Microsoft Outlines Mitigation for React2Shell RCE Vulnerability in React Server Components

Microsoft has released comprehensive guidance on CVE-2025-55182, a critical pre-authentication remote code execution (RCE) vulnerability affecting React Server Components and the Next.js framework.

Assigned a maximum CVSS score of 10.0, this vulnerability enables attackers to execute arbitrary code on vulnerable servers through a single malicious HTTP request, representing an unprecedented risk to modern React-based web applications.

CVE-2025-55182, also identified as React2Shell and merged with CVE-2025-66478, targets the Flight protocol used by React Server Components to communicate between client and server.

The vulnerability stems from inadequate payload validation in affected React Server Components versions, allowing attackers to inject malicious structures that trigger prototype pollution and subsequent remote code execution.

Microsoft Defender researchers detected active exploitation beginning December 5, 2025, with both red team assessments and real-world threat actors leveraging the vulnerability.

Attackers have successfully compromised hundreds of machines across diverse organizations, with most post-exploitation payloads delivering cryptocurrency miners to both Windows and Linux environments.

The vulnerability proves particularly dangerous because it is exploitable by default (no special configuration or developer error is required), combined with publicly available proof-of-concept exploits that demonstrate near-100% reliability.

Post-Exploitation Tactics

Microsoft Defender telemetry indicates that attackers exploit the vulnerability by sending crafted POST requests containing malicious serialized objects to applications running React Server Components.

Attack diagram depicting activity leading to action on objectives.

Upon deserialization by the backend server, the attacker-provided input executes under the Node.js runtime due to default component trust mechanisms.

Post-exploitation activity includes establishing reverse shell connections to Cobalt Strike servers and deploying diverse malware payloads including VShell and EtherRAT remote access trojans, the SNOWLIGHT memory-based malware downloader, ShadowPAD, and XMRig cryptominers.

Attackers employ sophisticated evasion techniques, downloading payloads from attacker-controlled Cloudflare Tunnel endpoints and utilizing bind mounts to hide malicious processes from system monitoring tools.

Credential theft operations target cloud Instance Metadata Service (IMDS) endpoints on Azure, AWS, Google Cloud Platform (GCP), and Tencent Cloud to acquire identity tokens enabling lateral movement.

Example of reverse shell observed in one of the campaigns.

Organizations have observed attempted harvesting of AI and cloud-native credentials, including OpenAI API keys, Databricks tokens, and Kubernetes service-account credentials.

Mitigations

Microsoft recommends immediate action across multiple fronts. Organizations should first identify the affected packages (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack, and next) within their node_modules directories and validate their versions against the documented affected ranges.

React versions 19.0.0 through 19.2.0 and Next.js versions 14.3.0-canary.77 through 16.0.6 are susceptible and require remediation.

Prioritizing internet-facing services for immediate patching is critical. Affected organizations should upgrade to patched versions including React 19.0.1, 19.1.2, or 19.2.1, and Next.js 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7.

Microsoft Defender Vulnerability Management (MDVM) helps surface vulnerable package inventory and track remediation progress across organizational infrastructure.

Microsoft Defender for Cloud customers can use security explorer templates to locate exposed containers running vulnerable container images and vulnerable virtual machines. 

Microsoft Defender for Cloud security explorer templates related to CVE-2025-55182.

As a compensating control during patching windows, Azure Web Application Firewall (WAF) custom rules can block exploit patterns.

Microsoft has published detailed rule guidance and JSON examples in the Azure Network Security Blog with ongoing updates as new attack variations emerge.

Organizations should enable Microsoft Defender alerts for React Server Components exploitation attempts and correlate endpoint, container, and cloud signals for confident threat triage.

Microsoft Defender XDR customers benefit from expanded detection frameworks identifying CVE-2025-55182 activity across all operating systems, integrated with automatic attack disruption capabilities.

Microsoft Defender for Cloud provides agentless scanning support for vulnerable containers and cloud virtual machines.

Security teams can leverage Microsoft Security Exposure Management’s automated attack path analysis to identify exposed resources and map potential compromise routes within their environments across Azure, AWS, and GCP platforms.
