Understanding React2Shell: Critical Remote Code Execution in React Server Components and Next.js
A ransomware gang is reportedly exploiting the critical React2Shell vulnerability (CVE-2025-55182) to gain initial access to corporate networks and deploy file-encrypting malware less than a minute later.
Outpost24 researchers recently published an in-depth look at the React2Shell vulnerability, covering what the vulnerability is, how the exploit works, and its exploitation characteristics, as well as practical detection, remediation tips, and risk management implications.
The team commented, “The RSC model is designed to let servers return rendered UI fragments to clients efficiently. Behind this capability is a serialization and deserialization protocol, often called the Flight protocol, that encodes component data and function calls for transport between client and server.
The React2Shell vulnerabilities arise because the deserialization logic in the Flight protocol does not validate untrusted data fully. When a server receives a maliciously crafted Request payload, the decoder may incorporate attacker-controlled values into internal objects and execution paths. This missing validation allows an attacker to control execution flow and trigger arbitrary code execution in the server process context.
Since Next.js builds on the same underlying React RSC infrastructure, applications that include RSC support (especially with the App Router) are also affected unless they have been updated to include the patched React implementation.”
For full details, the analysis can be found here: https://outpost24.com/blog/react2shell-cve-2025-55182-react-vulnerability/
This entry was posted on December 17, 2025 at 12:55 pm and is filed under Commentary with tags Outpost24.