Critical React2Shell Exploit (CVE-2025-55182) Drives Large-Scale Attack Campaign
A newly disclosed critical vulnerability, React2Shell (CVE-2025-55182), enables pre-authentication remote code execution (RCE) in React Server Components, affecting multiple versions within the React 19 ecosystem. The flaw stems from improper parsing of server-side component payloads, allowing attackers to exploit it via crafted network requests.
The WXA Internet Abuse Signal Collective (WXA IASC) has launched To Cache A Predator, a threat research series tracking attacker infrastructure and tactics tied to the exploit. Initial findings reveal rapid weaponization following the vulnerability’s public disclosure in early December 2025, with persistent scanning targeting Next.js paths, particularly /_next/server and /_next/static/*.
Early Exploitation & Attack Infrastructure
WXA IASC’s Niihama honeypots detected exploitation attempts within 20 hours of disclosure, capturing exploit mechanics and attacker behavior. Scanning activity persisted through early February 2026, with two Netherlands-hosted IPs, 193.142.147[.]209 and 87.121.84[.]24, accounting for 56% of observed React2Shell traffic between January 26 and February 2, 2026. GreyNoise data corroborated this, recording 1.4 million exploitation attempts during that period, with the two IPs responsible for 799,826 sessions (56%).
The ILOVEPOOP Toolkit
WXA IASC attributes much of the high-fidelity exploitation to a novel toolkit dubbed "ILOVEPOOP", operated by a single threat actor across nine scanner nodes. The toolkit is identifiable by a set of distinct request headers and behaviours:
- Next-Action: x
- X-Nextjs-Request-Id: poop1234
- X-Nextjs-Html-Request-Id: ilovepoop_*
- A repeatable six-path Next.js sweep and a shared User-Agent rotation.
Niihama also observed follow-on attacks (SMB, RDP, SSH, HTTP, and credential abuse) from IPs linked to the same infrastructure, suggesting reconnaissance rather than confirmed breaches.
Defensive Measures
Organizations are advised to patch affected React/Next.js deployments and monitor logs for suspicious patterns, including Server Actions–like POST requests and the ILOVEPOOP canary headers. Defenders should prioritize exposure reduction and least-privilege access for internet-facing systems.
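As an added example (not code from the article, WXA IASC or GreyNoise), a small Python triage script that applies the log-monitoring advice above to request records: it flags the ILOVEPOOP canary headers, Server Actions-like POSTs to Next.js paths, and sources that sweep several /_next paths. The record shape, the documentation-range IPs in the sample and the sweep threshold are assumptions.

```python
import re

# Indicators quoted in the article: the ILOVEPOOP canary headers and the
# Next.js paths scanners target. This only inspects request records a
# defender already holds (WAF/proxy logs); it sends nothing.
CANARY_REQUEST_ID = "poop1234"
CANARY_HTML_ID = re.compile(r"^ilovepoop_", re.IGNORECASE)
NEXT_PATH = re.compile(r"^/_next/(server|static/)")

def triage(req):
    """Reasons one request record looks like React2Shell activity.
    `req` is assumed to be a dict with keys src, method, path, headers."""
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    reasons = []
    if headers.get("x-nextjs-request-id") == CANARY_REQUEST_ID:
        reasons.append("ILOVEPOOP canary: X-Nextjs-Request-Id")
    if CANARY_HTML_ID.match(headers.get("x-nextjs-html-request-id", "")):
        reasons.append("ILOVEPOOP canary: X-Nextjs-Html-Request-Id")
    # A Server Action is invoked as a POST carrying a Next-Action header, so a
    # POST with that header to a Next.js internal path is the pattern to review.
    if (req.get("method") == "POST" and "next-action" in headers
            and NEXT_PATH.match(req.get("path", ""))):
        reasons.append("Server Actions-like POST to Next.js path")
    return reasons

def sweep_sources(reqs, min_paths=3):
    """Sources that hit at least `min_paths` distinct Next.js paths. The article
    reports a six-path sweep without naming the paths, so the threshold is a
    tunable assumption, not the toolkit's exact set."""
    seen = {}
    for r in reqs:
        if NEXT_PATH.match(r.get("path", "")):
            seen.setdefault(r["src"], set()).add(r["path"])
    return sorted(ip for ip, paths in seen.items() if len(paths) >= min_paths)

# Constructed sample records (RFC 5737 documentation addresses, not real traffic).
SAMPLE_REQUESTS = [
    {"src": "203.0.113.7", "method": "POST", "path": "/_next/server",
     "headers": {"Next-Action": "x", "X-Nextjs-Request-Id": "poop1234",
                 "X-Nextjs-Html-Request-Id": "ilovepoop_f00d"}},
    {"src": "203.0.113.7", "method": "GET", "path": "/_next/static/chunks/a.js", "headers": {}},
    {"src": "203.0.113.7", "method": "GET", "path": "/_next/static/css/b.css", "headers": {}},
    {"src": "198.51.100.2", "method": "GET", "path": "/_next/static/chunks/a.js", "headers": {}},
]
if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        if triage(r):
            print(r["src"], r["path"], triage(r))
    print("sweep sources:", sweep_sources(SAMPLE_REQUESTS))
```

Feed it parsed WAF or reverse-proxy records and review the flagged sources alongside the patch status of the affected deployments.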
Source: https://gbhackers.com/react2shell-vulnerability-exploited/
React TPRM report: https://www.rankiteo.com/company/react
Next.js TPRM report: https://www.rankiteo.com/company/nextjs
{
  "id": "nexrea1770731681",
  "linkid": "nextjs, react",
  "type": "Vulnerability",
  "date": "12/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [{"type": "Organizations using React 19/Next.js"}],
  "attack_vector": "Crafted network requests exploiting improper parsing of server-side component payloads",
  "date_detected": "2026-01-26",
  "date_publicly_disclosed": "2025-12-01",
  "description": "A newly disclosed critical vulnerability, React2Shell (CVE-2025-55182), enables pre-authentication remote code execution (RCE) in React Server Components, affecting multiple versions within the React 19 ecosystem. The flaw stems from improper parsing of server-side component payloads, allowing attackers to exploit it via crafted network requests. The WXA Internet Abuse Signal Collective (WXA IASC) has launched *To Cache A Predator*, a threat research series tracking attacker infrastructure and tactics tied to the exploit. Initial findings reveal rapid weaponization following the vulnerability’s public disclosure in early December 2025, with persistent scanning targeting Next.js paths, particularly `/_next/server` and `/_next/static/*`.",
  "impact": {"systems_affected": "React 19 ecosystem, Next.js deployments"},
  "initial_access_broker": {
    "entry_point": "React2Shell (CVE-2025-55182) via Next.js paths (`/_next/server`, `/_next/static/*`)",
    "reconnaissance_period": "2025-12-01 to 2026-02-02"
  },
  "investigation_status": "Ongoing",
  "motivation": "Reconnaissance, potential follow-on attacks (SMB, RDP, SSH, HTTP, credential abuse)",
  "post_incident_analysis": {
    "corrective_actions": "Patch management, exposure reduction, least-privilege access enforcement",
    "root_causes": "Improper parsing of server-side component payloads in React Server Components"
  },
  "recommendations": "Patch affected React/Next.js deployments, monitor logs for suspicious patterns (e.g., Server Actions–like POST requests, ILOVEPOOP canary headers), reduce exposure, and enforce least-privilege access for internet-facing systems.",
  "references": [
    {"source": "WXA Internet Abuse Signal Collective (WXA IASC)"},
    {"source": "GreyNoise"}
  ],
  "response": {
    "containment_measures": "Patch affected React/Next.js deployments, monitor logs for suspicious patterns",
    "enhanced_monitoring": "Monitor for Server Actions–like POST requests and ILOVEPOOP canary headers",
    "remediation_measures": "Exposure reduction, least-privilege access for internet-facing systems",
    "third_party_assistance": "WXA Internet Abuse Signal Collective (WXA IASC)"
  },
  "threat_actor": "ILOVEPOOP Toolkit Operator",
  "title": "Critical React2Shell Exploit (CVE-2025-55182) Drives Large-Scale Attack Campaign",
  "type": "Remote Code Execution (RCE)",
  "vulnerability_exploited": "React2Shell (CVE-2025-55182)"
}