Mass Exploitation of React2Shell Underway
Security researchers have confirmed that threat actors are actively exploiting React2Shell (CVE-2025-55182), a critical vulnerability in Next.js web applications, in a large-scale automated campaign designed to harvest credentials from vulnerable servers. The campaign, which has already breached over 766 Next.js hosts, uses tooling that automates discovery, exploitation, and data exfiltration — requiring minimal manual operator involvement once launched.
The campaign is a significant escalation from the earlier wave of targeted exploitation reported in early April 2026, when attackers were mainly probing exposed instances. Automation removes the human bottleneck: the interval between discovering a host and compromising it shrinks to seconds, and the number of hosts a single operator can work through grows far beyond what manual exploitation allows.
What Is React2Shell (CVE-2025-55182)?
CVE-2025-55182 is a vulnerability in the Next.js framework, in the way an application handles certain server-side requests. An unauthenticated attacker who can reach a vulnerable application can use it to interact with internal application components in ways the application never intended, and researchers report that this can be escalated to remote command execution on the host. The nickname "React2Shell" refers to that pivot: from the React server rendering layer to a shell on the server.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2025-55182 |
| Nickname | React2Shell |
| Framework | Next.js |
| Attack Type | Server-Side Request Manipulation / RCE |
| Authentication | None required |
| Exploitation | Active — automated campaigns confirmed |
Campaign Mechanics
The automated campaign observed by researchers follows a multi-stage pattern:
Stage 1 — Discovery
Attackers use internet-wide scanning tools to identify publicly exposed Next.js applications. Scanners check for version fingerprints and configuration indicators that identify vulnerable deployments. Researchers estimate hundreds of thousands of Next.js applications remain internet-exposed.
Stage 2 — Exploitation
Once a vulnerable target is identified, the attack tooling automatically sends crafted requests exploiting CVE-2025-55182. The exploit does not require authentication and can be executed in seconds per target.
Stage 3 — Credential Extraction
Post-exploitation, the automated tooling locates and exfiltrates:
- Environment variables — database connection strings, API keys, and OAuth secrets stored in `.env` files
- Session tokens and JWTs — harvested from application memory or storage
- Authentication credentials — from database connections and internal service accounts
- Cloud provider credentials — AWS, Azure, and GCP keys embedded in application configurations
Stage 4 — Exfiltration
Stolen credentials are forwarded to attacker-controlled infrastructure in near-real-time. The automation enables operators to process large volumes of stolen data with minimal effort.
Scale and Impact
| Metric | Detail |
|---|---|
| Confirmed breached hosts | 766+ |
| Estimated exposed instances | Hundreds of thousands |
| Campaign automation | Fully automated exploitation and exfiltration |
| Time-to-exploit per host | Seconds |
| Data stolen | Credentials, env vars, API keys, session tokens |
The credential haul from 766+ hosts represents a significant tranche of secrets that could be used in downstream attacks — including access to cloud infrastructure, databases, third-party SaaS platforms, and payment processing APIs integrated with the affected Next.js applications.
Why Next.js Applications Are High-Value Targets
Next.js is one of the most widely deployed JavaScript frameworks for production web applications, used across e-commerce, SaaS platforms, healthcare portals, fintech services, and government-adjacent projects. Applications built with Next.js frequently:
- Store sensitive credentials and API keys in server-side environment variables
- Integrate with cloud services, databases, and payment gateways
- Handle authentication tokens and session data
- Process personally identifiable information (PII)
A single compromised .env file from a Next.js production deployment can yield access to dozens of downstream systems.
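The Stage 3 list above and this paragraph both come down to the same question for a responder: which of the entries in a leaked `.env` are secrets, and where does each one have to be rotated? The following script is an added example, not code from the article or from the Next.js project. It parses a `.env`, classifies each entry by value shape and key name, and emits a rotation inventory. The `.env` contents are constructed (no real credentials), the match patterns are heuristics that will need extending for your stack, and the rotation actions are suggested starting points, not vendor procedures.

```javascript
// Added example, not code from the article or the Next.js project: parse a
// leaked .env and build a rotation inventory, one line per secret with where
// it has to be rotated. The .env text is constructed (no real credentials),
// the match patterns are heuristics, and the rotation actions are suggested
// starting points rather than vendor procedures.

const SAMPLE_ENV = `
# constructed sample, not real credentials
DATABASE_URL=postgres://app:s3cretpass@db.internal:5432/prod
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
STRIPE_SECRET_KEY=sk_live_0123456789abcdefghijklmn
NEXTAUTH_SECRET="base64-session-signing-secret-here"
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
NEXT_PUBLIC_API_BASE=https://api.example.com
LOG_LEVEL=info
`;

// Minimal dotenv parser: KEY=VALUE, optional "export ", # comments, quotes.
function parseDotenv(text) {
  const entries = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (!line || line.startsWith('#')) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) continue;
    let value = m[2].trim();
    const q = value[0];
    if ((q === '"' || q === "'") && value.length >= 2 && value.endsWith(q)) {
      value = value.slice(1, -1);
    }
    entries[m[1]] = value;
  }
  return entries;
}

// Ordered rules, first match wins: recognisable value shapes first, then
// key-name heuristics. NEXT_PUBLIC_* is inlined into the browser bundle by
// Next.js, so anything under that prefix is already public.
const RULES = [
  { kind: 'aws-access-key',
    test: (k, v) => /^(AKIA|ASIA)[A-Z0-9]{16}$/.test(v) || k === 'AWS_SECRET_ACCESS_KEY',
    action: 'AWS IAM: deactivate the key pair, issue a new one, review CloudTrail' },
  { kind: 'github-token',
    test: (k, v) => /^gh[pousr]_[A-Za-z0-9]{36}$/.test(v),
    action: 'GitHub: revoke the token, check the audit log for its use' },
  { kind: 'stripe-key',
    test: (k, v) => /^sk_(live|test)_[A-Za-z0-9]{24,}$/.test(v),
    action: 'Stripe dashboard: roll the API key' },
  { kind: 'connection-string',
    test: (k, v) => /^[a-z][a-z0-9+.-]*:\/\/[^/@\s]+:[^/@\s]+@/i.test(v),
    action: 'change the embedded database password, then update the URL' },
  { kind: 'public-config',
    test: (k) => k.startsWith('NEXT_PUBLIC_'),
    action: 'none (already shipped to the browser; never put secrets here)' },
  { kind: 'generic-secret',
    test: (k) => /(SECRET|TOKEN|PASSW|API_KEY|PRIVATE_KEY)/i.test(k),
    action: 'rotate at the issuing service; invalidate sessions signed with it' },
];

function classifyEntry(key, value) {
  for (const rule of RULES) {
    if (rule.test(key, value)) return { kind: rule.kind, action: rule.action };
  }
  return { kind: 'non-secret', action: 'none' };
}

// Show only the last four characters so the inventory itself is safe to share.
function redact(value) {
  return value.length <= 4 ? '****' : '*'.repeat(8) + value.slice(-4);
}

function buildRotationInventory(envText) {
  return Object.entries(parseDotenv(envText)).map(([key, value]) => ({
    key, preview: redact(value), ...classifyEntry(key, value),
  }));
}

// Keys that must be rotated, in file order.
function rotationTargets(envText) {
  return buildRotationInventory(envText)
    .filter((e) => e.kind !== 'non-secret' && e.kind !== 'public-config')
    .map((e) => e.key);
}

console.table(buildRotationInventory(SAMPLE_ENV));
```

Run it against the real file with `node` after replacing `SAMPLE_ENV` with the file contents; the `preview` column is redacted so the inventory can go into a ticket. Any key that lands in `generic-secret` or `non-secret` but actually unlocks something is a gap in the rules, so treat the output as a checklist to review, not a verdict.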
Remediation
Immediate Steps
- Identify your Next.js version — check the `"next"` entry in `package.json`, and confirm the resolved version in your lockfile (`package-lock.json`, `yarn.lock`, or `pnpm-lock.yaml`), since the range in `package.json` is not what is running
- Apply the patched version — upgrade to a Next.js release that addresses CVE-2025-55182 (consult the official Next.js changelog for the fixed version)
- Rotate all secrets — treat all credentials, API keys, and tokens in any environment file as compromised if you were running a vulnerable version
- Audit access logs — review server logs for unusual request patterns consistent with automated exploitation
- Revoke and reissue OAuth tokens — for any OAuth credentials that may have been exposed
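The first two steps above are a version check, and the trap is reading `package.json`: a range such as `^14.2.0` says nothing about which build is deployed. The script below is an added example, not code from the article or from the Next.js project. It reads the resolved `next` version from an npm lockfile (v1 and v2/v3 layouts), compares it with the patched version for the same major release line, and reports one of `patched`, `vulnerable`, `no-fix-for-line` or `unknown`. The `package.json` and lockfile contents are constructed for illustration, and the fixed versions are passed in as arguments because this example does not know them; take the real values from the advisory.

```javascript
// Added example, not code from the article or the Next.js project: report the
// Next.js version that is actually installed (from the lockfile) and compare
// it with the fixed version for its release line. The package.json and
// lockfile below are constructed for illustration; fixed versions are passed
// in by the caller because this example does not know them.

const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'shop-frontend',
  dependencies: { next: '^14.2.0', react: '^18.3.1' },
});

// npm lockfileVersion 2/3 layout: packages keyed by their node_modules path.
const SAMPLE_LOCK = JSON.stringify({
  name: 'shop-frontend',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { next: '^14.2.0', react: '^18.3.1' } },
    'node_modules/next': { version: '14.2.3' },
    'node_modules/react': { version: '18.3.1' },
  },
});

// "14.2.3" or "15.0.0-canary.3" -> { main: [15, 0, 0], pre: ['canary', '3'] }
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { main: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : null };
}

// -1, 0, 1 like a comparator; a release sorts above its own prereleases.
function compareSemver(a, b) {
  const A = parseSemver(a), B = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (A.main[i] !== B.main[i]) return A.main[i] < B.main[i] ? -1 : 1;
  }
  if (!A.pre && !B.pre) return 0;
  if (!A.pre) return 1;
  if (!B.pre) return -1;
  const n = Math.max(A.pre.length, B.pre.length);
  for (let i = 0; i < n; i++) {
    const x = A.pre[i], y = B.pre[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1; }
    else if (xn) return -1;
    else if (yn) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Resolved version of a package from package-lock.json (v1 or v2/v3 layouts).
function installedVersion(lockText, pkg) {
  const lock = JSON.parse(lockText);
  const v3 = lock.packages && lock.packages[`node_modules/${pkg}`];
  if (v3 && v3.version) return v3.version;
  const v1 = lock.dependencies && lock.dependencies[pkg];
  if (v1 && v1.version) return v1.version;
  return null;
}

// fixedVersions: one patched version per major release line. The install is
// patched only if its major line has a fix and it is at or above that fix.
function assessNext(pkgText, lockText, fixedVersions) {
  const declared = (JSON.parse(pkgText).dependencies || {}).next || null;
  const installed = installedVersion(lockText, 'next');
  if (!installed) return { declared, installed, status: 'unknown' };
  const major = parseSemver(installed).main[0];
  const fix = fixedVersions.find((f) => parseSemver(f).main[0] === major);
  if (!fix) return { declared, installed, status: 'no-fix-for-line' };
  const status = compareSemver(installed, fix) < 0 ? 'vulnerable' : 'patched';
  return { declared, installed, fixedVersion: fix, status };
}

// Usage: node check-next.js <fixed-version> [<fixed-version> ...]
function main(argv) {
  if (!argv.length) { console.log('usage: node check-next.js <fixed-version> [...]'); return; }
  console.log(assessNext(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK, argv));
}
if (typeof module !== 'undefined' && require.main === module) main(process.argv.slice(2));
```

`no-fix-for-line` matters as much as `vulnerable`: a host on a major line that received no patch has to move to a line that did, and `unknown` (no lockfile entry) means the dependency tree must be inspected with `npm ls next` rather than trusted. For yarn or pnpm, swap `installedVersion` for a parser of their lockfile formats; the comparison logic is unchanged.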
Defensive Hardening
- Avoid long-lived static credentials in `.env` files on application servers. Fetch short-lived credentials at runtime from a secrets management service (AWS Secrets Manager, HashiCorp Vault, Azure Key Vault) and prefer workload identity (IAM roles, managed identities) over embedded cloud keys. A process-level compromise can still read whatever the process holds, so the gain is a short lifetime and an audit trail rather than secrecy from the attacker, but it turns a stolen file into a race against expiry instead of a standing key.
- Implement rate limiting and anomaly detection on server-side API routes
- Restrict egress traffic from application servers to prevent unauthorized data exfiltration
- Deploy a WAF with rules targeting Next.js exploitation patterns
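The "anomaly detection" item above and the "audit access logs" step in the immediate remediation list are the same mechanism applied at two different times: a per-client counter over a short window. The campaign's tempo (seconds per host, fully scripted) shows up in access logs as a single source firing a burst of POSTs that no browser session produces. The script below is an added example, not code from the article: it replays combined-format access-log lines through a sliding window and reports the sources that exceed a POST threshold; the same `SlidingWindow.hit()` call, placed in a request handler, is a rate limiter. The log lines are constructed, and the limit and window values are assumptions to tune against your own baseline.

```javascript
// Added example, not code from the article: replay access-log lines through a
// per-client sliding window to surface sources that fire many POSTs within a
// few seconds, the tempo the article attributes to the automated campaign.
// The log lines are constructed; limit/window values are assumptions to tune.
// The same SlidingWindow.hit() call in a request handler is a rate limiter.

const SAMPLE_LOG = `
198.51.100.2 - - [12/Apr/2026:09:59:58 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2026:10:00:01 +0000] "POST /api/checkout HTTP/1.1" 500 231 "-" "python-requests/2.31"
203.0.113.7 - - [12/Apr/2026:10:00:01 +0000] "POST /account HTTP/1.1" 500 231 "-" "python-requests/2.31"
203.0.113.7 - - [12/Apr/2026:10:00:02 +0000] "POST /api/checkout HTTP/1.1" 200 98 "-" "python-requests/2.31"
198.51.100.2 - - [12/Apr/2026:10:00:02 +0000] "POST /api/login HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2026:10:00:02 +0000] "POST /products/1 HTTP/1.1" 500 231 "-" "python-requests/2.31"
203.0.113.7 - - [12/Apr/2026:10:00:03 +0000] "POST / HTTP/1.1" 500 231 "-" "python-requests/2.31"
203.0.113.7 - - [12/Apr/2026:10:00:03 +0000] "POST /api/checkout HTTP/1.1" 200 98 "-" "python-requests/2.31"
198.51.100.2 - - [12/Apr/2026:10:00:09 +0000] "GET /account HTTP/1.1" 200 3001 "-" "Mozilla/5.0"
`;

const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// "12/Apr/2026:10:00:01 +0000" -> epoch milliseconds (UTC), or null.
function parseClfDate(s) {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m || !(m[2] in MONTHS)) return null;
  const local = Date.UTC(+m[3], MONTHS[m[2]], +m[1], +m[4], +m[5], +m[6]);
  const offsetMs = (+m[8] * 60 + +m[9]) * 60000 * (m[7] === '+' ? 1 : -1);
  return local - offsetMs;
}

// Combined log format: ip ident user [date] "METHOD path proto" status bytes ...
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const ts = parseClfDate(m[2]);
  if (ts === null) return null;
  return { ip: m[1], ts, method: m[3], path: m[4], status: Number(m[5]) };
}

// Sliding-window counter keyed by client; events must arrive in time order.
class SlidingWindow {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map();
  }
  // Record one event for key at time ts (ms). Returns true once the key has
  // more than `limit` events inside the trailing window.
  hit(key, ts) {
    const q = this.hits.get(key) || [];
    while (q.length && ts - q[0] >= this.windowMs) q.shift();
    q.push(ts);
    this.hits.set(key, q);
    return q.length > this.limit;
  }
}

// Replay a log and return each client that exceeded `limit` requests of the
// given methods within `windowMs`, with the first request that tripped it.
function findBursts(logText, { limit = 5, windowMs = 10000, methods = ['POST'] } = {}) {
  const win = new SlidingWindow(limit, windowMs);
  const flagged = new Map();
  for (const raw of logText.split('\n')) {
    const r = parseLine(raw.trim());
    if (!r || !methods.includes(r.method)) continue;
    if (win.hit(r.ip, r.ts) && !flagged.has(r.ip)) {
      flagged.set(r.ip, { firstFlaggedAt: new Date(r.ts).toISOString(), path: r.path });
    }
  }
  return [...flagged].map(([ip, info]) => ({ ip, ...info }));
}

console.table(findBursts(SAMPLE_LOG));
```

Set `limit` and `windowMs` from a week of normal traffic before alerting on them; a checkout form under load and a scanner look alike at the wrong threshold. Real logs can be slightly out of order across workers, so sort by timestamp first, and key on the client address your load balancer forwards (for example the last hop in `X-Forwarded-For`) rather than the proxy's own IP, or every burst will appear to come from the balancer.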
Key Takeaways
- Automated campaign active now — 766+ hosts already breached; unpatched applications face near-certain compromise
- Credentials are the primary target — expect downstream attacks using stolen secrets against cloud, database, and API systems
- Patch and rotate secrets immediately — patching alone is insufficient if secrets were already exposed during the vulnerability window
- Next.js adoption = high attacker ROI — the framework's ubiquity makes it an efficient mass-exploitation target