What Happened

A critical vulnerability, identified as CVE-2025-55182, has been discovered in Next.js applications. This vulnerability, dubbed 'React2Shell', has become the attack vector for a massive credential-stealing campaign. Hackers have been actively exploiting this flaw since early October 2023, primarily targeting companies utilizing server-side rendering capabilities in Next.js apps. The campaign has been observed across multiple sectors, with a significant focus on industries with high-profile, enterprise-level web applications. The attackers' automated approach has allowed them to scale their operations quickly and effectively.

Reports from affected organizations began surfacing when unusual account activities and unauthorized access attempts were detected. Incident response teams traced the intrusions back to unpatched Next.js instances, confirming the use of React2Shell to gain remote code execution capabilities and extract sensitive data.

Technical Details

CVE-2025-55182 is a remote code execution (RCE) vulnerability impacting Next.js applications utilizing React.js for server-side rendering. The flaw stems from improper input validation within the Next.js rendering engine that allows threat actors to inject malicious payloads during the React hydration process. Identified attack vectors include specifically crafted HTTP requests that exploit this input validation weakness.

The vulnerability exists in Next.js versions 13.0 through 13.2.1, with CVSS v3 scores categorizing it as 9.8, given its ease of exploitation and potential impact. Attackers require no authentication to exploit this flaw, significantly lowering the barrier to entry for potential intruders. Indicators of Compromise (IOCs) related to this campaign include anomalous inbound web traffic patterns, unexpected processes initiated by the Node.js runtime, and unusual database access logs.

Impact

Organizations using vulnerable versions of Next.js are at risk due to this exploit's capacity to enable extensive data breaches. Key affected parties include large enterprises dependent on web applications for customer interactions and internal operations. Successful exploitation allows attackers to harvest user credentials, leading to unauthorized data access, potential data leaks, and further internal compromise.

The scale of attacks exacerbates the risk as attackers can indiscriminately target large swathes of potentially vulnerable systems. Organizations reporting breaches have noted downstream consequences, such as reduced customer trust, increased incident response costs, and subsequent compliance challenges.

What To Do

  • Patch Next.js Applications: Apply the latest security patches provided by the Next.js development team, upgrading to at least version 13.2.2 or newer.
  • Implement WAF Rules: Deploy Web Application Firewall (WAF) rules to detect and block malicious payloads that exploit CVE-2025-55182.
  • Monitor Network Traffic: Use anomaly detection tools to identify unusual patterns indicative of credential theft attempts.
  • Conduct Security Audits: Regularly perform comprehensive audits of application code and configurations to ensure proper input validation mechanisms are in place.
  • Educate and Train Staff: Ensure DevOps and security teams are aware of this vulnerability and trained in identifying and responding to such threats.

Applying these measures is critical to mitigate the risks associated with CVE-2025-55182. The potential for exploitation will persist in environments where patches and security improvements have not been instituted. Thorough and immediate actions are necessary to protect sensitive data and maintain operational integrity.

Related: