Microsoft has released comprehensive mitigations for a critical vulnerability dubbed React2Shell (CVE-2025-55182), which poses severe risks to React Server Components and Next.js environments.
With a maximum CVSS score of 10.0, this pre-authentication remote code execution flaw allows threat actors to compromise servers through a single malicious HTTP request.
Exploitation attempts were first detected on December 5, 2025, targeting both Windows and Linux systems with alarming success rates.
The vulnerability stems from how the React Server Components ecosystem processes data using the Flight protocol.
When a client requests data, the server parses the incoming payload to execute server-side logic. However, failing to validate these inputs properly allows attackers to inject malicious structures that the server accepts as valid.
This oversight leads to prototype pollution, ultimately allowing the attacker to execute arbitrary code on the underlying server.
Microsoft analysts identified the malware campaigns exploiting this flaw shortly after its emergence. They observed that the attacks typically begin with a crafted POST request sent to a vulnerable web application.
Once the backend deserializes this input, the malicious code executes in the Node.js runtime, bypassing standard security checks.
Because the default configuration trusts this input, the vulnerability is particularly dangerous: it requires no special setup or user interaction to exploit, leaving many enterprise environments exposed.
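The prototype-pollution step described above, shown as an added illustration rather than React's or Next.js's own code: a hypothetical payload decoder that copies untrusted keys into objects (and so lets a `__proto__` key reach `Object.prototype`), beside a hardened decoder that rejects prototype-affecting keys and uses null-prototype objects. The payload is a constructed sample.

```javascript
// Added illustration: a hypothetical deserializer, NOT the React Flight decoder.
// Shows how naively merging an untrusted parsed payload pollutes Object.prototype,
// and how a hardened merge avoids it.

// Vulnerable: every key of the untrusted object is assigned onto the target.
// For key "__proto__", target[key] resolves to Object.prototype, so the
// recursion writes attacker-chosen properties onto every object in the process.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: reject keys that can alter the prototype chain, only descend into
// own properties, and build nested containers with no prototype at all.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`rejected untrusted key: ${key}`);
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample payload: JSON.parse keeps "__proto__" as an own key.
function demo() {
  const payload = JSON.parse('{"name":"widget","__proto__":{"polluted":true}}');
  const before = ({}).polluted;            // undefined: prototype is clean
  unsafeMerge({}, payload);
  const after = ({}).polluted;             // true: unrelated objects now affected
  delete Object.prototype.polluted;        // undo the pollution for the rest of the run
  let rejected = false;
  try { safeMerge(Object.create(null), payload); } catch (e) { rejected = true; }
  return { before, after, rejected, clean: ({}).polluted === undefined };
}
```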
Infection Mechanism and Persistence
Once initial access is gained, threat actors swiftly move to establish persistence and expand their control over the compromised network.
The attack chain often involves deploying reverse shells that connect back to attacker-controlled Cobalt Strike servers, allowing for sustained remote access.
The attack diagram depicting activity leading to action on objectives illustrates the typical flow of these intrusions.
Attackers frequently use remote monitoring and management tools such as MeshAgent or modify system files, such as authorized_keys, to maintain access even after reboots.
To evade detection, they may employ bind mounts to conceal malicious processes from system monitoring tools.
Further analysis reveals a diverse array of payloads delivered, including remote access trojans such as VShell and EtherRAT, as well as XMRig cryptominers.
This example of a reverse shell observed in one of the campaigns highlights the command structures used during these intrusions.
Beyond immediate control, attackers actively enumerate system details and environment variables to steal cloud identity tokens for Azure, AWS, and Google Cloud Platform.
This credential theft facilitates lateral movement across cloud resources, significantly amplifying the breach’s impact on organizations that rely on these integrated services.