Threat Intelligence 7 min read

React2Shell: CVE-2025-55182 in Next.js Compromises 766 Servers and Automatically Harvests Credentials and Secrets

Key Takeaways

  • CVE-2025-55182: CVSS 10.0, unauthenticated RCE in Next.js App Router via RSC Flight protocol
  • 766 confirmed compromised hosts, automated credential harvesting
  • C2 server features a 'NEXUS Listener' GUI with analytics dashboard
  • Cisco Talos tracks the group as UAT-10608
  • Next.js powers millions of sites; the exposure surface is massive

CVE-2025-55182: Remote Code Execution in Next.js, CVSS 10.0

CVE-2025-55182, named React2Shell by the researchers who discovered it, is an unauthenticated remote code execution (RCE) vulnerability in the React Server Components (RSC) Flight protocol, as implemented in Next.js App Router. It receives the maximum CVSS score of 10.0.

Next.js is one of the most widely used JavaScript frameworks in the world. Deployed across millions of websites, from SaaS applications to e-commerce platforms and enterprise dashboards, a CVSS 10.0 in this framework represents an attack surface of exceptional scale. The vast majority of modern Next.js applications use the App Router and React Server Components, meaning that virtually all recent installations are potentially vulnerable.

The Technical Flaw: RSC Flight Protocol

React Server Components (RSC) is a paradigm introduced in React 18 allowing components to execute exclusively on the server side, with results transmitted to the client via a proprietary serialization format called the RSC Flight Protocol. This protocol enables Next.js to transfer structured data between server and client without going through a traditional REST API.

The vulnerability CVE-2025-55182 resides in the server-side handling of RSC Flight requests. An attacker can send malformed RSC Flight requests without any prior authentication and obtain arbitrary code execution with the privileges of the Next.js process on the server. In practice, these processes often run with elevated permissions and have access to all environment variables on the system, which constitutes the primary exfiltration vector exploited by UAT-10608.

Wiz Research, which contributed to the vulnerability analysis, describes the exploitation vector as “trivial”: no preconditions, no token or session required, exploitable directly from the internet against any exposed Next.js server.

UAT-10608: An Organized Group with Professional Infrastructure

Cisco Talos tracks as UAT-10608 the group behind the active exploitation campaign of CVE-2025-55182. Analysis of the command and control (C2) infrastructure reveals a level of organization that distinguishes UAT-10608 from opportunistic operators.

The C2 server hosts a web interface named “NEXUS Listener”, featuring an analytics dashboard comparable to those of commercial platforms. The interface displays in real time:

  • The list of compromised hosts with status and timestamp
  • Harvested credentials by category (database, SSH, cloud, API)
  • Exploitation metrics (success rates by target type, exfiltrated data volumes)
  • A post-exploitation task queue allowing deployment of additional scripts on compromised hosts

This professional interface suggests either a well-organized group with significant development resources, or the use of a commercial or semi-commercial intrusion campaign management framework.

Automated Credential Harvesting: The Complete Catalog

The post-exploitation automation deployed by UAT-10608 is designed to systematically extract every category of secrets accessible on a compromised Next.js server:

Database credentials. The files .env, .env.local, .env.production, and .env.development are the first targets. These files typically contain database connection strings (PostgreSQL, MySQL, MongoDB, Redis) including usernames and passwords. Configurations in next.config.js are also analyzed.

SSH keys. The ~/.ssh/ directories accessible to the Next.js process are searched to extract RSA, ECDSA, and Ed25519 private keys. In CI/CD environments, these keys can provide access to source code repositories and deployment servers.

AWS and other cloud provider secrets. AWS credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN) are prioritized because they often enable pivoting to the victim’s entire cloud infrastructure. Google Cloud, Azure, and other cloud provider credentials are also harvested.

Third-party API tokens. Stripe API keys (secret keys enabling financial transactions), GitHub tokens (access to private repositories potentially including the entire source code), Twilio, SendGrid, Mailgun, and other SaaS services used by applications.

