← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
React2Shell (CVE-2025-55182): Dissecting a Node.js RCE Against a Production Next.js App
WHITE PetrP.73 2025-12-20 Modified: 2026-01-19
13
IOCs
MEDIUM VOLUME
The investigation into the cyberattack targeting a production Next.js application identified the exploitation of a critical vulnerability, CVE-2025-55182 (React2Shell), which allows for remote code execution (RCE). An analysis of over 12,000 log entries demonstrated that attackers successfully executed commands on the server. The initial exploitation initiated through a malformed HTTP POST request containing a malicious React Server Component (RSC) Flight payload, abusing a deserialization flaw. This vulnerability, disclosed in December 2025 and rated CVSS 10.0, quickly garnered attention due to widespread active exploitation.
cve202555182c2 serverreact2shellcommandhttpagainstiocsdecemberhttp clienthostmiraidownloadcopycobalt strikeexecutionapachechaosmetasploithunttargetattackopenclosepossibledropperpersistencemaliciousshellflightrsc flightnutsanivia
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
Flight RSC Flight Nuts Anivia Cobalt Strike React2Shell Persistence Mirai
Indicators of Compromise (8 / 13 total)
All CIDR CVE URL domain email
TYPEINDICATORDESCRIPTIONCREATED
URL http://128.199.194.97:9001 2025-12-20
URL http://128.199.194.97:9001/setup2.sh 2025-12-20
URL http://128.199.194.97:9001/setup2.sh|sh 2025-12-20
URL http://176.117.107.154/bot 2025-12-20
URL http://193.34.213.150/nuts/ 2025-12-20
URL http://193.34.213.150/nuts/bolts 2025-12-20
URL http://193.34.213.150/nuts/x86 2025-12-20
URL http://78.153.140.16/re.sh|bash 2025-12-20
References (1)
↗ https://hunt.io/blog/react2shell-cve-2025-55182-nextjs-nodejs-rce