React2Shell (CVE-2025-55182): Credential Harvesting Hits Next.js Hard
Just saw the Talos report regarding the mass exploitation of CVE-2025-55182 (dubbed React2Shell). It is genuinely alarming to see 766 Next.js hosts compromised in such a short timeframe. We aren't just looking at web defacements here; this is a full-blown credential harvesting operation.
The attackers are leveraging the RCE vulnerability to scrape environment variables and configuration files. Specifically, they are targeting:
- Database credentials
- SSH private keys
- AWS secrets and Stripe API keys
- Shell command history
If you are running Next.js in production, you need to assume your environment variables are exposed. I've put together a quick IOC scan for our access logs to identify potential exploitation attempts based on the payload structure observed in the wild. This checks for the specific serialized object injection attempts often preceding the shell deployment.
# Scan Nginx/Apache logs for suspicious serialization payloads
grep -Ei "\x24\x24type|react2shell" /var/log/nginx/access.log | awk '{print $1}' | sort -u
Beyond patching, immediate credential rotation is critical. Has anyone else seen evidence of persistence mechanisms being established beyond just the initial script execution? I'm curious if they are setting up cron jobs or systemd services to maintain access after the initial harvest.
We detected similar activity on three of our staging environments last week. The attackers weren't just dumping .env files; they were actively parsing .bash_history to find references to other infrastructure.
I recommend checking your build logs too. If you're building your Next.js app in CI/CD and the artifact is compromised, you might be redeploying the malware. We added a simple Sigma rule to trigger on any child processes spawned by the node runtime that aren't part of the known build chain.
The rotation of AWS keys is the painful part here. We found that the malware specifically looks for AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
If you use AWS Secrets Manager or Parameter Store, ensure your Next.js app is only pulling these at runtime and that the IAM role has strict deny policies on iam:CreateAccessKey. We managed to stop the exfiltration by enforcing an SCP (Service Control Policy) that blocks any new key creation from the compromised IP ranges.
From a pentester's perspective, this vulnerability is nasty because it bypasses many standard WAF signatures if the request body is properly encoded as JSON.
I wrote a quick Python script to verify if our instances are vulnerable by sending a safe test payload. If you can't patch immediately, input validation on the API routes handling the serialized objects is your best stopgap.
import requests
test_payload = {"constructor": {"name": "test"}}
response = requests.post("http://target:3000/api/route", =test_payload)
print(f"Status: {response.status_code}")
If the response time spikes or returns a 500 with a stack trace referencing deserialization, you're likely vulnerable.
Great points on the WAF bypass, Rachel. To catch the exfiltration phase, we've been tracking outbound network connections spawned by the node process group. Often, these RCE exploits kick off a shell to pipe stolen data directly to a C2.
Here is a quick KQL query to hunt for this behavior in Azure Sentinel:
DeviceProcessEvents
| where InitiatingProcessFileName =~ "node.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "curl", "wget")
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access