Shell history. The files .bash_history, .zsh_history, and equivalents are harvested. These files frequently contain commands including tokens or passwords passed as arguments, a source of information often overlooked by defenders.

Of the 766 confirmed compromised hosts identified by Cisco Talos and Qualys, virtually all presented at least one category of exposed secrets. Multiple victims presented secrets providing direct access to payment systems or complete cloud environments.

Exposure Assessment

Next.js is massive. According to Wappalyzer and BuiltWith data, Next.js powers more than 10% of websites using an identifiable JavaScript framework, representing several million installations. Among these, a significant proportion uses the App Router introduced in Next.js 13, and therefore RSC.

The version distribution across Next.js deployments is notorious for slow update adoption. Many Next.js applications are deployed without automatic update processes, running on versions often several minor releases behind. CVE-2025-55182 affects recent versions of Next.js, meaning that even recent installations are vulnerable if the patch has not been applied.

The supply chain dimension of this vulnerability is also significant. Next.js-based applications are often deployed as part of larger platforms, headless CMS setups, or third-party services. Organizations may be exposed through Next.js instances they did not directly build or maintain.

Remediation Procedure and Incident Response

Immediate remediation:

  1. Identify all Next.js App Router applications in your environment, including third-party hosted applications or SaaS applications using Next.js.
  2. Apply the CVE-2025-55182 patch available via npm update next to the fixed version published by Vercel.
  3. Consider any Next.js server exposed before patching as potentially compromised, regardless of the absence of visible intrusion traces.

Secret rotation:

Secret rotation is non-negotiable after exposure to CVE-2025-55182. If your Next.js server was exposed and unpatched, perform a complete rotation of all accessible secrets: database credentials, API keys, OAuth tokens, SSH keys. Do not limit rotation to secrets visibly exfiltrated; harvesting may have occurred without leaving traces in your application logs.

Searching for indicators of compromise:

Check the logs of your third-party services (AWS CloudTrail, GitHub audit log, Stripe dashboard) to detect anomalous access from unexpected IP addresses coinciding with the exposure period. UAT-10608’s scripts generate characteristic access patterns that SOC teams can identify with the appropriate queries.

Longer-term controls:

Prevent direct internet exposure of Next.js servers where possible by deploying behind a WAF or reverse proxy that can filter malformed RSC Flight requests. Implement secrets management through dedicated vaults (AWS Secrets Manager, HashiCorp Vault) rather than environment files to limit what is accessible to the application process. Apply the principle of least privilege to the credentials stored in your Next.js environment: the application should only have the minimum permissions it needs to function.

The Broader Supply Chain Risk

React2Shell is a textbook example of framework-level vulnerabilities with cascading supply chain implications. When a vulnerability affects a foundational framework used by millions of applications, the exploitable surface extends far beyond organizations that directly maintain Next.js servers.

SaaS providers built on Next.js may expose their customers’ data. E-commerce platforms may expose payment credentials. Internal tools may provide pivot points into production infrastructure. Security programs must account for the framework layer as part of their attack surface management, not just the application code written on top of it.

These are affiliate links. If you make a purchase through these links, we may receive a commission at no additional cost to you.

  • Cybersecurity Essentials: practical strategies for secrets management, indicator of compromise detection, and incident response in modern application environments.
  • CISSP Official Study Guide: comprehensive coverage of application security principles and credential management in distributed architectures.

After a potential React2Shell compromise, rotating and securely managing all your team’s passwords and secrets is critical. NordPass enables your teams to centralize credential management and enforce systematic rotation without operational friction.

Sources

#React2Shell #Next.js #CVE #credential-harvesting #UAT-10608 #supply-chain
Share :

Advertisement

Related Articles

Axios Compromised on npm: North Korea Targets 100 Million Downloads Per Week

Handala hacks FBI director's email: Iran's $10 million answer

LiteLLM compromised on PyPI: TeamPCP chains Trivy, Checkmarx, LiteLLM in 5 days