React2Shell
React2Shell is the name used here for CVE-2025-55182, a critical unauthenticated remote code execution vulnerability in React Server Components (RSC) affecting Node.js servers and downstream frameworks such as Next.js. The flaw is described as stemming from unsafe deserialization in the RSC Flight protocol and can be triggered by a crafted HTTP POST request to exposed RSC or Server Action endpoints, allowing arbitrary code execution on the affected server. Reported affected components are react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack; impacted ecosystems include React 19.x and Next.js 15.x/16.x using the App Router.

Exploitation is reported to have begun rapidly after disclosure. React2Shell has been used both as a web server exploitation technique for initial footholds in containerized workloads and in broad internet-wide exploitation campaigns. Observed post-exploitation activity includes credential theft, cryptomining, backdoor deployment, botnet integration, ransomware deployment, reverse shells, and theft of AWS configuration and credential files. Threat activity is attributed to TeamPCP (container initial access), the RondoDox botnet (exploitation of vulnerable Next.js servers and deployment of malware and cryptominers), and China-linked actors including Earth Lamia, Jackpot Panda, UNC5174, and Salt Typhoon affiliates. Additional malware or tooling reportedly deployed via exploitation includes Mirai variants, SNOWLIGHT, VShell, Cobalt Strike, cryptominers, and LockBit 4.0.

Targeting spans multiple sectors and geographies, with over 30 affected organizations reported. Indicators include anomalous POST requests to /rsc or Server Action endpoints, child_process execution following RSC requests, rsc-action-id and vm# artifacts in logs, specific exploit payload patterns, and at least one cited IP address, 45.149.154.81.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
IOCs tracked for this family
35 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Other indicator types observed in public reporting.
Recent activity
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A web server exploitation technique used for initial foothold in containerized workloads.
Named as exploitation activity that was observed and ranked highly in exploitation telemetry.
Mentioned in the text as an example of a supply-chain risk/vulnerability; technical details (payload, TTPs, targets) are not described.
React2Shell is a malicious payload deployed by the RondoDox botnet, exploiting the React Server Components vulnerability (CVE-2025-55182) to achieve remote code execution on vulnerable Next.js servers.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.