# Hackers Launch Automated Credential Theft Campaign Exploiting React2Shell Vulnerability in Next.js Applications


A large-scale credential theft campaign is actively targeting vulnerable Next.js applications through exploitation of React2Shell (CVE-2025-55182), a critical vulnerability that allows unauthenticated attackers to execute arbitrary code and harvest user credentials at scale. Security researchers have identified dozens of affected applications across e-commerce, SaaS, and financial services sectors, with evidence suggesting the campaign has been operating for weeks with minimal detection.


## The Threat


Threat actors are leveraging automated scanning and exploitation tooling to identify and compromise Next.js applications vulnerable to CVE-2025-55182. Once successfully exploited, attackers inject credential-stealing payloads that harvest login credentials, API tokens, session cookies, and authentication tokens from legitimate users visiting the compromised applications.


Key details of the campaign:


  • Attack vector: Unauthenticated remote code execution via React2Shell vulnerability
  • Payload: JavaScript credential harvesters injected into application pages
  • Scale: Hundreds of attempts daily across vulnerable instances identified by automated scanners
  • Detection: Most attacks remained undetected for 7-30 days before discovery by security monitoring services
  • Stolen data: Login credentials, OAuth tokens, API keys, session identifiers, and multi-factor authentication codes

Security teams monitoring threat intelligence feeds have observed command-and-control (C2) infrastructure actively collecting stolen credentials, with some indicating the credentials are being sold on underground markets or used for follow-on intrusions.


## Background and Context


React2Shell, a utility library designed to facilitate React component rendering in server-side environments, contains a critical deserialization vulnerability in how it processes untrusted input. The vulnerability exists in versions prior to 2.8.4 and allows attackers to execute arbitrary code through specially crafted requests.


Vulnerability overview:

| Aspect | Detail |
|--------|--------|
| CVE ID | CVE-2025-55182 |
| CVSS Score | 9.8 (Critical) |
| Attack Complexity | Low — no authentication required |
| User Interaction | None |
| Affected Versions | React2Shell < 2.8.4 |
| Affected Frameworks | Next.js 12.x, 13.x, 14.x (when using React2Shell) |
| Patch Available | Yes — version 2.8.4+ |


The vulnerability was initially disclosed in restricted security channels approximately three weeks ago, but public exploitation began shortly after proof-of-concept code appeared on GitHub. Unlike many zero-days that remain undisclosed during patch windows, this vulnerability reached exploitation maturity within days, creating a narrow window for defenders to identify and patch vulnerable instances.


## Technical Details


The React2Shell vulnerability stems from unsafe deserialization of user-supplied input in the component rendering pipeline. When a Next.js application uses React2Shell to render dynamic components, the library accepts serialized component data that is deserialized without proper validation.


Attack mechanism:

1. Attacker identifies a vulnerable Next.js application using automated scanning tools that probe for characteristic React2Shell error messages and response patterns
2. Attacker crafts a malicious serialized payload containing arbitrary JavaScript code
3. Payload is submitted to a vulnerable endpoint (typically /api/render, /api/components, or similar)
4. React2Shell deserializes the payload without sanitization, executing embedded code in the Node.js server process
5. Attacker gains server-side code execution with the privileges of the Node.js application
6. Attacker injects client-side credential harvesting code into HTML responses served to legitimate users
7. Harvested credentials are exfiltrated to attacker-controlled infrastructure


Example vulnerable code pattern:

```javascript
// Dangerous pattern found in affected applications: the request body is handed
// straight to the deserializer, so the client controls what gets built and
// rendered inside the Node.js process.
app.post("/api/render", (req, res) => {
  const component = deserializeComponent(req.body.componentData); // untrusted input
  const rendered = renderComponent(component);
  res.send(rendered);
});
```
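For contrast, here is the shape a safe handler takes. This is an added example, not code from the article or from React2Shell: the request body is parsed as plain JSON and checked against an allowlist of component types and prop schemas, so nothing the client sends is ever turned into executable structure. The registry, prop schemas and function names are assumptions for illustration.

```javascript
// Added example (not from the article): allowlist-based handling of the
// component request, in place of deserializing whatever the client sends.
// The registry, prop schemas and function names are assumptions.
const COMPONENT_REGISTRY = {
  ProductCard: { props: { title: "string" },
    render: (p) => `<div class="card">${escapeHtml(p.title)}</div>` },
  PriceTag: { props: { amount: "number" },
    render: (p) => `<span class="price">${p.amount.toFixed(2)}</span>` },
};

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Parse the untrusted body as plain JSON and check it against the registry:
// only known component types, only declared props, only the declared types.
function parseComponentRequest(body) {
  let data;
  try { data = JSON.parse(body); } catch { throw new Error("invalid JSON"); }
  if (typeof data !== "object" || data === null || Array.isArray(data)) {
    throw new Error("component request must be an object");
  }
  // hasOwn (not `in`) so inherited keys such as __proto__ never match
  if (typeof data.type !== "string" || !hasOwn(COMPONENT_REGISTRY, data.type)) {
    throw new Error(`unknown component type: ${String(data.type)}`);
  }
  const schema = COMPONENT_REGISTRY[data.type].props;
  const props = data.props ?? {};
  if (typeof props !== "object" || props === null) throw new Error("props must be an object");
  const clean = {};
  for (const key of Object.keys(props)) {
    if (!hasOwn(schema, key)) throw new Error(`unexpected prop: ${key}`);
    if (typeof props[key] !== schema[key]) throw new Error(`prop ${key} must be ${schema[key]}`);
    clean[key] = props[key];
  }
  for (const key of Object.keys(schema)) {
    if (!hasOwn(clean, key)) throw new Error(`missing prop: ${key}`);
  }
  return { type: data.type, props: clean };
}

// Safe counterpart of the handler body shown above.
function renderComponentRequest(body) {
  const { type, props } = parseComponentRequest(body);
  return COMPONENT_REGISTRY[type].render(props);
}
```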

The credential harvesting payloads are sophisticated — they mimic legitimate form submissions, capture keystrokes, and harvest tokens from browser storage without triggering security warnings. Some variants also install persistent backdoors to maintain access after the initial compromise.


## Implications for Organizations


The scale and sophistication of this campaign signal a mature threat actor with the resources to rapidly identify vulnerable applications and deploy automation. Organizations running vulnerable Next.js applications face several critical risks:


Immediate risks:


  • Credential compromise: Stolen credentials provide direct access to user accounts and downstream systems
  • Lateral movement: Stolen API keys and internal tokens enable attackers to compromise connected services
  • Data exfiltration: Compromised credentials provide stepping stones to sensitive databases and file storage
  • Compliance violations: Credential theft in regulated industries (finance, healthcare) triggers mandatory breach notification requirements
  • Reputational damage: User trust erodes when credentials harvested from a legitimate site are subsequently misused

Secondary impact:


Organizations that unknowingly served compromised applications for extended periods face forensic challenges — determining exactly how many users were affected, what data was exposed, and when compromise occurred becomes significantly harder after weeks of undetected exploitation.


## Recommendations


Organizations should immediately take the following actions:


Urgent (within 24 hours):


  • Inventory vulnerable applications: Identify all Next.js applications in your environment and determine which use React2Shell
  • Upgrade React2Shell: Update to version 2.8.4 or later across all affected applications
  • Deploy patches: Rebuild and redeploy applications with patched dependencies
  • Monitor for indicators: Enable logging to detect any /api/render or component serialization requests with suspicious patterns

Short-term (within 1 week):


  • Credential rotation: Force password resets for users of affected applications; rotate API keys, tokens, and secrets
  • Access logs review: Examine server logs during the vulnerability exposure window for evidence of exploitation attempts
  • Web Application Firewall (WAF) rules: Deploy rules blocking malicious React2Shell deserialization payloads
  • User notification: Inform affected users that their credentials may have been compromised and outline remediation steps
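The two log-related recommendations above (monitoring the rendering endpoints, and reviewing access logs for the exposure window) can be started with a small triage script. The following is an added example, not tooling from the article: it reads access-log lines and picks out clients that repeatedly draw server errors from /api/render or /api/components, which is the footprint the automated probing for characteristic error responses would leave. The log lines are constructed, and the log format and thresholds are assumptions.

```javascript
// Added example (not from the article): a triage heuristic over constructed
// access-log lines. It picks out clients that hit the component-rendering
// endpoints named above and repeatedly draw server errors, the footprint the
// automated probing would leave. Log format and thresholds are assumptions.
const RENDER_ENDPOINTS = ["/api/render", "/api/components"];

// Combined-log-style lines, constructed for this example (not real traffic).
const SAMPLE_LOG = `
203.0.113.7 - - [02/Jan/2026:10:00:01 +0000] "POST /api/render HTTP/1.1" 500 812
203.0.113.7 - - [02/Jan/2026:10:00:02 +0000] "POST /api/render HTTP/1.1" 500 812
203.0.113.7 - - [02/Jan/2026:10:00:02 +0000] "POST /api/components HTTP/1.1" 500 790
203.0.113.7 - - [02/Jan/2026:10:00:03 +0000] "POST /api/render?x=1 HTTP/1.1" 200 20488
198.51.100.4 - - [02/Jan/2026:10:00:05 +0000] "GET /products/42 HTTP/1.1" 200 5120
198.51.100.4 - - [02/Jan/2026:10:00:06 +0000] "POST /api/render HTTP/1.1" 200 2048
`;

const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)$/;

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  return { ip: m[1], ts: m[2], method: m[3], path: m[4].split("?")[0], status: Number(m[5]) };
}

// Per-client counts of requests and 5xx responses on the rendering endpoints.
function summarizeRenderTraffic(logText) {
  const clients = new Map();
  for (const raw of logText.split("\n")) {
    const e = parseLine(raw);
    if (!e || !RENDER_ENDPOINTS.includes(e.path)) continue;
    const c = clients.get(e.ip) ?? { requests: 0, serverErrors: 0 };
    c.requests += 1;
    if (e.status >= 500) c.serverErrors += 1;
    clients.set(e.ip, c);
  }
  return clients;
}

// A client with at least `minErrors` 5xx responses, making up half or more of
// its calls to these endpoints, is worth a closer look at its request bodies.
function flagProbingClients(logText, minErrors = 2) {
  const flagged = [];
  for (const [ip, c] of summarizeRenderTraffic(logText)) {
    if (c.serverErrors >= minErrors && c.serverErrors * 2 >= c.requests) flagged.push(ip);
  }
  return flagged.sort();
}
```

A request that actually succeeds in exploiting the flaw returns normally, so this catches the probing phase rather than the exploit itself; pair it with inspection of the request bodies the flagged clients sent.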

Long-term:


  • Code review: Audit code that uses deserialization, ensuring all user input is validated before processing
  • Security testing: Implement automated dependency scanning to catch future vulnerable library versions pre-deployment
  • Zero-trust architecture: Implement credential isolation so compromised tokens provide limited lateral access
  • Monitoring: Deploy behavioral analytics to detect unusual token usage patterns indicative of credential misuse

Organizations without security teams should engage external incident response firms to help assess exposure and coordinate remediation efforts. The active exploitation makes delay particularly dangerous — every hour increases the likelihood of undetected compromise.