CVE-2025-55182 React2Shell: 766 Next.js Hosts Breached in 24 Hours
If you run Next.js in production, stop what you are doing and check your version. CVE-2025-55182, nicknamed React2Shell, is a CVSS 10.0 remote code execution vulnerability in React Server Components. A single unauthenticated HTTP POST request gives an attacker a shell on your server. No special configuration needed. A default create-next-app project built for production is exploitable out of the box.
A threat group tracked as UAT-10608 automated the whole thing and breached 766 Next.js hosts within 24 hours. They stole database credentials from 91.5% of those hosts and SSH keys from 78.2%. This is not theoretical. It happened.
Here is what you need to know and what to do about it.
TLDR
| Detail | Info |
|---|---|
| CVE | CVE-2025-55182 |
| Nickname | React2Shell |
| CVSS Score | 10.0 (Critical) |
| Vulnerability | Unsafe deserialization in React Server Components |
| Attack Vector | Single unauthenticated HTTP POST request |
| Affected | Next.js 13.3+ through 16.x with App Router |
| Hosts Breached | 766 in 24 hours |
| Fix | Update to latest patched version + rotate all secrets |
What Happened
Security researcher Lachlan Davidson discovered the vulnerability on November 29, 2025 and reported it to the React team. The timeline from there was fast:
| Date | Event |
|---|---|
| Nov 29, 2025 | Vulnerability reported |
| Dec 3, 2025 | Public disclosure and patch |
| Dec 4, 2025 | PoC published, roughly 30 hours after the patch |
| Dec 4, 2025 | Active exploitation begins immediately |
| Dec 3-11, 2025 | Cloudflare blocks 582 million exploit attempts |
| Apr 2, 2026 | Cisco Talos publishes research on the 766-host breach |
Darktrace deployed a honeypot after the PoC went live. It was attacked within two minutes.
How the Exploit Works
The vulnerability sits in React's Flight protocol, the serialization format that React Server Components use to communicate between client and server. When a server component receives data from the client, it runs it through a function called `decodeReply`. That function does not properly validate the types of objects it reconstructs.
An attacker can craft a payload that chains prototype lookups to reach JavaScript's `Function` constructor, which is effectively `eval()`. The attack requires one POST request:
```bash
curl -X POST https://your-app.com/ \
  -H "Next-Action: foo" \
  -H "Content-Type: multipart/form-data; boundary=----formdata" \
  --data-binary @payload.bin
```
The `Next-Action` header value does not matter. Even `foo` triggers the vulnerable code path.
The Prototype Chain
The exploit payload uses self-referencing objects to traverse the prototype chain:
```text
[] -> Array -> Array.constructor (Function) -> Function.constructor (Function)
                                                        |
                                              Function('malicious code')
                                                        |
                                  require('child_process').execSync('...')
```
The simplified version:
- The payload includes an empty array `[]`
- A reference traverses `Array.constructor.constructor`, which resolves to the native `Function()` constructor
- The payload forces Promise-like treatment during deserialization, which invokes `.then()` handlers
- Those handlers execute attacker-controlled code through the `Function` constructor
- The attacker loads `child_process` and runs arbitrary commands
The whole payload is about 700-800 bytes. One request, no auth, full RCE.
The critical detail: your app is vulnerable even if you never wrote a Server Action. The App Router enables RSC by default, and the vulnerable `decodeReply` endpoint is reachable on any Next.js app using it.
The 766-Host Breach
Cisco Talos tracked the largest exploitation campaign to a group called UAT-10608. They automated everything - scanning, exploitation, and credential harvesting.
What They Stole
From 766 compromised hosts:
- 91.5% leaked database credentials (connection strings with cleartext passwords)
- 78.2% exposed private SSH keys
- AWS access keys and secrets
- Azure subscription credentials
- Stripe live secret keys
- GitHub and GitLab tokens
- AI platform keys (OpenAI, Anthropic, NVIDIA NIM)
- SendGrid and Brevo API keys
- Kubernetes tokens
- Shell command history
The group runs a C2 interface called NEXUS Listener with a web GUI that shows precompiled stats on credentials harvested per host.
Who Else Exploited It
UAT-10608 was not alone:
- China-nexus groups (Earth Lamia, Jackpot Panda) started exploiting within hours of disclosure, per AWS threat intelligence
- Opportunistic attackers deployed Mirai botnet variants and XMRig crypto miners
- Targeted attacks hit government (.gov) sites, nuclear fuel authorities, and enterprise password managers according to Cloudflare
Are You Affected?
