Defending against the CVE-2025-55182 (React2Shell) vulnerability in React Server Components

Dec. 21, 2025, 7:05 p.m.

Description

CVE-2025-55182, also known as React2Shell, is a critical pre-authentication remote code execution vulnerability affecting React Server Components and related frameworks. With a CVSS score of 10.0, it allows attackers to execute arbitrary code on vulnerable servers through a single malicious HTTP request. Exploitation has been detected since December 5, 2025, primarily in red team assessments but also in real-world attacks delivering coin miners. The vulnerability stems from a failure to validate incoming payloads in React Server Components, enabling attackers to inject malicious structures leading to prototype pollution and remote code execution. Post-exploitation activities include running reverse shells, achieving persistence, evading security defenses, and attempting lateral movement to cloud resources.

Date

  • Created: Dec. 15, 2025, 9:41 p.m.
  • Published: Dec. 15, 2025, 9:41 p.m.
  • Modified: Dec. 21, 2025, 7:05 p.m.

Indicators


Attack Patterns

Additional Information


Linked vulnerabilities