What is React2Shell?
React2Shell (CVE-2025-55182) is a critical Remote Code Execution (RCE) vulnerability disclosed on December 3, 2025. It affects React Server Components (RSC) used in certain Next.js applications. If exploited, an attacker could send a specially crafted request that may allow unauthorized code execution on the server.
This issue impacts applications that run React code on the server, not browser-only React apps.
Reference: Official CVE Record: https://www.cve.org/CVERecord?id=CVE-2025-55182
Attackers use this vulnerability to:
- Execute arbitrary commands
- Drop persistent malware
- Install crypto-miners
- Bypass container boundaries
- Overwrite system binaries
- Add an SSH key to the authorized_keys file (backdoor)
Versions Affected
React 19.0 and above (React Server Components packages)
Next.js
- 15.x
- 16.x
- 14.3.0-canary.77 and later canary releases when using the App Router
- Note: The vulnerability originates in React Server Components. Next.js is affected because it includes and enables this React functionality.
How do I know if I am affected or compromised?
You may be affected if:
- Your application uses Next.js with the App Router.
- Your deployment includes React Server Components.
- Your project depends on React 19.x and has not been updated with security patches.
You should investigate immediately if you observe unexpected server behavior or crashes.
Mode of operation of the malware dropped after React2Shell exploitation:
- Kills top, ps, htop, strace, kill, pkill.
- Hijacks /bin/{top,ps} symlinks.
- Abuses kernel threads, making ksoftirqd spike.
- Kills processes named scan, monitor, watchdog.
1. Look for unknown processes running on the server.
Look for suspicious .js, .mjs, .tsx, or .jsx files that were not uploaded by you and are not used by your applications, and remove them. Since the malware kills the traditional process-listing tools, install another task manager such as atop (via dnf, yum, or apt); the suspicious process should be visible there.
2. Inspect suspicious binaries via stat
Example:
stat /bin/softirq
3. Check for suspicious outbound network connections and for unrecognized changes to application files or dependencies.
netstat -plan
4. Inspect the /root/.ssh/authorized_keys
Check for any SSH keys that you did not add or recognize, as these could be used by an attacker to gain unauthorized access. Remove any suspicious keys immediately.
5. Review system logs around the time of infection. Substitute the timestamp found via stat.
journalctl search command (818 is the PID found via atop; replace it with the PID on your system):
journalctl -o short-precise --since "2025-12-06" | grep -E "rondo|softirq|c3|miner|xmrig|818"
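The following triage helpers script the checks from steps 1 to 5 above; they are an added example, not part of the original advisory. The function names and the allowlist file format (one known-good public key per line, in authorized_keys syntax) are assumptions; each function takes explicit paths so it can run against a live host or against files copied off it.

```shell
#!/bin/sh
# Added triage helpers for the React2Shell checks above (not from the original advisory).
# Function names and the allowlist format are assumptions.

# Steps 1-2: flag a binary that is a symlink (the malware replaces /bin/top and
# /bin/ps with symlinks) or that was modified after a trusted reference binary.
check_binary() {
    bin="$1"; ref="${2:-/bin/ls}"
    if [ -L "$bin" ]; then
        printf 'SUSPECT %s is a symlink -> %s\n' "$bin" "$(readlink "$bin")"
        return 1
    fi
    if [ "$bin" -nt "$ref" ]; then
        printf 'SUSPECT %s modified after %s, inspect with: stat %s\n' "$bin" "$ref" "$bin"
        return 1
    fi
    return 0
}

# Step 4: print authorized_keys entries whose key blob is absent from an allowlist
# of known-good public keys. Matching on the base64 blob (the field starting with
# AAAA) ignores differing comments and key options. Usage: unknown_keys KEYS ALLOWLIST
unknown_keys() {
    awk 'function blob(  i) { for (i = 1; i <= NF; i++) if ($i ~ /^AAAA/) return $i; return "" }
         FILENAME == ARGV[1] { b = blob(); if (b != "") ok[b] = 1; next }
         /^[[:space:]]*(#|$)/ { next }
         { b = blob(); if (!(b in ok)) print }' "$2" "$1"
}

# Step 5: grep a saved journal export (journalctl -o short-precise > file) for the
# IOC names from the advisory; pass a second argument to append the PID found via
# atop, e.g. 'rondo|softirq|c3|miner|xmrig|818'. Returns 1 when nothing matches.
ioc_hits() {
    grep -E "${2:-rondo|softirq|c3|miner|xmrig}" "$1"
}

# Usage on a live host (as root):
#   for b in /bin/top /bin/ps /bin/softirq; do [ -e "$b" ] && check_binary "$b"; done
#   unknown_keys /root/.ssh/authorized_keys /root/known_good_keys
#   journalctl -o short-precise --since "2025-12-06" > /tmp/journal.txt && ioc_hits /tmp/journal.txt
```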
Don'ts
- Do NOT delete /bin/softirq while the process is running: it will move to memory and mutate.
- Do NOT rely on kill, pkill, or systemctl stop; instead, remove or rename the suspicious binaries/files.
- Do NOT reboot immediately: some malware installs boot-level persistence.
- Do NOT trust top/ps/strace output.
Mitigation:
If your server is compromised:
- Upgrade to patched React / Next.js versions.
- Restore from a known clean backup.
- Change all passwords and secrets.
- Run a full server security scan.
If no signs of compromise are found, upgrading to the latest patched React / Next.js versions is still strongly recommended.