaScript on the server.

React Server Components (RSC) refers to an architectural model and set of Application Programming Interfaces (APIs) introduced in React 19. These components execute and render ahead of time on the server, before bundling, in an environment separate from client-side React or traditional Server-Side Rendering (SSR).

This architecture relies on React’s Flight protocol, which serializes the React component tree into a format that is streamed to the client. Streaming enables progressive rendering and significantly reduces the amount of client-side JavaScript, improving performance and efficiency.

The vulnerability fundamentally resides in the react-server package’s handling of React Flight payloads. React Flight enables the streaming of complex, inter-referenced data structures. To reconstruct these structures, the server deserializes client-supplied payloads into executable JavaScript objects.

The vulnerability emerges during this deserialization process, where insufficient validation allows attacker-controlled data to influence server-side execution, ultimately enabling arbitrary code execution before any authentication occurs.

Although initial reporting focused on Next.js, particularly due to its popularity and the default exposure of Server Function endpoints, this vulnerability is not framework-specific. It is an upstream flaw in React itself, with implications extending to any platform or framework implementing React Server Components.

CVE-2025-55182 tracks the vulnerability in React’s upstream implementation; CVE-2025-66478 was initially assigned to capture the downstream impact on Next.js applications. The latter has since been rejected as a duplicate, consolidating the issue under the React CVE and reinforcing its broader ecosystem-wide impact.

Vulnerability Exploitation

At a high level, exploitation occurs when the server processes a specially crafted React Flight payload delivered to a Server Function endpoint. This payload is designed to abuse how React Server Components reconstruct client-supplied data on the server.

In a typical RSC workflow, a user interaction, such as submitting a form, causes the browser to package the request data into numbered “chunks”. These chunks reference one another and encode data types using special $X prefixes. Upon receipt, the server reassembles these chunks and deserializes them to determine which server-side action should be executed.

The critical failure occurs during this deserialization phase. When resolving references inside the reconstructed payload, React fails to safely validate property ownership. The server assumes that certain properties belong directly to an object and verifies this assumption with a method call, but that method is invoked on attacker-controlled input, so malicious data can influence server-side execution logic before any authentication takes place. As a result, an attacker can trigger arbitrary JavaScript execution on the server.

The vulnerable code path resides in the reviveModel function within ReactFlightReplyServer.js. When resolving chunk references, the implementation performs a check equivalent to invoking value.hasOwnProperty(i) to determine whether a property belongs to the object being processed.

This approach is inherently unsafe. In JavaScript, ordinary objects, including anything produced by JSON.parse, inherit from Object.prototype, which provides methods and properties such as hasOwnProperty, constructor, and toString. If an attacker controls the object being deserialized, they can shadow or replace hasOwnProperty with a malicious value. Because the ownership check is invoked directly on the untrusted object, the validation can be bypassed entirely. This enables access to prototype chain properties, including constructor and __proto__, ultimately leading to arbitrary code execution.
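The following is an added example, not React’s code and not part of the original post: a simplified model of the ownership check described above, in its vulnerable and hardened forms. A colon-separated path such as "0:user" is followed through an object that came from the request, and each hop is supposed to be allowed only for own properties. The `hostile` object is constructed directly here with a function that always answers "yes"; plain JSON can only place a string at that key, and how a real Flight payload obtains a callable there is outside what this model shows.

```javascript
// Added example (model code, not React's implementation): the own-property
// check in vulnerable and hardened forms. Both follow a ':'-separated path
// through an object that arrived in the request.

function resolvePathUnsafe(root, path) {
  let value = root;
  for (const key of path.split(':')) {
    // The flaw in miniature: hasOwnProperty is looked up on the untrusted
    // object itself, so a request that supplies its own hasOwnProperty
    // decides whether the check passes.
    if (!value.hasOwnProperty(key)) {
      throw new Error(`"${key}" is not an own property`);
    }
    value = value[key];
  }
  return value;
}

function resolvePathSafe(root, path) {
  let value = root;
  for (const key of path.split(':')) {
    // Hardened: the check comes from Object.prototype (Object.hasOwn is the
    // equivalent modern form) and cannot be shadowed by the object being
    // inspected; only plain objects and arrays may be traversed at all.
    if (value === null || typeof value !== 'object' ||
        !Object.prototype.hasOwnProperty.call(value, key)) {
      throw new Error(`"${key}" is not an own property`);
    }
    value = value[key];
  }
  return value;
}

// Constructed inputs for this example. `benign` is the shape of a legitimate
// parsed request; `hostile` shadows hasOwnProperty so every hop is approved.
const benign = { '0': { user: 'alice' } };
const hostile = { hasOwnProperty: () => true };

// Run a resolver and report either its result or that it refused.
function outcome(fn) {
  try {
    return fn();
  } catch (e) {
    return 'rejected';
  }
}

function demo() {
  return {
    benignUnsafe: outcome(() => resolvePathUnsafe(benign, '0:user')),        // 'alice'
    benignSafe: outcome(() => resolvePathSafe(benign, '0:user')),            // 'alice'
    plainUnsafe: outcome(() => resolvePathUnsafe({}, 'constructor')),        // 'rejected': the real check still works on an unshadowed object
    hostileUnsafe: outcome(() => resolvePathUnsafe(hostile, 'constructor')), // Object, reached through the prototype chain: check bypassed
    hostileSafe: outcome(() => resolvePathSafe(hostile, 'constructor')),     // 'rejected'
  };
}

console.log(demo());
```

The point of the `plainUnsafe` case is that the vulnerable pattern only fails when the attacker can shadow the method; on an honest object it behaves exactly like the hardened form, which is why the flaw is easy to miss in review. Anything that calls a method on a value it is about to validate should take the method from `Object.prototype` (or use `Object.hasOwn`) instead.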

AttackIQ has released a new assessment template that compiles the Tactics, Techniques, and Procedures (TTPs) associated with the exploitation of the CVE-2025-55182 (React2Shell) vulnerability, which affects React Server Components (RSC), to help customers validate their security controls and their ability to defend against this critical threat.

Validating security program performance against these behaviors is vital in reducing risk. By employing this assessment template within the AttackIQ Adversarial Exposure Validation (AEV) platform, security teams will be able to:

  • Evaluate security control performance against the Tactics, Techniques and Procedures (TTPs) associated with the exploitation of this critical React vulnerability.
  • Assess overall security posture against a recent and actively exploited vulnerability targeting React Server Components (RSC).
  • Continuously validate detection and prevention pipelines against a worldwide range of adversaries leveraging this critical vulnerability.

React2Shell (CVE-2025-55182): Critical Remote Code Execution (RCE) in React Server Components

This emulation compiles the Tactics, Techniques, and Procedures (TTPs) associated with the exploitation of the CVE-2025-55182 vulnerability affecting React Server Components.

It is based on reports published by Wiz on December 3, 2025, and December 8, 2025, Huntress on December 9, 2025, Trend Micro on December 10, 2025, and Google on December 12, 2025.

1. Web Application Firewall (WAF):

Consists of a scenario designed to imitate the communication associated with the exploitation of the React2Shell vulnerability:

WAF Test (React2Shell Vulnerability (CVE-2025-55182)): Exploit via POST request (T1190): This scenario simulates the CVE-2025-55182 exploit by sending an HTTP POST request containing a malicious multipart/form-data payload to React Server Component endpoints.
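For readers who want to check their own request logs or WAF rules rather than rely on a vendor scenario, the following is an added example, not part of the original post and not AttackIQ’s or React’s code: a heuristic inspector for the multipart/form-data bodies that Server Function endpoints receive. It parses each form field, attempts JSON.parse on the value (Flight chunks are JSON, as the chunk description above implies), and flags property keys that reach into the prototype chain or shadow the ownership check (`__proto__`, `constructor`, `prototype`, `hasOwnProperty`), as well as `$`-prefixed reference strings whose colon-separated path segments name those keys. The boundary, field names and both sample bodies are constructed for this example; the hostile body is shaped only by the property names this post discusses and is a test fixture for the heuristic, not a working exploit.

```javascript
// Added example: heuristic inspection of multipart/form-data bodies posted
// to React Server Component endpoints. Not React's or any vendor's code.
// Sample requests below are constructed for this example.

const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype', 'hasOwnProperty']);

// Pull the boundary out of a Content-Type header (quoted or bare).
function boundaryFromContentType(contentType) {
  const m = /boundary=("?)([^";]+)\1/.exec(contentType);
  return m ? m[2] : null;
}

// Minimal multipart/form-data parser: returns [{ name, value }] per part.
function parseMultipart(body, boundary) {
  const fields = [];
  for (const raw of body.split(`--${boundary}`)) {
    const part = raw.replace(/^\r\n/, '');
    if (part === '' || part.startsWith('--')) continue; // preamble or closing delimiter
    const sep = part.indexOf('\r\n\r\n');
    if (sep < 0) continue;
    const headers = part.slice(0, sep);
    const value = part.slice(sep + 4).replace(/\r\n$/, '');
    const m = /name="([^"]*)"/.exec(headers);
    fields.push({ name: m ? m[1] : '', value });
  }
  return fields;
}

// Recursively walk a parsed chunk. Keys that name prototype-chain members or
// shadow hasOwnProperty are flagged, as are "$"-prefixed references whose
// path segments (after the first) name such members. "$$" is treated as an
// escaped literal dollar sign and ignored.
function walk(node, field, findings) {
  if (typeof node === 'string') {
    if (node.startsWith('$') && !node.startsWith('$$')) {
      for (const seg of node.split(':').slice(1)) {
        if (DANGEROUS_KEYS.has(seg)) findings.push({ field, reason: `ref:${seg}` });
      }
    }
    return;
  }
  if (node === null || typeof node !== 'object') return;
  for (const key of Object.keys(node)) {
    if (DANGEROUS_KEYS.has(key)) findings.push({ field, reason: `key:${key}` });
    walk(node[key], field, findings);
  }
}

// Inspect a whole body; non-JSON fields are skipped as ordinary form data.
function inspectBody(body, boundary) {
  const findings = [];
  for (const { name, value } of parseMultipart(body, boundary)) {
    let parsed;
    try {
      parsed = JSON.parse(value);
    } catch (e) {
      continue;
    }
    walk(parsed, name, findings);
  }
  return findings;
}

// Build a multipart body from { fieldName: rawValue } for the samples below.
function buildBody(boundary, fields) {
  let out = '';
  for (const [name, value] of Object.entries(fields)) {
    out += `--${boundary}\r\nContent-Disposition: form-data; name="${name}"\r\n\r\n${value}\r\n`;
  }
  return out + `--${boundary}--\r\n`;
}

const BOUNDARY = 'exampleBoundary'; // constructed
const BENIGN = buildBody(BOUNDARY, {
  '0': '["$1","submit"]',          // a plain chunk reference is not suspicious by itself
  '1': '{"query":"shoes","page":2}',
});
const HOSTILE = buildBody(BOUNDARY, {
  '0': '{"hasOwnProperty":"$1","then":"$1:__proto__:constructor"}', // constructed fixture
  '1': '{}',
});

console.log('benign:', inspectBody(BENIGN, BOUNDARY));
console.log('hostile:', inspectBody(HOSTILE, BOUNDARY));
```

This is a triage aid, not a substitute for patching: it will miss encodings it does not understand and can flag legitimate applications that use these property names in form data, so treat a hit as a reason to look at the request, and treat the absence of hits as no evidence at all.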

2. Malware Samples

Consists of malware samples associated with the post-exploitation activities following the exploitation of the React2Shell (CVE-2025-55182) vulnerability:

2025-12 Sliver Dropper (React2Shell) Sample (T1105): The Sliver Dropper sample (SHA-256: d033d0e44b4f4be7ca3b8d063ea95699d1c894896ef912bf52c2296bc73f8838) is downloaded to memory and saved to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

2025-12 Sliver Backdoor (React2Shell) Sample (T1105): The Sliver Backdoor sample (SHA-256: 8fee14142577734282aa1f53ea2e5cddaf4a588de40e7b179b13855330077b96) is downloaded to memory and saved to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

2025-12 Stealer (React2Shell) Sample (T1105): The Stealer sample (SHA-256: 7c2d9c6ae9c811c62e67a6279fec0b68047a031eae674d3d5f9279a4ec7e8a25) is downloaded to memory and saved to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

2025-11 XMRig Dropper (React2Shell) Sample (T1105): The XMRig Dropper sample (SHA-256: a26c70f34d35f78f0b95bf402d513f69e196720576d9115dba0efdb4c57deb81) is downloaded to memory and saved to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

2025-06 XMRig Cryptominer (React2Shell) Sample (T1105): The XMRig Cryptominer sample (SHA-256: 6957c6d7f21f698d5ce6734dc00aeddc317d5875c3fd16b8b4a54259e02c46c5) is downloaded to memory and saved to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

2025-12 PeerBlight Backdoor (React2Shell) Sample (T1105): The PeerBlight Backdoor sample (SHA-256: a605a70d031577c83c093803d11ec7c1e29d2ad530f8e95d9a729c3818c7050d) is downloaded to memory and saved to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

2025-12 CowTunnel NTPClient (React2Shell) Sample (T1105): The CowTunnel NTPClient sample (SHA-256: 776850a1e6d6915e9bf35aa83554616129acd94e3a3f6673bd6ddaec530f4273) is downloaded to memory and saved to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

2025-12 ZinFoq (React2Shell) Sample (T1105): The ZinFoq sample (SHA-256: 0f0f9c339fcc267ec3d560c7168c56f607232cbeb158cb02a0818720a54e72ce) is downloaded to memory and saved to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

2025-12 Cobalt Strike Beacon (React2Shell) Sample (T1105): The Cobalt Strike Beacon sample (SHA-256: 4a74676bd00250d9b905b95c75c067369e3911cdf3141f947de517f58fc9f85c) is downloaded to memory and saved to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

2025-11 Mirai Botnet (React2Shell) Sample (T1105): The Mirai Botnet sample (SHA-256: 858874057e3df990ccd7958a38936545938630410bde0c0c4b116f92733b1ddb) is downloaded to memory and saved to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

2025-09 SNOWLIGHT Downloader (React2Shell) Sample (T1105): The SNOWLIGHT Downloader sample (SHA-256: 55ae00bc8482afd085fd128965b108cca4adb5a3a8a0ee2957d76f33edd5a864) is downloaded to memory and saved to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

2020-08 KINSING (React2Shell) Sample (T1105): The KINSING sample (SHA-256: c38c21120d8c17688f9aeb2af5bdafb6b75e1d2673b025b720e50232f888808a) is downloaded to memory and saved to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

2025-12 MINOCAT (React2Shell) Sample (T1105): The MINOCAT sample (SHA-256: 776850a1e6d6915e9bf35aa83554616129acd94e3a3f6673bd6ddaec530f4273) is downloaded to memory and saved to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

2025-12 SNOWLIGHT (React2Shell) Sample (T1105): The SNOWLIGHT sample (SHA-256: 7f05bad031d22c2bb4352bf0b6b9ee2ca064a4c0e11a317e6fedc694de37737a) is downloaded to memory and saved to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

2025-12 ANGRYREBEL.LINUX (React2Shell) Sample (T1105): The ANGRYREBEL.LINUX sample (SHA-256: 0bc65a55a84d1b2e2a320d2b011186a14f9074d6d28ff9120cb24fcc03c3f696) is downloaded to memory and saved to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

2025-12 HISONIC (React2Shell) Sample (T1105): The HISONIC sample (SHA-256: df3f20a961d29eed46636783b71589c183675510737c984a11f78932b177b540) is downloaded to memory and saved to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

3. Associated Behaviors

Consists of the techniques associated with the post-exploitation activities following the exploitation of the React2Shell (CVE-2025-55182) vulnerability:

Get Windows Version via “ver” Command (T1082): This scenario executes the ver command to retrieve information regarding the operating system version.

Obtain Username using “whoami” Command (T1033): This scenario executes the whoami command to retrieve the username of the running user account.

Obtain Hostname using “hostname” Command (T1082): This scenario executes the hostname command to retrieve information regarding the operating system’s hostname.

Account Discovery using /etc/passwd (T1087): This scenario executes the cat /etc/passwd command to enumerate available accounts on a compromised system.

Cron Job Persistence and Execution (T1053.003): This scenario employs the cron utility to schedule commands for initial or recurring execution.

Wrap-up

In summary, these scenarios will evaluate security and incident response processes and support the improvement of your security control posture against the behaviors exhibited by adversaries actively exploiting React2Shell. With data generated from continuous testing and use of these scenarios, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against known and dangerous threats.

AttackIQ, the leading provider of Adversarial Exposure Validation (AEV) solutions, is trusted by top organizations worldwide to validate security controls in real time. By emulating real-world adversary behavior, AttackIQ closes the gap between knowing about a vulnerability and understanding its actual risk. AttackIQ’s AEV platform aligns with the Continuous Threat Exposure Management (CTEM) framework, enabling a structured, risk-based approach to ongoing security assessment and improvement. The company is committed to supporting its MSSP partners with a Flexible Preactive Partner Program that provides turn-key solutions, empowering them to elevate client security. AttackIQ is passionate about giving back to the cybersecurity community through its free, award-winning AttackIQ Academy and founding research partnership with MITRE Center for Threat-Informed Defense.

Francis Guibernau

Francis conducts in-depth threat research and analysis to design and create highly sophisticated and realistic adversary emulations. He also coordinates the CTI project, which focuses on researching, analyzing, tracking, and documenting adversaries, malware families, and cybersecurity incidents. Francis has extensive experience in adversary intelligence, encompassing both Nation-State and eCrime threats, as well as in vulnerability assessment and management, having previously worked at Deloitte and BNP Paribas.
