React2Shell (CVE-2025-55182): Technical Analysis of RSC Flight Decoder Remote Code Execution (CVSS 9.8)
Key Takeaways:
- Critical Severity: CVE-2025-55182 allows unauthenticated remote code execution (RCE) with a CVSS score of 9.8.
- Root Cause: The vulnerability stems from prototype pollution during the decoding of the React Flight protocol due to missing “own-property” checks.
- Active Exploitation: Multiple threat actors, including UNC6600 and UNC6586, are actively using the exploit to deploy botnets, miners, and backdoors.
- Urgent Mitigation: Organizations must update React and Next.js to patched versions (19.0.1+) and implement specific security monitoring for RSC endpoints.
Table of Contents:
- Vulnerability Overview: CVE-2025-55182
- Vulnerability Deep Dive: The Flight Protocol
- Root Cause: Prototype Pollution
- Exploit Mechanics and Execution Flow
- Exploitation Activity and Malware Campaigns
- Technical Patch Analysis
- Practical Takeaways for Stakeholders
- PurpleOps Technical Expertise
- Frequently Asked Questions
Vulnerability Overview: CVE-2025-55182 (CVSS 9.8)
CVE-2025-55182 is a critical-severity RCE vulnerability that requires no authentication and no user interaction. It impacts the decoding process of the React Server Components wire format, known as the Flight protocol. By submitting a specifically crafted Flight payload to an endpoint that processes RSC or Server Function requests, an attacker can achieve arbitrary code execution on the server.
The vulnerability stems from an insecure property resolution during the deserialization of the JavaScript object graph. Because frameworks like Next.js integrate RSC deeply into their architecture, the attack surface for CVE-2025-55182 is extensive, affecting any public-facing route that accepts RSC-specific payloads.
Our cyber threat intelligence platform has tracked the rapid weaponization of this flaw, identifying multiple malware campaigns that utilize React2Shell to gain initial access to enterprise environments.
Vulnerability Deep Dive: The Flight Protocol
To understand CVE-2025-55182, one must analyze the React Flight protocol. React Server Components operate by splitting the rendering process between the server and the client. The Flight protocol is the custom wire format used to transmit the server-rendered output to the client.
The Flight payload performs several functions:
- Rendering Output: Transmits the serialized output of server-rendered components.
- Resource Passing: Handles transmission of props and resources for client-side hydration.
- Function Referencing: Allows the client to reference and invoke server functions (Server Actions).
- Graph Reconstruction: Facilitates rebuilding complex JavaScript object graphs on the server during a request.
When a server receives an RSC request, the React decoder processes the incoming Flight stream. This process involves resolving references, rebuilding object structures, and executing logic defined within the server components. The vulnerability is located precisely within this decoding and object reconstruction phase.
Root Cause: Prototype Pollution via Insecure Property Lookup
The technical root cause of CVE-2025-55182 is the absence of “own-property” checks during the decoding of Flight protocol data. In JavaScript, objects can access properties defined on themselves or inherited through the prototype chain. A common pattern for accessing a property is object[key].
If the key is controlled by an external input and the application does not verify that the property belongs specifically to that object instance, JavaScript will search up the prototype chain until it finds a match. During the decoding of the Flight payload, React used attacker-supplied property names to access values on JavaScript objects.
By supplying keys like __proto__ or other inherited properties, an attacker could force the decoder to interact with the prototype chain. This behavior allows for prototype pollution or the manipulation of object resolution. When the decoder attempts to resolve module exports or execute server-side logic based on these polluted objects, it triggers arbitrary code execution.
Exploit Mechanics and Execution Flow
The exploitation of CVE-2025-55182 follows a structured sequence:
- Payload Delivery: The attacker initiates a POST request to a framework route (e.g., a Next.js route) that accepts RSC payloads.
- Parsing: Many implementations use libraries like Busboy to parse multipart/form-data streams.
- Insecure Decoding: The decoder processes the payload to resolve references. Without “own-property” checks, it resolves attacker-influenced keys against the prototype chain.
- Gadget Activation: By manipulating the object structure, the attacker directs execution toward a “gadget”: code that performs unintended actions such as executing shell commands.
- Code Execution: The server executes arbitrary commands, typically resulting in a reverse shell.
Monitoring these types of attacks requires real-time ransomware intelligence and advanced capabilities, as the exploit often bypasses traditional signature-based security layers.
Exploitation Activity and Malware Campaigns
The disclosure of CVE-2025-55182 was followed by immediate exploitation in the wild by several distinct threat actors.
Cryptojacking and Botnet Deployment: Attackers have integrated React2Shell into automated scripts to deploy the Mirai botnet and XMRig miners. These activities are frequently discussed in restricted circles, making underground forum intelligence a vital component for early detection.
UNC6600 – MINOCAT: This threat actor group has been observed exploiting CVE-2025-55182 to deploy the MINOCAT tunneler. This allows for persistent, covert network access, enabling them to bypass firewalls and maintain a foothold.
UNC6586 – SNOWLIGHT: UNC6586 utilizes standard utilities like curl within the React2Shell exploit to retrieve the SNOWLIGHT downloader, a versatile backdoor used for system profiling. This highlights the importance of supply-chain risk monitoring for organizations relying on third-party JavaScript frameworks.
UNC6588 – COMPOOD: This campaign involves the deployment of the COMPOOD backdoor, often renamed to masquerade as a system process for long-term data exfiltration.
Our Telegram threat monitoring services have identified exploit PoCs being traded before they became widely public, emphasizing the need for a proactive dark web monitoring service.
Technical Patch Analysis
The fix for CVE-2025-55182 focuses on hardening the decoding logic within React server-side packages. The patch introduces the following critical changes:
- Own-Property Validation: The decoder now explicitly uses hasOwnProperty checks before returning values, preventing the resolution of inherited prototype properties.
- Multipart Robustness: The update includes stricter validation around field and file processing to prevent malformed Flight markers from being processed.
- Protocol Synchronization: Ensures server-side and client-side Flight protocol handling are synchronized to reduce deserialization attack vectors.
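As an added illustration (not React's code and not PurpleOps' own), the following shows the unguarded object[key] lookup described in the root-cause section beside the own-property guard the patch description above refers to. The registry object and its entries are constructed sample data; real decoders resolve far more than two names, but the lookup behaviour is the same.

```javascript
// Added illustration, not React's decoder: why an unguarded object[key]
// lookup is dangerous when the key arrives on the wire, and the own-property
// guard that closes the gap.
'use strict';

// A table of names the decoder is allowed to resolve. Constructed sample
// data standing in for a map of registered references.
const registry = {
  greet: () => 'hello',
  count: 42,
};

// Vulnerable pattern: the lookup walks the prototype chain, so keys such as
// "constructor", "__proto__" or "toString" resolve to Object.prototype
// members instead of failing.
function resolveUnchecked(table, key) {
  return table[key];
}

// Hardened pattern: only properties the table itself owns are resolvable;
// inherited names yield undefined so the caller can reject the reference.
function resolveOwn(table, key) {
  if (!Object.prototype.hasOwnProperty.call(table, key)) {
    return undefined;
  }
  return table[key];
}

// Classify what a lookup returned, for the comparison below.
function describe(value) {
  return value === undefined ? 'rejected' : typeof value;
}

// Side-by-side comparison over legitimate and prototype-chain keys.
function compareLookups() {
  const keys = ['greet', 'count', 'constructor', '__proto__', 'toString'];
  return keys.map((key) => ({
    key,
    unchecked: describe(resolveUnchecked(registry, key)),
    own: describe(resolveOwn(registry, key)),
  }));
}

console.table(compareLookups());
```

Two of the rows are the whole story: with the unchecked lookup, `constructor` resolves to the `Object` function and `__proto__` to `Object.prototype`, neither of which the registry ever registered; with the own-property guard both come back `undefined` and can be refused. Building the registry with `Object.create(null)` or a `Map` removes the inherited names altogether and is a good companion to the guard.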
Practical Takeaways for Technical and Non-Technical Stakeholders
For Technical Teams and Engineers:
- Verify Package Versions: Audit package.json for React and Next.js. Vulnerable versions include those prior to 19.0.1, 19.1.2, and 19.2.1.
- Implement IPS Signatures: Look for multipart payloads containing prototype-related keys (e.g., __proto__) targeted at RSC endpoints.
- Analyze Server Logs: Scan for unusual POST requests and high volumes of 500 errors.
- Utilize Live Ransomware API: Integrate a live ransomware API into your SIEM to correlate RSC traffic with known malicious IP addresses.
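The first three items above can be scripted. The following is an added example (not PurpleOps' tooling and not part of React or Next.js) that flags React versions in the 19.x lines the advisory names as vulnerable and triages request records for the multipart and 500-error indicators listed. The request records are constructed, their field names are assumptions about what an application or WAF log emits, and the error threshold is an arbitrary demo value; versions outside the three named 19.x lines are reported as "unlisted" rather than judged, because the page does not state ranges for them.

```javascript
// Added example (not PurpleOps', React's or Next.js' code): two checks from
// the list above. reactVersionStatus() flags React versions in the 19.x lines
// the advisory names; triage() scans constructed request records for the log
// indicators it lists. Record field names and the 500-error threshold are
// assumptions made for this demo.
'use strict';

// First fixed patch level per 19.x minor line, as stated on the page:
// 19.0.1, 19.1.2 and 19.2.1.
const FIXED_PATCH_BY_MINOR = { 0: 1, 1: 2, 2: 1 };

// Pull the numeric triple out of a version spec, ignoring range prefixes such
// as "^" or ">=" and any pre-release suffix. Prefer auditing the resolved
// version from the lockfile over the declared range in package.json.
function parseVersion(spec) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(String(spec));
  return m ? m.slice(1, 4).map(Number) : null;
}

// Returns "vulnerable", "patched" or "unlisted" (a line the page does not
// cover, such as 18.x or a 19.x minor beyond those named).
function reactVersionStatus(spec) {
  const v = parseVersion(spec);
  if (!v) return 'unlisted';
  const [major, minor, patch] = v;
  if (major !== 19 || !(minor in FIXED_PATCH_BY_MINOR)) return 'unlisted';
  return patch < FIXED_PATCH_BY_MINOR[minor] ? 'vulnerable' : 'patched';
}

// Audit a parsed package.json object for the React packages it declares.
function auditPackageJson(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const result = {};
  for (const name of ['react', 'react-dom']) {
    if (name in deps) result[name] = reactVersionStatus(deps[name]);
  }
  return result;
}

// Field names that reach the prototype chain through an unguarded lookup.
// The page names __proto__; constructor and prototype are the other standard
// ones worth matching in a signature.
const PROTO_KEYS = ['__proto__', 'constructor', 'prototype'];

// Constructed request records in the shape an application or WAF log might
// emit. Not real traffic; the addresses are from documentation ranges.
const SAMPLE_REQUESTS = [
  { ip: '203.0.113.7', method: 'POST', path: '/', status: 500,
    contentType: 'multipart/form-data; boundary=a', formKeys: ['0', '__proto__'] },
  { ip: '203.0.113.7', method: 'POST', path: '/', status: 500,
    contentType: 'multipart/form-data; boundary=a', formKeys: ['0', 'constructor'] },
  { ip: '203.0.113.7', method: 'POST', path: '/', status: 500,
    contentType: 'multipart/form-data; boundary=a', formKeys: ['0'] },
  { ip: '198.51.100.3', method: 'POST', path: '/api/upload', status: 200,
    contentType: 'multipart/form-data; boundary=b', formKeys: ['file', 'title'] },
  { ip: '198.51.100.9', method: 'GET', path: '/', status: 200,
    contentType: '', formKeys: [] },
];

// Per-request indicator: a multipart POST whose field names include a
// prototype-related key.
function isSuspiciousRequest(r) {
  return r.method === 'POST'
    && /^multipart\/form-data/i.test(r.contentType || '')
    && (r.formKeys || []).some((k) => PROTO_KEYS.includes(String(k).toLowerCase()));
}

// Aggregate indicator: one source producing repeated 500s on POST requests,
// which the page lists as a sign of exploitation attempts.
function triage(records, errorThreshold = 3) {
  const flagged = records.filter(isSuspiciousRequest);
  const errorsByIp = new Map();
  for (const r of records) {
    if (r.method === 'POST' && r.status >= 500) {
      errorsByIp.set(r.ip, (errorsByIp.get(r.ip) || 0) + 1);
    }
  }
  const noisySources = [...errorsByIp]
    .filter(([, n]) => n >= errorThreshold)
    .map(([ip]) => ip);
  return { flagged, noisySources };
}

// Stand-alone run over the constructed data.
console.log(auditPackageJson({ dependencies: { react: '^19.0.0', 'react-dom': '19.2.1' } }));
console.log(triage(SAMPLE_REQUESTS));
```

The version check deliberately reads the declared spec only as a fallback: a `^19.0.0` range in package.json can resolve to a patched release, so feed it the version from the lockfile or from `npm ls react` to get a definitive answer. The triage step is an offline starting point for the IPS and log-review items; the same two predicates translate directly into a WAF rule (multipart POST with a prototype-related field name) and a SIEM correlation (POST 500s per source over a short window).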
For Business Leaders and Executives:
- Assess Supply Chain Risk: Prioritize supply-chain risk monitoring as core library flaws represent significant business risk.
- Invest in Continuous Monitoring: Point-in-time assessments are insufficient. Use a dark web monitoring service to receive brand leak alerting.
PurpleOps Technical Expertise
PurpleOps provides the infrastructure required to defend against sophisticated RCE vulnerabilities like React2Shell. Through our red team operations, we simulate advanced exploitation scenarios to identify weaknesses in serialized data handling.
By combining cyber threat intelligence platform data with manual analysis, we provide a comprehensive view of the threat landscape. Our dark web monitoring service further extends this protection by providing underground forum intelligence and Telegram threat monitoring.
For organizations requiring detailed assessment of their exposure to CVE-2025-55182, PurpleOps offers specialized PurpleOps Solutions ranging from technical audits to the implementation of our unified security platform.
Frequently Asked Questions
What is React2Shell?
React2Shell is the name given to the exploitation of CVE-2025-55182, a critical vulnerability in React Server Components that allows remote code execution.
Which frameworks are affected by CVE-2025-55182?
Primarily Next.js and other frameworks that utilize React Server Components (RSC) and the Flight protocol for data transmission.
Do I need to be authenticated to be exploited?
No, this is an unauthenticated RCE, meaning an attacker can execute code by sending a crafted request to any public endpoint that processes RSC data.
How do I mitigate this vulnerability?
The primary mitigation is updating React and related packages to versions 19.0.1 or higher. Next.js users should update to the latest stable release containing these patches.
Is there a way to detect exploitation attempts?
Yes, by monitoring web server logs for specific RSC-related POST requests and using WAF/IPS signatures that detect prototype pollution strings in multipart payloads.