Skip to main content
Threat Radar animated logo
DashboardThreatsMapFeedsAPILifetime Access
reconnecting
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

Defending against the CVE-2025-55182 (React2Shell) vulnerability in React Server Components

0
Medium
MalwareCVE-2021-26855vulnerabilitycve-2025-55182remote code executionetherratvshellreact2shellsnowlightshadowpad - s0596poisonplug.shadowxmrigt1033t1539t1069t1082t1053t1562t1190t1552t1055t1218t1021t1580t1505.003t1016t1087t1059t1078t1027t1105
Published: Mon Dec 15 2025 (12/15/2025, 21:41:54 UTC)
Source: AlienVault OTX General

Description

CVE-2025-55182, also known as React2Shell, is a critical pre-authentication remote code execution vulnerability affecting React Server Components and related frameworks. With a CVSS score of 10.0, it allows attackers to execute arbitrary code on vulnerable servers through a single malicious HTTP request. Exploitation has been detected since December 5, 2025, primarily in red team assessments but also in real-world attacks delivering coin miners. The vulnerability stems from a failure to validate incoming payloads in React Server Components, enabling attackers to inject malicious structures leading to prototype pollution and remote code execution. Post-exploitation activities include running reverse shells, achieving persistence, evading security defenses, and attempting lateral movement to cloud resources.

AI-Powered Analysis

AILast updated: 12/16/2025, 09:24:27 UTC

Technical Analysis

CVE-2025-55182, dubbed React2Shell, is a critical pre-authentication remote code execution (RCE) vulnerability affecting React Server Components and related frameworks. The root cause is a failure to properly validate incoming payloads, allowing attackers to inject malicious data structures that result in prototype pollution. This prototype pollution enables attackers to manipulate the server-side JavaScript environment, ultimately leading to arbitrary code execution on the vulnerable server. The attack vector is a single crafted HTTP request, requiring no authentication or user interaction, making exploitation straightforward and scalable. Since December 5, 2025, exploitation has been observed primarily in controlled red team assessments but also in real-world attacks deploying cryptocurrency miners such as XMRig. Post-exploitation activities include establishing reverse shells, persistence mechanisms, evading security controls, and lateral movement targeting cloud infrastructure. The vulnerability has a CVSS score of 10.0, indicating maximum severity, though the provided data lists severity as medium, likely an inconsistency. No specific affected versions or patches are currently documented, complicating immediate remediation. The vulnerability's exploitation leverages numerous tactics and techniques (e.g., T1059 command execution, T1078 valid accounts, T1562 defense evasion) as indicated by the associated MITRE ATT&CK tags. This vulnerability poses a significant threat to any organization deploying React Server Components, especially those exposing these components to the internet.

Potential Impact

For European organizations, the React2Shell vulnerability represents a severe risk to confidentiality, integrity, and availability of web servers and associated cloud resources. Successful exploitation can lead to full server compromise, enabling attackers to execute arbitrary code, deploy malware such as coin miners, and establish persistent footholds. This can result in data breaches, service disruptions, financial losses due to resource abuse, and reputational damage. Organizations relying heavily on React Server Components for their web applications, particularly in sectors like finance, healthcare, and government, face heightened risks. The ability to move laterally into cloud environments exacerbates the threat, potentially compromising sensitive data and critical infrastructure. Given the ease of exploitation without authentication, the attack surface is broad, increasing the likelihood of widespread impact across European enterprises. Additionally, the use of this vulnerability in real-world attacks indicates active exploitation, underscoring the urgency for European defenders to prioritize mitigation.

Mitigation Recommendations

1. Implement strict input validation and sanitization on all React Server Component endpoints to prevent malicious payloads from triggering prototype pollution. 2. Apply network segmentation to isolate React Server Component services from critical backend systems and cloud resources, limiting lateral movement opportunities. 3. Deploy runtime application self-protection (RASP) and web application firewalls (WAF) with updated rules to detect and block suspicious payloads targeting this vulnerability. 4. Monitor network and host logs for indicators of compromise such as unusual HTTP requests, reverse shell activity, and presence of coin miner processes like XMRig. 5. Enforce the principle of least privilege on service accounts and cloud credentials to minimize impact if compromise occurs. 6. Regularly update and patch React Server Components and related frameworks as vendors release fixes. 7. Conduct threat hunting exercises focusing on TTPs associated with this vulnerability (e.g., prototype pollution, remote code execution, defense evasion). 8. Educate development and security teams about secure coding practices to avoid similar vulnerabilities in future React components. 9. Establish incident response plans tailored to web server compromises involving RCE and lateral movement to cloud environments. 10. Collaborate with cloud providers to monitor and restrict suspicious activities within cloud infrastructure.

