Microsoft has detailed critical mitigations for the React2Shell RCE vulnerability (CVE-2025-55182), a pre-authentication remote code execution flaw that gravely impacts React Server Components and Next.js environments. The vulnerability, which carries the maximum CVSS score of 10.0, allows threat actors to compromise a server with a single malicious HTTP request; successful exploitation attempts against both Windows and Linux systems were first observed on December 5, 2025.
The vulnerability arises from how the React Server Components ecosystem processes data via the Flight protocol. When a client requests data, the server parses the incoming payload to execute server-side logic. However, inadequate input validation permits attackers to inject malicious structures that the server incorrectly accepts as legitimate. This leads to prototype pollution, ultimately enabling attackers to execute arbitrary code on the underlying server.
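As an added illustration that is not part of Microsoft's report, the snippet below shows the general shape of a prototype-pollution bug in a recursive merge helper, next to a hardened version that refuses to walk the prototype chain. It does not reproduce the React Flight parser or the CVE-2025-55182 payload; the helper names, the `BLOCKED_KEYS` list and the JSON blob are constructed for this example.

```javascript
// Generic prototype-pollution illustration (educational code, not React's
// Flight parser and not Microsoft's analysis). The payload is constructed.

// Keys that must never be merged from untrusted input: each one reaches the
// prototype chain rather than the object itself.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: copies every key of untrusted input onto the target. A key
// named "__proto__" resolves to Object.prototype, so the recursion writes
// attacker-chosen properties that every object in the process then inherits.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (typeof value === 'object' && value !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: own keys only, prototype-reaching keys skipped, and nested
// containers created without a prototype so there is nothing to pollute.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          typeof target[key] !== 'object' || target[key] === null) {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed hostile input: an ordinary-looking settings blob that also
// carries a "__proto__" key. JSON.parse keeps it as an own property.
const HOSTILE_JSON = '{"theme":"dark","__proto__":{"polluted":true}}';

// Does an unrelated, freshly created object now see the injected property?
function pollutionVisible() {
  return ({}).polluted === true;
}

// Run the unsafe merge, record whether the process was polluted, then undo
// the damage so nothing else in this file is affected.
function runUnsafe() {
  unsafeMerge({}, JSON.parse(HOSTILE_JSON));
  const leaked = pollutionVisible();
  delete Object.prototype.polluted;
  return leaked; // true: the merge reached Object.prototype
}

// Same input through the hardened merge: normal keys survive, the
// prototype-reaching key is dropped and no global state changes.
function runSafe() {
  const result = safeMerge({}, JSON.parse(HOSTILE_JSON));
  return {
    leaked: pollutionVisible(),
    theme: result.theme,
    hasProtoKey: Object.prototype.hasOwnProperty.call(result, '__proto__'),
  };
}

console.log('unsafe merge polluted Object.prototype:', runUnsafe());
console.log('safe merge result:', runSafe());
```

The defensive points are the ones a reviewer would look for in any deserializer: iterate own properties only, reject keys that name the prototype chain, and build nested containers with `Object.create(null)` (or a `Map`) so that even a missed key has nowhere to land.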
Infection Mechanism and Persistence with React2Shell RCE Vulnerability
Microsoft analysts observed that malware campaigns exploiting the React2Shell RCE vulnerability typically begin with a crafted POST request directed at a vulnerable web application. When the backend deserializes this input, malicious code is executed within the Node.js runtime, bypassing standard security measures. The inherent trust built into these environments makes the vulnerability particularly dangerous, as exploitation requires no special setup or user interaction, leaving many enterprise systems at risk.
Once initial access is achieved, threat actors have been observed rapidly establishing persistence and expanding their control within the compromised network. The attack chain frequently involves reverse shells that connect back to attacker-controlled Cobalt Strike servers, providing sustained remote access. According to Microsoft's analysis, attackers have also been seen using remote monitoring and management tools such as MeshAgent, or modifying system files such as authorized_keys, to maintain access across system reboots.
To evade detection, attackers may use techniques such as bind mounts to conceal malicious processes from system monitoring tools. Further analysis shows a diverse range of payloads being delivered, including remote access trojans such as VShell and EtherRAT, as well as XMRig cryptominers. The observed reverse shell mechanisms illustrate the command structures used during these intrusions.
Beyond gaining immediate control, attackers are actively enumerating system details and environment variables to steal cloud identity tokens for Azure, AWS, and Google Cloud Platform. This credential theft is critical for enabling lateral movement across cloud resources, significantly amplifying the potential impact of a breach on organizations relying on these integrated services.
Microsoft has released details on the mitigations and detection methods for this critical vulnerability. Organizations running React Server Components and Next.js environments are strongly advised to apply the available patches and follow the security recommendations promptly to guard against further exploitation. Continued monitoring of these campaigns will be crucial to understanding the evolving tactics of the threat actors exploiting this severe flaw.