React2Shell CVE-2025-55182 Update Patch-Again, New Chinese Threat Actors Exploits for react and Next

React2Shell (CVE-2025-55182) is a pre-auth, single-request RCE impacting React Server Components and widely reachable Next.js deployments. Since December 3, exploitation has been observed in the wild at scale, with heavy probing and fast-moving follow-on vulnerabilities that forced teams to patch again. Check full details: https://phoenix.security/react2shell-...

In this video, Francesco Cipollone (CEO & Co-Founder, Phoenix Security) breaks down:
• Why React2Shell is operationally “weird”: massive probing, uneven exploitation
• The real attack workflow: discovery, validation, execution, post-exploitation, and exfiltration paths
• The “patch-again” reality with follow-up CVEs: CVE-2025-55184, CVE-2025-67779, CVE-2025-55183
• What threat actors are doing (including China-nexus activity tracked by major intelligence reporting)
• How to validate exposure safely using our open-source scanner and lab, and how Phoenix Security correlates external attack surface, code scanning, and ownership attribution

Important: Any demonstration shown is for controlled lab environments only. Do not test against systems you do not own or explicitly control.

Timestamps (chapters)

00:00 Intro: Francesco Cipollone, Phoenix Security
00:10 Why React2Shell is “weird” in real-world telemetry
00:21 Widespread reach: React Server Components and Next.js exposure
01:00 What’s new: follow-on CVEs, attack evolution, exfiltration paths
01:47 Affected components: React server-dom packages and Next.js
01:58 Follow-up vulnerabilities: CVE-2025-55184, CVE-2025-67779, CVE-2025-55183
02:43 Triage: how to know if you’re affected (prioritize web-facing)
03:14 Why this is severe: RCE parallels and attacker leverage
04:06 Post-exploitation: commands, secrets, lateral movement, cloud pivots
05:25 What’s vulnerable: webpack/parcel/turbopack and Next.js pathways
05:39 Follow-on CVEs: DoS and exposure risks, and why chaining still matters
06:10 Phoenix tooling: lab, scanners, and campaign-based tracking
06:49 Threat intel snapshot: actor activity, PoC release, detection spikes
07:31 Timeline recap: disclosure, PoC churn, and exposure counts
08:15 Phoenix Security view: correlate exposure, runtime, packages, ownership
09:41 CVE-2025-55182 Exploit Lab walkthrough: IOCs, payload folders, and lab structure
10:41 CVE-2025-55182 Exploit Lab up: vulnerable vs patched instances
10:55 Safe validation: scanner evidence collection against both instances
11:14 CVE-2025-55182 Exploit Lab-only impact verification and expected outcomes
12:09 What to prioritize first: public systems, low-friction exploitation
13:32 Fix strategy: upgrades, pinning versions, regression testing
14:12 Closing: scan, validate, track drift, stay safe


Resources referenced:
• React2Shell resources hub: https://phoenix.security/react2shell-...
• Deep technical anatomy: https://phoenix.security/react-nextjs...
• Exploitation timeline and updates: https://phoenix.security/react2shell-...
• Repo scanner + lab: https://github.com/Security-Phoenix-d...
• Web scanner: https://github.com/Security-Phoenix-d...
• IOC bundle: https://github.com/Security-Phoenix-d...

If you’re running Next.js with React Server Components, prioritize internet-facing workloads, validate production versions (not just CI), and treat exposed RSC paths as incident-grade until proven patched.

#React2Shell #CVE202555182 #Nextjs #ReactServerComponents #ASPM #VulnerabilityManagement #DevSecOps #ApplicationSecurity

⸻