Affected Countries

GermanyGermany
FranceFrance
United KingdomUnited Kingdom
NetherlandsNetherlands
SwedenSweden
FinlandFinland
DenmarkDenmark
IrelandIreland
Need more detailed analysis?Upgrade to Pro Console

Technical Details

Author
AlienVault
Tlp
white
References
["https://www.microsoft.com/en-us/security/blog/2025/12/15/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components"]
Adversary
null
Pulse Id
694080a2ef82d51f2b376868
Threat Score
null

Indicators of Compromise

Cve

ValueDescriptionCopy
cveCVE-2021-26855
cveCVE-2021-26857
cveCVE-2021-26858
cveCVE-2021-27065
cveCVE-2025-55182
cveCVE-2025-66478

Hash

ValueDescriptionCopy
hash08ceabdf598ab32c64d6d116321acffe
hash1ec6e297b91ea0df9beaba68c244aa9e
hash215e2a506768efe006e5d0871d3d3e1d
hash23decc99dfefb103db790227247563bd
hash55d5c30e245c8c5125b58a3874b0ad8e
hash5dc9adec552665516b8e3ad478d5b162
hash622f904bb82c8118da2966a957526a2b
hash7eff269600d58f72b4e823c054c7a4fa
hash83f9a3b82b523a6ac7ff563cda668784
hashbe57570e68bc503887a5d8c16aeae6e7
hashbef192d23b72aaf9698967dacaf35c07
hashcd70aae059394a6990b81ec42a9d0079
hashce084a61846a9b4618bfd4ceed2e1361
hashec20124398e61ed22cad1b3409134a9d
hash0038b79f25d8be268857f16e681cc4c064012c4d
hash09e42ebca5a59b128246a08827c040220ae1c2cb
hash25ff6b77ff24d2267ceced55b707f6b3b2cb1c95
hash37a5358f85584d5c773e8a2ee1552219f1a2670d
hash4de90454b2c8ed4058d04d4e6991744f713809ac
hash73bad19d9691d4be546d30d0312ef2a2ddb908c8
hash7b88cb40b60323984a5e8fb976c2a443cc26b244
hash86c82af9ff33fb2aa29a1d02aac55fdf583375bb
hash94992eaa2a98b040200f4fb899e03c26e6a355dd
hashc17653c46416952dd6609768f5b9ed4623d0da81
hashd9de239e81e85cc0ccd4c2d53c94f509d673d6b0
hashe60cb26e0c779f4a343a239b44178d6e78a2176d
hashe89e25205875ef412698cf083c0e2b3cafead1e5
hasheb596630399a04f7c7cddd044112fb9d31faecae
hash0aad73947fb1876923709213333099b8c728dde9f5d86acfd0f3702a963bae6a
hash240afa3a6457f1ee866f6f03ff815009ff8fd7b70b902bc59b037ac54b6cae9b
hash244bf271d2e55cd737980322de37c2c2792154b4cf4e4893e9908c2819026e5f
hash2ebed29e70f57da0c4f36a9401a7bbd36e6ddd257e0920aa4083240afa3a6457
hash317e10c4068b661d3721adaa35a30728739defddbc72b841c3d06aca0abd4d5e
hash4cbdd019cfa474f20f4274310a1477e03e34af7c62d15096fe0df0d3d5668a4d
hash59630d8f3b4db5acbcaccc0cfa54500f2bbb0745d4b5c50d903636f120fc8700
hash661d3721adaa35a30728739defddbc72b841c3d06aca0abd4d5e0aad73947fb1
hash68de36f14a7c9e9514533a347d7c6bc830369c7528e07af5c93e0bf7c1cd86df
hash69f2789a539fc2867570f3bbb71102373a94c7153239599478af84b9c81f2a03
hash717c849a1331b63860cefa128a4aa5d476f300ac45fd5d3c56b2746f7e72a0d2
hash7909046e5e0fd60461b721c0ef7cfe5899f76672e4970d629bb51bb904a05398
hash7e0a0c48ee0f65c72a252335f6dcd435dbd448fc0414b295f635372e1c5a9171
hash7e90c174829bd4e01e86779d596710ad161dbc0e02a219d6227f244bf271d2e5
hash82335954bec84cbdd019cfa474f20f4274310a1477e03e34af7c62d15096fe0d
hash876923709213333099b8c728dde9f5d86acfd0f3702a963bae6a9dde35ba8e13
hash8e07beb854f77e90c174829bd4e01e86779d596710ad161dbc0e02a219d6227f
hash9dde35ba8e132ebed29e70f57da0c4f36a9401a7bbd36e6ddd257e0920aa4083
hash9e9514533a347d7c6bc830369c7528e07af5c93e0bf7c1cd86df717c849a1331
hashb33d468641a0d3c897e571426804c65daae3ed939eab4126c3aa3fa8531de5e8
hashb568582240509227ff7e79b6dc73c933dcc3fae674e9244441066928b1ea0560
hashb5acbcaccc0cfa54500f2bbb0745d4b5c50d903636f120fc870082335954bec8
hashb63860cefa128a4aa5d476f300ac45fd5d3c56b2746f7e72a0d27909046e5e0f
hashc2867570f3bbb71102373a94c7153239599478af84b9c81f2a0368de36f14a7c
hashc6c7e7dd85c0578dd7cb24b012a665a9d5210cce8ff735635a45605c3af1f6ad
hashd3c897e571426804c65daae3ed939eab4126c3aa3fa8531de5e8f0b66629fe8a
hashd60461b721c0ef7cfe5899f76672e4970d629bb51bb904a053987e0a0c48ee0f
hashd71779df5e4126c389e7702f975049bd17cb597ebcf03c6b110b59630d8f3b4d
hashf0b66629fe8ad71779df5e4126c389e7702f975049bd17cb597ebcf03c6b110b
hashf0d3d5668a4df347eb0a59df167acddb245f022a518a6d15e37614af0bbc2adf
hashf1ee866f6f03ff815009ff8fd7b70b902bc59b037ac54b6cae9b8e07beb854f7
hashf347eb0a59df167acddb245f022a518a6d15e37614af0bbc2adf317e10c4068b