Check Your Version
```bash
# Check Next.js version
npx next --version
# Or from package.json
cat package.json | grep '"next"'
```
You are vulnerable if you run:
| Branch | Vulnerable | Patched |
|---|---|---|
| 14.x | 14.0.0 - 14.2.34 | 14.2.35 |
| 15.0.x | 15.0.0 - 15.0.7 | 15.0.8 |
| 15.1.x | 15.1.0 - 15.1.11 | 15.1.12 |
| 15.2.x | 15.2.0 - 15.2.8 | 15.2.9 |
| 15.3.x | 15.3.0 - 15.3.8 | 15.3.9 |
| 15.4.x | 15.4.0 - 15.4.10 | 15.4.11 |
| 15.5.x | 15.5.0 - 15.5.9 | 15.5.10 |
| 16.0.x | 16.0.0 - 16.0.10 | 16.0.11 |
| 16.1.x | 16.1.0 - 16.1.4 | 16.1.5 |
Any Next.js version from 13.3 onward using the App Router is affected.
Check Your Logs
```bash
# Search for exploitation attempts
grep -i "next-action" /var/log/nginx/access.log
# Known scanner signatures
grep -E "Nuclei.*CVE-2025-55182|React2ShellScanner|python-requests/2.32" \
  /var/log/nginx/access.log
```
Look for:
- POST requests with `Next-Action` headers from unknown IPs
- Outbound connections to ports 3000-3011
- Unexpected function timeouts or process crashes since December 4, 2025
What to Do Right Now
1. Patch
```bash
# Vercel's automated tool (easiest)
npx fix-react2shell-next
# Or update manually
npm install next@latest
# Or update React core directly
npm install react@latest react-dom@latest react-server-dom-webpack@latest
```
2. Rotate All Secrets
If your app ran an unpatched version after December 4, 2025 - even for a few hours - assume your environment variables were exfiltrated. Rotate everything:
- Database credentials
- SSH keys (regenerate, do not just change the passphrase)
- AWS access keys and secrets
- Azure and GCP service account credentials
- Stripe API keys
- GitHub and GitLab tokens
- Third-party API keys (OpenAI, SendGrid, Twilio, etc.)
- JWT signing secrets
- Session secrets and encryption keys
- Any other value in your `.env`
This is not optional. The attackers' automated scripts harvested everything they could find.
3. Harden Your Infrastructure
```bash
# Enforce IMDSv2 on AWS EC2 (blocks SSRF credential theft)
aws ec2 modify-instance-metadata-options \
  --instance-id i-1234567890abcdef0 \
  --http-tokens required \
  --http-endpoint enabled
```
Other steps:
- Enable secret scanning in GitHub/GitLab
- Stop reusing SSH keys across environments
- Use short-lived credentials where possible (AWS STS, GCP workload identity)
- Enforce least privilege on all service accounts
- Monitor for lateral movement from compromised credentials
4. WAF Rules
Cloudflare deployed WAF rules on both paid and free tiers that block known exploit patterns. But their own advisory says WAF rules "cannot guarantee protection against all possible variants." Patching is the only real fix.
Related Vulnerabilities
React2Shell was not the only Next.js issue discovered recently:
| CVE | CVSS | What It Does |
|---|---|---|
| CVE-2025-29927 | 9.1 | Middleware auth bypass via header spoofing |
| CVE-2025-55183 | 5.3 | Server Function source code exposure |
| CVE-2025-55184 | 7.5 | DoS via cyclical Promise references |
| CVE-2025-67779 | 7.5 | DoS, incomplete fix for CVE-2025-55184 |
| CVE-2026-23864 | 7.5 | Denial of Service in RSC |
If you are patching for React2Shell, update to the latest version in your branch. It covers all of these.
Why This Matters for DevOps Teams
Three things stand out:
The patch-to-exploit window is shrinking. Thirty hours from patch to weaponized PoC. Two minutes from deploying a honeypot to receiving attacks. If your patching process takes days or weeks, you are operating on borrowed time.
Default configurations can kill you. A standard create-next-app project is vulnerable without the developer writing any server function code. The vulnerable endpoint exists just because the App Router is enabled. Millions of Next.js apps were exposed by default.
Secrets in environment variables are a single point of failure. When 91.5% of breached hosts leaked database credentials, that tells you most teams store everything in env vars with no additional layer of protection. Consider secrets managers, short-lived credentials, and the principle of least privilege for service accounts.
Key Takeaways
- Check your Next.js version right now. If you are on anything before the patched versions listed above, update immediately.
- Rotate every secret if you were unpatched after December 4, 2025.
- Check your logs for `Next-Action` header exploitation attempts.
- Enforce IMDSv2 on AWS instances to prevent SSRF credential theft.
- Stop reusing SSH keys across environments.
- Update your patching SLAs. A 30-hour exploit window means "patch within a week" is no longer good enough for critical CVEs.
The 766 hosts breached by UAT-10608 are the ones we know about. The real number is almost certainly higher.
Sources: Cisco Talos, React Security Bulletin, Vercel, Wiz, Cloudflare, AWS