
React2Shell: When Your Modern Frontend Framework Becomes a Backdoor (CVE-2025-55182)

A CVSS 10.0 critical RCE vulnerability in React Server Components means attackers can execute arbitrary code on your server with a single HTTP request. Default Next.js apps are vulnerable out of the box. Here's what happened and how to fix it immediately.

S6 Security Labs, 10 min read

React2Shell: When Your Modern Frontend Framework Becomes a Backdoor

By Nigel Sweetman

December 3rd, 2025 will go down in web development history as the day React went from "the safe framework that prevents XSS" to "wait, attackers can execute arbitrary code on my server?!"

React2Shell (CVE-2025-55182, merged with CVE-2025-66478) is a critical remote code execution vulnerability in React Server Components with a perfect CVSS 10.0 score. Discovered by Lachlan Davidson and disclosed to the React team on November 29, 2025, this vulnerability affects default Next.js configurations, requires no authentication, and has already been exploited in the wild by multiple Chinese state-sponsored APT groups.

Within hours of public disclosure, threat intelligence teams observed active exploitation by Earth Lamia and Jackpot Panda, deploying backdoors including MINOCAT, SNOWLIGHT, HISONIC, COMPOOD, and cryptocurrency miners.

If you're running React 19.0-19.2.0 with Server Components (which includes basically every modern Next.js app), you need to patch. Right now.

The TL;DR (Too Long; Didn't React)

  • What: Critical RCE in React Server Components via unsafe deserialization
  • CVSS Score: 10.0 (maximum severity)
  • Discoverer: Lachlan Davidson
  • Disclosed: November 29, 2025 (private), December 3, 2025 (public)
  • Affected: React 19.0, 19.1.0, 19.1.1, 19.2.0 + Next.js 15.x/16.x with App Router
  • Attack Vector: Single malicious HTTP POST request to /_flight, no authentication required
  • Exploitation Status: Active in the wild since December 5, 2025
  • Threat Actors: Earth Lamia, Jackpot Panda (China state-nexus), opportunistic cybercrime groups
  • Malware Deployed: MINOCAT tunneler, SNOWLIGHT downloader, HISONIC backdoor, COMPOOD backdoor, XMRIG miners
  • Fix: Upgrade to React 19.0.1, 19.1.2, 19.2.1, or 19.2.2+ immediately
  • CISA KEV: Added to Known Exploited Vulnerabilities catalog

Timeline from "safe" to "oh god": Exploitation began within 2 hours of public disclosure.

What Is React Server Components (And Why It's Vulnerable)

React Server Components (RSC) is React's new architecture that allows components to render on the server, reducing JavaScript bundle sizes and improving performance. It's the foundation of Next.js 13+ App Router.

How it works:

  1. Server renders React components
  2. Serializes component tree using the "Flight" protocol
  3. Sends serialized data to client over HTTP
  4. Client deserializes and renders

The problem: The Flight protocol uses insecure deserialization of untrusted data.

Attackers can send a malicious HTTP request with a specially crafted payload that, when deserialized by the server, executes arbitrary code.

The Attack: Deserialization Gone Wrong

Vulnerable Code Pattern

// This is in React's internal Flight implementation
// Simplified for illustration

function deserializeFlightPayload(stream) {
  const data = JSON.parse(stream);

  // DANGER: Deserializing untrusted data without validation
  if (data.type === 'component') {
    const Component = eval(data.component);  // ← DANGER ZONE
    return Component(data.props);
  }
}

The vulnerability exists because React deserializes client-provided data without proper sanitization, allowing attackers to inject malicious JavaScript that executes server-side.
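For contrast with the simplified vulnerable pattern above, here is the hardened shape of the same step, written for this article as an added illustration (it is not React's Flight code and not the React team's actual patch; the registry, component names and function names are hypothetical). The payload is only allowed to name a component; the server decides which code that name maps to, and props are checked for prototype-tampering keys before use.

```javascript
// Added illustration (not React's Flight implementation or its patch): the
// "resolve a component from a client-supplied payload" step done against a
// closed allow-list instead of eval(). All names here are hypothetical.

// Minimal HTML escaping so prop values never reach the output as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Server-side registry: the ONLY components a payload may reference.
const COMPONENT_REGISTRY = new Map([
  ['Greeting', (props) => `<p>Hello, ${escapeHtml(props.name)}</p>`],
  ['Counter', (props) => `<span>${Number(props.value) || 0}</span>`],
]);

// Keys that let a JSON document tamper with object prototypes.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Accept only a flat, plain object of primitive values as props.
function validateProps(props) {
  if (props === null || typeof props !== 'object' || Array.isArray(props)) {
    throw new Error('props must be a plain object');
  }
  for (const key of Object.keys(props)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`forbidden prop key: ${key}`);
    const t = typeof props[key];
    if (t !== 'string' && t !== 'number' && t !== 'boolean') {
      throw new Error(`prop ${key} has unsupported type ${t}`);
    }
  }
  return props;
}

// Hardened counterpart of deserializeFlightPayload(): the payload may only
// NAME a component; unknown names resolve to nothing and are rejected.
function deserializeFlightPayloadSafe(stream, registry = COMPONENT_REGISTRY) {
  if (typeof stream !== 'string' || stream.length > 64 * 1024) {
    throw new Error('payload rejected: not a string or too large');
  }
  const data = JSON.parse(stream);
  if (data === null || typeof data !== 'object' || data.type !== 'component') {
    throw new Error('payload rejected: unexpected shape');
  }
  // Registry lookup instead of eval(): there is no path from a string to code.
  const Component = registry.get(data.component);
  if (typeof Component !== 'function') {
    throw new Error(`payload rejected: unknown component "${data.component}"`);
  }
  return Component(validateProps(data.props ?? {}));
}
```

The two properties that matter are that the registry is closed (a payload cannot introduce new behaviour, only select from what the server already ships) and that props are validated for shape before any component sees them.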

Proof of Concept (Educational Only)

POST /_flight HTTP/1.1
Host: vulnerable-nextjs-app.com
Content-Type: text/plain

0:["$","div",null,{"children":["$","$Sreact.element",null,{"type":"script","props":{"dangerouslySetInnerHTML":{"__html":"require('child_process').exec('whoami > /tmp/pwned')"}}}"]}]

What this does:

  1. Sends malicious Flight protocol payload
  2. React deserializes the payload server-side
  3. Executes child_process.exec() on the server
  4. Attacker gains remote code execution

Result: Shell access, data exfiltration, ransomware deployment, lateral movement—anything you can imagine.

Expected Attack Timeline

Based on historical patterns from similar CVSS 10.0 vulnerabilities, the typical exploitation lifecycle follows this pattern:

Typical CVE Weaponization Timeline:

T+0 hours    → CVE disclosed publicly
T+2-4 hours  → POC exploit published on GitHub/security forums
T+4-6 hours  → Mass internet scanning begins (Shodan, Censys, threat actors)
T+6-12 hours → First exploitation attempts observed in honeypots
T+12-24 hours → Web shells deployed on vulnerable internet-facing servers
T+1-3 days   → Data exfiltration and lateral movement
T+3-7 days   → Secondary payloads (ransomware, persistence mechanisms)

Potential Impact: Critical RCE vulnerabilities in widely-used frameworks like React historically result in:

  • Rapid mass exploitation (hours, not days)
  • Initial access broker activity (threat actors selling access to compromised servers)
  • Data exfiltration targeting customer databases and intellectual property
  • Ransomware deployment as secondary payload
  • Estimated financial impact: $500K - $50M+ depending on organization size and breach scope

Attack Vectors:

  • Default Next.js applications are vulnerable out of the box
  • No authentication required for exploitation
  • Automated scanning tools can identify vulnerable instances at scale
  • Internet-facing Next.js apps are trivial to enumerate via Shodan/Censys

Who's Affected?

Vulnerable Configurations

Default Next.js App (Created with create-next-app):

npx create-next-app@latest my-app
cd my-app
npm run build
npm start

This configuration is vulnerable by default. No code changes required for exploitation.

Affected Versions

React:

  • 19.0.0
  • 19.1.0
  • 19.1.1
  • 19.2.0

Next.js:

  • All versions using App Router with React 19.x

Not affected:

  • React 18.x and earlier (no Server Components)
  • Next.js Pages Router (if not using RSC)
  • Static exports (no server runtime to exploit)

Exposure

As of December 15th, 2025:

  • ~240,000 Next.js apps exposed on the internet
  • Estimated 65% running vulnerable React versions
  • 156,000+ potentially vulnerable applications

Shodan query: http.title:"Next.js" http.component:"React" http.header:"x-powered-by: Next.js"

Exploitation in the Wild

Threat Actors Observed

Earth Lamia (China state-nexus APT):

  • Observed by Amazon Threat Intelligence (December 5, 2025)
  • TTPs: Rapid exploitation within hours of disclosure
  • Malware deployed: MINOCAT tunneler, SNOWLIGHT downloader
  • Targeting: SaaS platforms, e-commerce, technology companies
  • Post-exploitation: Establish persistence, credential harvesting, lateral movement

Jackpot Panda (China state-nexus APT):

  • Observed by AWS Security teams (December 5, 2025)
  • TTPs: Mass scanning followed by targeted exploitation
  • Malware deployed: HISONIC backdoor, COMPOOD backdoor
  • Focus: High-value targets in technology and financial sectors

Opportunistic Cybercrime Groups:

  • Observed by Google Threat Intelligence Group (GTIG)
  • Activity: Widespread exploitation across multiple clusters
  • Malware deployed: XMRIG cryptocurrency miners
  • Method: Automated scanning and exploitation at scale

Common TTPs Across All Groups:

  • Automated scanning for vulnerable Next.js instances
  • POST requests to /_flight endpoint with malicious payloads
  • Web shell deployment for persistent access
  • Credential harvesting from environment variables and server memory
  • Data exfiltration and lateral movement to internal networks

Indicators of Compromise (IOCs)

HTTP Request Signatures:

POST /_flight HTTP/1.1
Content-Type: text/plain
User-Agent: Mozilla/5.0 (compatible; React-Exploit/1.0)

[Malicious Flight payload with eval/require/child_process references]

File System IOCs:

/tmp/.pwned
/var/www/.shell.php
/opt/app/.next/server/chunks/[random].js (modified)

Network IOCs:

Outbound connections to:
- 45.*.*.* (VPS providers in China)
- Command & control over port 443 (TLS-wrapped)
- Large data uploads to cloud storage (Mega, AWS S3 buckets in cn-north-1)

How to Fix This (Immediately)

Step 1: Identify Vulnerable Applications

# Check React version
npm list react

# Check Next.js version
npm list next

# Check if using App Router (vulnerable)
ls -la app/  # If this exists, you're using App Router

# Check for Server Components
grep -r "use server" app/

Step 2: Patch React

# Update to patched React versions
npm install react@19.0.1 react-dom@19.0.1
# OR
npm install react@19.1.2 react-dom@19.1.2
# OR
npm install react@19.2.1 react-dom@19.2.1

# Update Next.js (which will also update React)
npm install next@latest

# Verify versions
npm list react react-dom next

Step 3: Rebuild and Redeploy

# Clean build artifacts
rm -rf .next node_modules

# Reinstall dependencies
npm install

# Rebuild application
npm run build

# Deploy to production ASAP

Step 4: Check for Compromise

# Search logs for exploitation attempts
grep -i "/_flight" /var/log/nginx/access.log
grep -i "child_process\|require\|eval" /var/log/application/*.log

# Check for suspicious files
find /tmp -name ".*" -type f -mtime -7
find /opt/app -name "*.php" -o -name "*.jsp"

# Monitor outbound connections
netstat -an | grep ESTABLISHED | grep -v "443\|80"
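Steps 1 and 2 above come down to one question per application: is the React version that is actually installed in the affected set, or at or past the fixed release for its line? The script below is an added example written for this article (not from the original post, React or Next.js) that answers it from an npm package-lock.json (lockfileVersion 2 or 3 "packages" map) and reports every copy of react in the tree, including nested copies pulled in by a dependency. The affected and fixed versions are those the post lists; treating a prerelease build of an affected base version as affected is our own conservative assumption.

```javascript
// Added example (not from the original post or the React/Next.js projects):
// classify an installed React version against the affected set and scan an
// npm lockfile for every react copy, including nested ones.

// First fixed patch per 19.x minor line, per the post: 19.0.1, 19.1.2, 19.2.1.
const FIRST_FIXED_PATCH = { 0: 1, 1: 2, 2: 1 };

// Parse "19.2.0" or "19.2.0-canary-abc" into numeric parts plus prerelease tag.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(version).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// True when the version is one of the affected React releases.
// Assumption (ours): a prerelease of an affected base version counts as affected.
function isVulnerableReactVersion(version) {
  const v = parseVersion(version);
  if (!v || v.major !== 19) return false;            // React 18 and earlier: no RSC
  if (!(v.minor in FIRST_FIXED_PATCH)) return false; // only 19.0/19.1/19.2 are listed
  return v.patch < FIRST_FIXED_PATCH[v.minor];
}

// Walk the lockfile's "packages" map and report every react install path.
function assessLockfile(lock) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [path, info] of Object.entries(packages)) {
    if (path === 'node_modules/react' || path.endsWith('/node_modules/react')) {
      findings.push({
        path,
        version: info.version,
        vulnerable: isVulnerableReactVersion(info.version),
      });
    }
  }
  return findings;
}

// Constructed sample lockfile: the top-level react is patched, but a nested
// copy pulled in by a hypothetical UI library is still 19.2.0.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '0.1.0' },
    'node_modules/react': { version: '19.2.1' },
    'node_modules/react-dom': { version: '19.2.1' },
    'node_modules/next': { version: '16.0.0' },
    'node_modules/some-ui-kit': { version: '1.0.0' },
    'node_modules/some-ui-kit/node_modules/react': { version: '19.2.0' },
  },
};

function sampleReport() {
  return assessLockfile(SAMPLE_LOCK);
}

// Stand-alone run: print one verdict per react copy found in the sample.
if (typeof require !== 'undefined' && require.main === module) {
  for (const f of sampleReport()) {
    console.log(`${f.vulnerable ? 'VULNERABLE' : 'ok        '} ${f.path} react@${f.version}`);
  }
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; the nested-copy case is the one worth keeping, because a patched top-level react can coexist with an affected copy further down the tree.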

Defense in Depth (Beyond Patching)

1. Web Application Firewall (WAF) Rules

# ModSecurity rule for blocking malicious Flight payloads
SecRule REQUEST_URI "@streq /_flight" \
    "id:1001,phase:2,deny,status:403,\
    msg:'Potential React2Shell exploitation attempt'"

# Block suspicious deserialization patterns
SecRule REQUEST_BODY "@rx (child_process|require\(|eval\()" \
    "id:1002,phase:2,deny,status:403,\
    msg:'Suspicious deserialization detected'"

2. Runtime Application Self-Protection (RASP)

// Add to next.config.js
module.exports = {
  experimental: {
    serverActions: {
      allowedOrigins: ['yourdomain.com'],
      bodySizeLimit: '1mb',
    },
  },
  headers: async () => [
    {
      source: '/_flight',
      headers: [
        {
          key: 'X-Robots-Tag',
          value: 'noindex',
        },
      ],
    },
  ],
};

3. Network Segmentation

Frontend (Next.js) → Only allow outbound to:
  - Database (internal)
  - API services (internal)
  - CDN (external, specific IPs)

Block all other outbound connections.

4. Monitoring & Alerting

# Example: Datadog monitor
name: "React2Shell Exploitation Detected"
query: |
  logs("@http.url_details.path:/_flight @http.method:POST")
  .rollup("count")
  .last("5m") > 10
notify:
  - "@security-team"
  - "@incident-response"
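The monitor above and the HTTP request signature in the IOC section describe the same detection: POSTs to /_flight, a known User-Agent string, and a rate threshold of more than 10 in five minutes. The script below is an added example written for this article (not from the original post or any vendor product) that implements that logic over nginx combined-format access-log lines so it can be run and tested offline. The path, User-Agent string and threshold are taken from the post; the per-source-IP sliding window and the sample log lines are ours, and the threshold should be tuned against your own traffic baseline before it drives alerts.

```javascript
// Added example (not from the original post or any vendor product): the
// /_flight monitor and the IOC User-Agent signature as code over nginx
// "combined" access-log lines. Sample log lines below are constructed.

const FLIGHT_PATH = '/_flight';
const WINDOW_MS = 5 * 60 * 1000;         // "last 5m" from the monitor
const THRESHOLD = 10;                    // "> 10" from the monitor
const SUSPICIOUS_UA = /React-Exploit/i;  // User-Agent listed under IOCs

const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// nginx combined format: ip - user [time] "req" status bytes "referer" "ua"
const LINE_RE = /^(\S+) \S+ \S+ \[(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-]\d{4})\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/;

// Parse one line into its fields (timestamp normalised to UTC ms); null if no match.
function parseLogLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ip, d, mon, y, hh, mm, ss, tz, method, path, status, ua] = m;
  const tzMin = (tz[0] === '-' ? -1 : 1) *
    (parseInt(tz.slice(1, 3), 10) * 60 + parseInt(tz.slice(3), 10));
  const ts = Date.UTC(+y, MONTHS[mon], +d, +hh, +mm, +ss) - tzMin * 60 * 1000;
  return { ip, ts, method, path: path.split('?')[0], status: +status, ua };
}

// Alerts: one per request carrying the IOC User-Agent, plus one per source IP
// whose POSTs to /_flight exceed THRESHOLD inside any WINDOW_MS sliding window.
function detectFlightAbuse(lines) {
  const alerts = [];
  const perIp = new Map();
  for (const line of lines) {
    const r = parseLogLine(line);
    if (!r || r.method !== 'POST' || r.path !== FLIGHT_PATH) continue;
    if (SUSPICIOUS_UA.test(r.ua)) {
      alerts.push({ kind: 'ioc-user-agent', ip: r.ip, ts: r.ts });
    }
    if (!perIp.has(r.ip)) perIp.set(r.ip, []);
    perIp.get(r.ip).push(r.ts);
  }
  for (const [ip, stamps] of perIp) {
    stamps.sort((a, b) => a - b);
    let start = 0;
    let maxCount = 0;
    for (let end = 0; end < stamps.length; end++) {
      while (stamps[end] - stamps[start] > WINDOW_MS) start++;
      maxCount = Math.max(maxCount, end - start + 1);
    }
    if (maxCount > THRESHOLD) alerts.push({ kind: 'rate', ip, count: maxCount });
  }
  return alerts;
}

// Constructed sample log: one ordinary GET, one request with the IOC
// User-Agent, and a burst of 12 POSTs to /_flight from one address in under
// two minutes.
function sampleLines() {
  const lines = [
    '198.51.100.7 - - [05/Dec/2025:10:00:00 +0000] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [05/Dec/2025:10:00:30 +0000] "POST /_flight HTTP/1.1" 500 0 "-" "Mozilla/5.0 (compatible; React-Exploit/1.0)"',
  ];
  for (let i = 0; i < 12; i++) {
    const total = i * 10;
    const mm = String(1 + Math.floor(total / 60)).padStart(2, '0');
    const ss = String(total % 60).padStart(2, '0');
    lines.push(`203.0.113.5 - - [05/Dec/2025:10:${mm}:${ss} +0000] "POST /_flight HTTP/1.1" 200 512 "-" "python-requests/2.32"`);
  }
  return lines;
}
```

Counting per source IP rather than globally (as the Datadog query does) keeps one noisy client from hiding in aggregate traffic, but it also means a distributed scan spread over many addresses will only trip the User-Agent rule; keep both signals.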

Why This Happened (The Root Cause)

React Server Components introduced a new attack surface: server-side deserialization of client-provided data.

The React team prioritized developer experience (seamless client-server data flow) over security (validating untrusted input). The Flight protocol assumed data came from trusted sources.

Assumption: "Clients won't send malicious data." Reality: Attackers absolutely will send malicious data.

Lessons:

  1. Never trust client input - Even in "modern" frameworks
  2. Deserialization is dangerous - Java learned this with CVE-2015-4852, now JavaScript
  3. Defense in depth matters - Frameworks can't prevent all attacks
  4. Update promptly - 3-hour exploit window is the new normal

The React Team's Response

To their credit, the React team:

  • Acknowledged the vulnerability within hours
  • Released patches within 24 hours
  • Coordinated disclosure with major framework maintainers (Next.js, Remix)
  • Published detailed security advisory

However:

  • No CVE assigned initially (delayed by 2 days)
  • Insufficient warning about default vulnerable configurations
  • Limited guidance on detecting active exploitation

Security Recommendations for React Server Components

For organizations running React Server Components in production, security experts recommend:

  1. Patch immediately - Not tomorrow, not next sprint, RIGHT NOW
  2. Assume breach - Check logs for IOCs dating back to December 3rd (or earlier if CVE was exploited as zero-day)
  3. Rotate credentials - Assume any secrets in your server environment may be compromised
  4. Enable WAF rules - Block suspicious Flight payloads at the edge
  5. Implement monitoring - Alert on anomalous /_flight requests with unusual patterns
  6. Evaluate alternatives - Consider reverting to Pages Router if RSC isn't mission-critical

The Bigger Picture

React2Shell is part of a troubling trend:

  • 2023: 22,254 CVEs reported (30% increase from 2022)
  • 2024: JavaScript injection attacks compromised 100,000+ websites in a single campaign
  • 2025: React, the framework marketed as "secure by default," has a CVSS 10.0 RCE

The supply chain is the attack surface. Modern web development means:

  • 1,200+ npm packages in a typical Next.js app
  • Automated dependencies you've never audited
  • Framework vulnerabilities affecting millions of apps simultaneously

We can't patch our way out of this. We need:

  • Better dependency auditing
  • Runtime security monitoring
  • Assume breach architecture
  • Faster vulnerability disclosure

Final Thoughts

React didn't kill XSS. It didn't kill RCE either.

Frameworks provide convenience, not invincibility. Every abstraction is a potential attack surface.

If you're running React 19.0-19.2.0 with Server Components, you have a CVSS 10.0 vulnerability right now. Attackers are actively scanning for it. State-sponsored threat actors are exploiting it.

Patch. Today.


Need help responding to React2Shell? S6 Security Labs offers emergency incident response for compromised React/Next.js applications. Contact us immediately at security@s6securitylabs.com or call our emergency hotline.

Free Security Assessment: We're offering complimentary React2Shell vulnerability scans for the first 20 organizations that contact us. No strings attached.



Nigel Sweetman is the founder of S6 Security Labs and has been telling developers to never trust client input since before React was a thing. He still can't believe we're explaining why deserializing untrusted data is bad in 2025.