Ip

ValueDescriptionCopy
ip194.69.203.32
ip46.36.37.85
ip92.246.87.48

Url

ValueDescriptionCopy
urlhttp://194.69.203.32:81/hiddenbink/colonna.arc
urlhttp://194.69.203.32:81/hiddenbink/colonna.i686
urlhttp://194.69.203.32:81/hiddenbink/react.sh
urlhttp://196.251.100.191/no_killer/Exodus.arm4
urlhttp://196.251.100.191/no_killer/Exodus.x86
urlhttp://196.251.100.191/no_killer/Exodus.x86_64
urlhttp://anywherehost.site/xms/k1.sh
urlhttp://anywherehost.site/xms/kill2.sh
urlhttp://donaldjtrmp.anondns.net:1488/labubu
urlhttp://krebsec.anondns.net:2316/dong
urlhttp://labubu.anondns.net:1488/dong
urlhttp://superminecraft.net.br:3000/sex.sh
urlhttp://xpertclient.net:3000/sex.sh
urlhttps://ghostbin.axel.org/paste/evwgo/raw
urlhttps://overcome-pmc-conferencing-books.trycloudflare.com/p.png

Domain

ValueDescriptionCopy
domainanywherehost.site
domainsuperminecraft.net.br
domainxpertclient.net
domaindonaldjtrmp.anondns.net
domainghostbin.axel.org
domainkrebsec.anondns.net
domainlabubu.anondns.net
domainovercome-pmc-conferencing-books.trycloudflare.com
domainvps-zap812595-1.zap-srv.com

Threat ID: 694121d1594e45819d7c8716

Added to database: 12/16/2025, 9:09:37 AM

Last enriched: 12/16/2025, 9:24:27 AM

Last updated: 2/7/2026, 7:53:38 AM

Views: 132

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Related Threats

ThreatFox IOCs for 2026-02-06

Medium
MalwareSat Feb 07 2026

ThreatFox IOCs for 2026-02-05

Medium
MalwareFri Feb 06 2026

Technical Analysis of Marco Stealer

Medium
MalwareThu Feb 05 2026

New Clickfix variant 'CrashFix' deploying Python Remote Access Trojan

Medium
MalwareThu Feb 05 2026

Knife Cutting the Edge: Disclosing a China-nexus gateway-monitoring AitM framework

Medium
MalwareThu Feb 05 2026

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats