React is a JavaScript library used to build interactive user interfaces from reusable components. React Server Components (RSC) extend this model by allowing certain components and logic to run on the server rather than in the browser.
Frameworks such as Next.js rely heavily on RSC, which makes security flaws in this area especially impactful.
Vulnerability Overview
CVE-2025-55182 (dubbed React2Shell) is a critical remote code execution (RCE) vulnerability in React Server Components.
- Attack type: Remote Code Execution
- Authentication required: No
- User interaction: None
- Severity: Critical
- Affected ecosystem: React RSC, Next.js
An attacker can send a crafted request to an RSC endpoint and execute arbitrary code on the server.
Vulnerability Deep Dive
React Server Components use a custom wire format called the Flight protocol.
The Flight payload is responsible for:
- Transmitting server-rendered component output
- Passing props and resources
- Referencing server functions
- Reconstructing a JavaScript object graph on the server
When a server receives a Flight request:
- React decodes the payload
- Resolves references
- Rebuilds JavaScript objects
- Executes server-side logic as needed
This decoding step is where the vulnerability exists.
Root Cause
The root cause lies in how object properties were resolved while decoding Flight protocol data.
When React decoded an incoming payload, it used property names supplied by the payload to look up values on JavaScript objects without checking whether those properties belonged to the object itself.
In JavaScript, a lookup such as object[key] is not limited to properties defined directly on object.
If the property is not found there, the lookup continues up the prototype chain, so names such as constructor or __proto__ resolve on every ordinary object. This behaviour becomes dangerous when the property name (key) is attacker-controlled.
Exploit mechanics
- The attacker sends a crafted Flight payload via POST to a framework route that accepts RSC/Server Function payloads.
- If the request is multipart, Busboy parses the stream and emits chunks that are consumed by React's decoder.
- The decoder resolves references using attacker-influenced property names without own-property checks.
- Properties inherited from the prototype chain become reachable, enabling gadget-based escalation to RCE.
Patch analysis
The patch synchronizes server-side and client-side Flight protocol handling and hardens how React Server Components decode and resolve module exports. It adds explicit own-property checks (hasOwnProperty) before returning values from module export objects, so an attacker-controlled key can no longer resolve to a property inherited from the prototype chain. It also makes multipart payload decoding more robust by adding error handling around field and file processing. Together these changes close the unsafe property resolution that previously allowed prototype-chain access during deserialization.
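The following is an added example, not code from React or from this advisory. It models the module-export lookup described under Root Cause in two forms: the unpatched bare bracket lookup, and the own-property check described in the patch analysis. The module object, the export name greet and the helper names are illustrative assumptions; the behaviour of the bracket lookup and of hasOwnProperty is plain JavaScript semantics.

```javascript
// Added example, not code from React or from this advisory: a minimal model of
// the Flight decoder's module-export lookup, first as the advisory describes the
// unpatched behaviour (bare bracket lookup), then with the own-property check
// the patch introduced. Object shape and names are illustrative.

// Constructed stand-in for a server module's export object. The only value an
// RSC reference should ever be able to name is `greet`.
const serverModule = { greet: (name) => `hello ${name}` };

// Unpatched behaviour: `exports[key]` walks the prototype chain, so a key that is
// not an own property (such as "constructor") still resolves to a live function.
function resolveExportVulnerable(moduleExports, key) {
  return moduleExports[key];
}

// Patched behaviour: the key must be an own property of the export object.
// Object.prototype.hasOwnProperty.call is used rather than moduleExports.hasOwnProperty
// so the check itself cannot be shadowed by an export named "hasOwnProperty".
function resolveExportHardened(moduleExports, key) {
  if (!Object.prototype.hasOwnProperty.call(moduleExports, key)) {
    return undefined;
  }
  return moduleExports[key];
}

// Constructed list of keys a payload might supply: one legitimate export plus
// names that exist only on Object.prototype.
const probeKeys = ["greet", "constructor", "__proto__", "hasOwnProperty", "toString"];

// Returns the subset of keys for which a resolver hands back a value.
function reachableKeys(resolver, keys) {
  return keys.filter((key) => resolver(serverModule, key) !== undefined);
}

console.log("unpatched resolves:", reachableKeys(resolveExportVulnerable, probeKeys));
console.log("patched resolves:  ", reachableKeys(resolveExportHardened, probeKeys));
console.log(
  "unpatched 'constructor' is the Object function:",
  resolveExportVulnerable(serverModule, "constructor") === Object,
);
```

Run with node. Against the unpatched resolver every probe key yields a value (constructor resolves to the global Object function, __proto__ to Object.prototype); against the hardened resolver only greet does. Object.hasOwn(moduleExports, key), available from Node 16.9, is an equivalent spelling of the check.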
Exploitation Activity and Related Malware Campaigns
| Malware Campaigns | Exploitation Chain involving React2Shell |
| --- | --- |
| Cryptojacking Campaign | The attackers exploited React2Shell to execute a dropper bash script that downloaded multiple second-stage payloads, including additional scripts and gzip-compressed files. |
| Cryptojacking Campaign | Attackers abused the vulnerability to deploy Mirai botnet components and xmrig crypto miners for large-scale cryptojacking. |
| UNC6600 – MINOCAT | Attackers exploited the vulnerability to gain remote code execution and executed bash scripts that deployed the MINOCAT tunneler, enabling persistence and covert network access. |
| UNC6586 – SNOWLIGHT | Using curl or wget, attackers retrieved and executed the SNOWLIGHT downloader, which functions as a backdoor and enables additional payload delivery. |
| UNC6588 – COMPOOD | Attackers used wget to download and execute the COMPOOD backdoor, which masquerades as a legitimate binary to maintain persistent access. |
Mitigation & Recommendations
- Upgrade React / RSC packages (primary fix)
Upgrade to patched React releases that pull in the fixed RSC server packages (react-server-dom-webpack / react-server-dom-parcel / react-server-dom-turbopack): 19.0.1, 19.1.2 or 19.2.1 for the 19.0, 19.1 and 19.2 lines respectively, or newer.
- Reduce exposure of Server Action / RSC routes
Where feasible, ensure server action/RSC handling routes are not publicly exposed without appropriate access control.
- Deploy IPS/WAF rules
Use IPS signatures or custom WAF rules to detect and block multipart payloads containing keys that target the prototype chain (for example __proto__ or constructor) or malformed Flight markers.
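To act on the upgrade recommendation above, the first step is finding every installed copy of the RSC server packages and comparing it against the fixed release for its line. The script below is an added example, not part of this advisory or of Quick Heal's tooling. It assumes an npm package-lock.json with lockfileVersion 2 or 3 (installed packages listed under "packages", keyed by their node_modules path); the lockfile fragment it runs on is constructed for demonstration.

```javascript
// Added example, not part of this advisory or of Quick Heal's tooling: flag
// react-server-dom-* packages in an npm lockfile whose version is below the fixed
// release for its minor line (19.0.1, 19.1.2, 19.2.1, as listed above). Assumes an
// npm package-lock.json with lockfileVersion 2 or 3, where installed packages sit
// under "packages" keyed by their node_modules path.

const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// First fixed release per minor line. A Map (not a plain object) is used so that
// lookups never fall through to Object.prototype.
const FIXED_BY_LINE = new Map([
  ["19.0", [19, 0, 1]],
  ["19.1", [19, 1, 2]],
  ["19.2", [19, 2, 1]],
]);

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// "patched": at or beyond the fix for its line, or newer than every fixed line.
// "vulnerable": a 19.0/19.1/19.2 release below the fix.
// "review": pre-release builds (canary/experimental) or lines the advisory does
// not name, which must be checked against the upstream changelog by hand.
function assessVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(version);
  if (!m || m[4]) return "review";
  const parsed = [Number(m[1]), Number(m[2]), Number(m[3])];
  const fixed = FIXED_BY_LINE.get(`${parsed[0]}.${parsed[1]}`);
  if (fixed) return compareVersions(parsed, fixed) >= 0 ? "patched" : "vulnerable";
  if (parsed[0] > 19 || (parsed[0] === 19 && parsed[1] > 2)) return "patched";
  return "review";
}

// Walks every installed copy (including nested duplicates) and returns one
// finding per RSC package.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1 || !entry.version) continue;
    const name = path.slice(idx + "node_modules/".length);
    if (!RSC_PACKAGES.has(name)) continue;
    findings.push({ path, name, version: entry.version, status: assessVersion(entry.version) });
  }
  return findings;
}

// Constructed lockfile fragment for demonstration. Against a real project use
// JSON.parse(fs.readFileSync("package-lock.json", "utf8")) instead.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-lib/node_modules/react-server-dom-turbopack": { version: "19.1.2" },
  },
};

for (const f of scanLockfile(sampleLock)) {
  console.log(`${f.status.padEnd(10)} ${f.name}@${f.version} (${f.path})`);
}
```

Nested copies matter: a framework or library may vendor its own react-server-dom-* under its node_modules directory, so checking only the top-level entry misses unpatched duplicates. Pre-release versions are deliberately reported as "review" rather than guessed at, since a canary build's number does not say whether it includes the fix.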
Quick Heal protection
All Quick Heal customers are protected from this vulnerability by the following signatures:
- HTTP/CVE-2025-55182!VS.50159
- HTTP/CVE-2025-55182!VS.50160
- HTTP/CVE-2025-55182!VS.50161
- HTTP/CVE-2025-55182!VS.50162
Authors:
Vinay Kumar
Adrip Mukherjee
Vineet Sarote