
CVE-2025-22536 (React2Shell): Automated Credential Harvesting in Next.js Apps — Detection & Remediation

Security Arsenal Team
April 16, 2026

Introduction

The security community is currently tracking an active threat cluster, UAT-10608, aggressively targeting web-exposed Next.js applications. At the heart of this campaign is CVE-2025-22536, dubbed "React2Shell." This is not a theoretical risk; adversaries are leveraging an automated tooling framework to scan for, exploit, and systematically exfiltrate credentials, secrets, and sensitive system data from unpatched servers. For organizations running Next.js in production, the urgency is immediate: if your application is vulnerable, automated scanners are likely already attempting to dump your environment variables (.env files) and source code.

Technical Analysis

Affected Products & Platforms:

  • Product: Next.js (Open Source React Framework)
  • Affected Versions: Versions prior to 15.1.4, 15.0.4, 14.2.21, 14.1.3, 13.5.8, and 13.4.21 are vulnerable. This primarily impacts applications deployed on Linux servers running Node.js, though the underlying architecture flaw is platform-agnostic.

CVE Identifier & Severity:

  • CVE: CVE-2025-22536
  • CVSS Score: 9.8 (Critical)
  • CISA KEV: Not yet listed at the time of writing, though moving rapidly toward inclusion; confirmed active exploitation already meets the criteria for emergency patching.

Vulnerability Mechanics & Attack Chain: React2Shell stems from a flaw in how Next.js handles server-side requests, specifically the internal channel through which Client Components and Server Components communicate.

  1. Initial Access: The attacker sends a specially crafted HTTP request to the Next.js server. This request targets the internal base path or the _next namespace, exploiting the lack of strict validation on the destination of the server-side rendering request.
  2. Exploitation: By manipulating headers or path parameters (specifically referencing internal routes), the attacker forces the application to traverse the local filesystem or execute unintended code logic within the Node.js runtime context.
  3. Credential Harvesting: The UAT-10608 campaign utilizes an automated script that, upon successful exploitation, immediately reads sensitive configuration files (e.g., .env, package.) and memory. The goal is to harvest API keys, database credentials, and cloud tokens.

Exploitation Status:

  • Status: Confirmed Active Exploitation (In-the-Wild).
  • Actor: UAT-10608 (Automated Threat Cluster).

Detection & Response

The following detection rules focus on the behavioral outliers of a Node.js/Next.js process undergoing exploitation. Specifically, we look for the parent Node process spawning unexpected shells (indicating RCE) or accessing sensitive environment files.

SIGMA Rules

```yaml
---
title: Next.js React2Shell RCE - Node Spawning Shell
id: 8a4b2c1d-5e6f-4a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects Node.js processes spawning command shells (bash/sh/zsh), a common behavior post-RCE exploitation of Next.js (CVE-2025-22536).
references:
  - https://www.darkreading.com/cyberattacks-data-breaches/automated-credential-harvesting-campaign-react2shell
author: Security Arsenal
date: 2025/04/08
tags:
  - attack.execution
  - attack.t1059.004
  - cve.2025.22536
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    ParentImage|endswith: '/node'
    Image|endswith:
      - '/bash'
      - '/sh'
      - '/zsh'
  condition: selection
falsepositives:
  - Legitimate developer administration scripts
  - npm/yarn/pnpm run scripts (npm is itself a node process and launches scripts as 'sh -c'); scope the rule to production hosts or filter parents whose command line is the package manager
level: high
---
title: Next.js Sensitive File Access via Node Process
id: 9b5c3d2e-6f7a-5b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects the Node process reading .env files (.env, .env.local, .env.production, ...), indicative of credential harvesting activity associated with UAT-10608.
references:
  - https://www.darkreading.com/cyberattacks-data-breaches/automated-credential-harvesting-campaign-react2shell
author: Security Arsenal
date: 2025/04/08
tags:
  - attack.credential_access
  - attack.t1005
logsource:
  category: file_access
  product: linux
detection:
  node_process:
    Image|endswith: '/node'
  # Match the dotenv file itself, not every path containing the substring '.env' (e.g. .envrc)
  dotenv_exact:
    TargetFilename|endswith: '/.env'
  dotenv_variant:
    TargetFilename|contains: '/.env.'
  condition: node_process and (dotenv_exact or dotenv_variant)
falsepositives:
  - Application startup, which normally reads .env once at launch rather than repeatedly while serving requests
  - Committed template files such as .env.example
level: medium
```
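To see how the two Sigma selections above behave on real-looking telemetry, here they are applied as plain Python over constructed Linux process_creation and file_access events, including the two tuning points the rules need in practice: suppressing the node parent when it is npm/yarn/pnpm launching a script, and matching the dotenv file itself rather than any path that contains ".env". This is an added example, not code from the advisory or from the Sigma project; the event field names, the sample events and the package-manager allow-list are assumptions.

```python
"""Apply the React2Shell Sigma selections to constructed Linux endpoint events.

Added example: the event shapes, sample telemetry and the package-manager
allow-list are assumptions, not part of the advisory or of Sigma itself.
"""
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:            # process_creation telemetry
    parent_image: str
    parent_command_line: str
    image: str
    command_line: str


@dataclass(frozen=True)
class FileEvent:               # file_access telemetry
    image: str
    target_filename: str


SHELLS = ("/bash", "/sh", "/zsh")
# npm, yarn and pnpm are node scripts themselves; `npm run build` spawns
# `sh -c "next build"` with node as the parent, which the first rule matches.
PACKAGE_MANAGER_PREFIXES = ("npm", "npx", "yarn", "pnpm")


def node_spawned_shell(ev: ProcessEvent) -> bool:
    """Rule 1 selection: ParentImage|endswith '/node' and Image|endswith a shell."""
    return ev.parent_image.endswith("/node") and ev.image.endswith(SHELLS)


def is_package_manager_wrapper(ev: ProcessEvent) -> bool:
    """Benign shape for rule 1: the node parent is running npm/yarn/pnpm."""
    argv = ev.parent_command_line.split()
    return len(argv) > 1 and posixpath.basename(argv[1]).startswith(PACKAGE_MANAGER_PREFIXES)


def naive_env_match(ev: FileEvent) -> bool:
    """TargetFilename|contains '.env' taken literally: also hits .envrc and similar."""
    return ev.image.endswith("/node") and ".env" in ev.target_filename


def node_reads_dotenv(ev: FileEvent) -> bool:
    """Rule 2 tightened: the basename is exactly .env or .env.<suffix>."""
    base = posixpath.basename(ev.target_filename)
    return ev.image.endswith("/node") and (base == ".env" or base.startswith(".env."))


def triage(process_events, file_events):
    """Return (rule, detail) pairs for events that survive the benign filters."""
    hits = []
    for ev in process_events:
        if node_spawned_shell(ev) and not is_package_manager_wrapper(ev):
            hits.append(("node_spawning_shell", ev.command_line))
    for ev in file_events:
        if node_reads_dotenv(ev):
            hits.append(("node_reads_dotenv", ev.target_filename))
    return hits


# Constructed sample telemetry (not real captures)
PROCESS_EVENTS = [
    ProcessEvent("/usr/bin/node", "node /usr/lib/node_modules/npm/bin/npm-cli.js run build",
                 "/bin/sh", "sh -c next build"),                                  # CI build: benign
    ProcessEvent("/usr/bin/node", "node server.js", "/bin/sh", "sh -c env"),        # production server: flag
    ProcessEvent("/usr/bin/node", "node server.js", "/usr/bin/node", "node worker.js"),  # no shell
]
FILE_EVENTS = [
    FileEvent("/usr/bin/node", "/srv/app/.env"),
    FileEvent("/usr/bin/node", "/srv/app/.env.production"),
    FileEvent("/usr/bin/node", "/home/deploy/.envrc"),        # matches the naive rule only
    FileEvent("/usr/bin/cat", "/srv/app/.env"),                # not the node process
]

if __name__ == "__main__":
    for rule, detail in triage(PROCESS_EVENTS, FILE_EVENTS):
        print(f"{rule}: {detail}")
```

Run as a script it prints the two production-server hits and the two dotenv reads, while the CI build shell, the `.envrc` read and the `cat` process are left alone; the same filters translate directly back into additional Sigma selections or KQL `where` clauses.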


**KQL (Microsoft Sentinel / Defender)**

```kql
// Hunt for Node.js processes spawning shells or download/network tooling (DeviceProcessEvents
// carries process creation only; pair with DeviceFileEvents for .env reads)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "node"
| where FileName in~ ("bash", "sh", "curl", "wget", "nc", "python")
| extend HostName = DeviceName
| project Timestamp, HostName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, FileName
| order by Timestamp desc
```


**Velociraptor VQL**

```vql
// Hunt for running node processes whose command line references download tooling or a .env file
SELECT Pid, Name, Exe, CommandLine
FROM pslist()
WHERE Name =~ 'node'
  AND (
    // =~ is a regex match; '[.]env' requires the literal dot so that
    // '/usr/bin/env node' and similar benign command lines do not match
    CommandLine =~ 'curl' OR
    CommandLine =~ 'wget' OR
    CommandLine =~ '[.]env'
  )
```


**Remediation Script (Bash)**

```bash
#!/bin/bash
# Check the installed Next.js version for React2Shell (CVE-2025-22536) exposure.
# Run from the application directory (the one containing package.json).
set -u

# Minimum fixed version per release line, ascending, as listed in this advisory.
FIXED_VERSIONS="13.4.21 13.5.8 14.1.3 14.2.21 15.0.4 15.1.4"

# is_patched VERSION: succeeds when VERSION is at or above the fixed version that
# applies to its release line (exact major.minor line first, otherwise the newest
# fix for the same major; majors newer than 15 are treated as patched).
is_patched() {
    local ver="$1" line="${1%.*}" major="${1%%.*}" fixed threshold=""
    for fixed in $FIXED_VERSIONS; do
        if [ "${fixed%.*}" = "$line" ]; then threshold="$fixed"; break; fi
        if [ "${fixed%%.*}" = "$major" ]; then threshold="$fixed"; fi
    done
    if [ -z "$threshold" ]; then
        [ "$major" -gt 15 ]
        return
    fi
    # sort -V orders versions lowest first; patched unless ver sorts strictly below threshold
    [ "$ver" = "$threshold" ] || \
        [ "$(printf '%s\n' "$ver" "$threshold" | sort -V | head -n 1)" != "$ver" ]
}

echo "Checking for vulnerable Next.js versions..."

# Read the version actually installed in node_modules instead of parsing `npm list` output
NEXT_VERSION=""
if command -v node > /dev/null 2>&1; then
    NEXT_VERSION=$(node -p "require('next/package.json').version" 2>/dev/null)
fi
if [ -z "$NEXT_VERSION" ] && [ -f node_modules/next/package.json ]; then
    NEXT_VERSION=$(sed -n 's/.*"version": *"\([^"]*\)".*/\1/p' node_modules/next/package.json | head -n 1)
fi
if [ -z "$NEXT_VERSION" ]; then
    echo "Next.js not found in the current directory (is this the application root?)." >&2
    exit 2
fi
NEXT_VERSION="${NEXT_VERSION%%-*}"   # drop any prerelease suffix such as -canary.3
echo "Current Next.js version: $NEXT_VERSION"

echo "Vulnerability CVE-2025-22536 Check:"
if is_patched "$NEXT_VERSION"; then
    echo "Not affected: at or above the fixed release for this branch."
else
    echo "VULNERABLE: older than the fixed release for this branch (15.1.4, 15.0.4, 14.2.21, 14.1.3, 13.5.8 or 13.4.21)."
    echo ""
    echo "ACTION REQUIRED: Run 'npm install next@latest' to patch immediately."
    exit 1
fi
```

Remediation

  1. Patch Immediately: Update Next.js to the latest secure version. The minimum fixed versions are:

    • 15.1.4 (for the 15.x branch)
    • 15.0.4 (for the 15.0.x branch)
    • 14.2.21 (for the 14.x branch)
    • 13.5.8 (for the 13.x branch)

    Run npm install next@latest or yarn add next@latest in your application directory.
  2. Rotate Credentials: Assume that if the application was exposed and unpatched, credentials (API keys, DB strings) in environment variables have been harvested. Rotate all secrets found in .env files immediately.

  3. Network Segmentation: Ensure Next.js development ports (usually 3000) and internal build endpoints are not exposed to the public internet. Use a Web Application Firewall (WAF) to block requests to /_next/ and internal routes that do not originate from your legitimate frontend domain.

  4. Audit Access Logs: Review web server access logs for the past 30 days for suspicious patterns involving x-nextjs-data headers or unusual POST requests to base paths.

  5. Official Advisory: Refer to the Vercel/Next.js Security Advisory for detailed patch notes.
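Step 4 above asks for a 30-day review of web server access logs for x-nextjs-data headers and unusual POST requests to base paths. The following is an added example of that hunt over constructed nginx-style log lines; it is not code from the advisory or from the Next.js project. It assumes a custom `log_format` that appends the value of the X-Nextjs-Data request header, quoted, after the standard combined fields (nginx logs "-" when the header is absent), and it uses RFC 5737 documentation addresses for the sample clients.

```python
"""Hunt web access logs for the request shapes the React2Shell advisory calls out.

Added example: the log format (combined + quoted X-Nextjs-Data header value) and
the sample lines are assumptions, not real captures.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Combined log format with one extra quoted field: "$http_x_nextjs_data"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<nextjs_data>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The advisory's publication date is used as "now" so the 30-day window is reproducible
NOW = datetime(2026, 4, 16, tzinfo=timezone.utc)


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def is_suspicious(rec):
    """POSTs to the base path or the _next namespace, and the x-nextjs-data
    header on anything other than the GETs the Next.js client normally sends."""
    path = rec["path"].split("?", 1)[0]
    base_path_post = rec["method"] == "POST" and (path == "/" or path.startswith("/_next/"))
    data_header_non_get = rec["nextjs_data"] not in ("", "-") and rec["method"] != "GET"
    return base_path_post or data_header_non_get


def hunt(lines, now=NOW, window=timedelta(days=30)):
    """Return (matching records, count per source IP) for lines inside the window."""
    cutoff = now - window
    hits, per_ip = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ts"] < cutoff:
            continue
        if is_suspicious(rec):
            hits.append(rec)
            per_ip[rec["ip"]] += 1
    return hits, per_ip


# Constructed sample log: a browser session, an automated client probing base
# paths, an out-of-window line, and a legitimate application POST.
SAMPLE_LOG = """\
198.51.100.10 - - [12/Apr/2026:09:15:01 +0000] "GET /_next/static/chunks/main.js HTTP/1.1" 200 48213 "https://shop.example/" "Mozilla/5.0" "-"
198.51.100.10 - - [12/Apr/2026:09:15:02 +0000] "GET /_next/data/abc123/products.json HTTP/1.1" 200 2201 "https://shop.example/" "Mozilla/5.0" "1"
203.0.113.7 - - [12/Apr/2026:09:16:44 +0000] "POST / HTTP/1.1" 200 512 "-" "python-requests/2.31" "1"
203.0.113.7 - - [12/Apr/2026:09:16:45 +0000] "POST /_next/data/abc123/products.json HTTP/1.1" 200 512 "-" "python-requests/2.31" "1"
203.0.113.7 - - [01/Feb/2026:09:16:45 +0000] "POST / HTTP/1.1" 200 512 "-" "python-requests/2.31" "1"
192.0.2.55 - - [13/Apr/2026:10:00:00 +0000] "POST /api/checkout HTTP/1.1" 200 88 "https://shop.example/cart" "Mozilla/5.0" "-"
"""

if __name__ == "__main__":
    hits, per_ip = hunt(SAMPLE_LOG.splitlines())
    for rec in hits:
        print(f"{rec['ts'].isoformat()} {rec['ip']} {rec['method']} {rec['path']} "
              f"status={rec['status']} ua={rec['ua']!r} x-nextjs-data={rec['nextjs_data']!r}")
    print("requests per source:", dict(per_ip))
```

Against the sample it reports the two probes from 203.0.113.7 inside the window and nothing else: the browser's GET data fetch carries the header legitimately, the checkout POST goes to an application route, and the February line falls outside the 30 days. On a real server, feed it the rotated logs for the whole period and review the per-source counts first, since the campaign described above is automated and tends to show up as many base-path POSTs from a small set of addresses.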
