React2Shell Deep Dive: CVE-2025-55182 Exploit Mechanics

Dec. 21, 2025, 6:51 p.m.

Description

The critical Remote Code Execution vulnerability CVE-2025-55182, dubbed 'React2Shell', affects React Server Components (RSC) and extends beyond Next.js. Attackers are exploiting it for cloud-native initial access, credential harvesting, cryptomining, and deploying sophisticated backdoors. The vulnerability stems from improper input deserialization in RSC payloads, allowing arbitrary code execution. Exploitation has been observed across various cloud platforms, targeting containerized workloads. The exploit's mechanics involve crafting a malicious payload with self-referencing gadgets to bypass security checks during deserialization. Other frameworks using RSC, such as Waku and Vite, are also vulnerable. Urgent patching and comprehensive detection measures are crucial for affected systems.

Date

  • Created: Dec. 9, 2025, 5:08 p.m.
  • Published: Dec. 9, 2025, 5:08 p.m.
  • Modified: Dec. 21, 2025, 6:51 p.m.

Indicators


Additional Information


Linked vulnerabilities