766 Next.js Servers Just Got Robbed Blind by React2Shell — Here Is the Five-Step Scan I Ran Before My Coffee Got Cold

By Alex Chen · April 3, 2026 · 6 min read · 6 views

What Is CVE-2025-55182 and Why Should Every Next.js Developer Panic a Little?

CVE-2025-55182 — dubbed "React2Shell" by Cisco Talos — is a server-side vulnerability in Next.js that lets attackers execute arbitrary code on your hosting environment and steal every credential your application touches. At least 766 hosts across multiple cloud providers have already been compromised as of April 2, 2026.

I found out about this one at 6:47 AM on a Wednesday, doom-scrolling through security advisories while my coffee machine gurgled at me like it was judging my life choices. And honestly? This one scared me more than most. Not because the exploit itself is particularly creative — it's actually depressingly straightforward — but because the blast radius is enormous. We're talking database credentials, SSH private keys, AWS secrets, Stripe API keys, GitHub tokens. Everything. Gone. In one shot.

My friend Kenji, who runs a mid-sized e-commerce platform on Next.js with about 340,000 monthly users, pinged me on Signal forty minutes after the Cisco Talos report dropped. "Are we screwed?" Three words. I respect the brevity.

How Does the React2Shell Attack Chain Actually Work?

The attack exploits a flaw in how Next.js handles server-side rendering of React components. UAT-10608, the threat cluster Cisco Talos attributed the operation to, uses automated scripts that chain three steps: initial exploitation of the SSR vulnerability, lateral movement through environment variables and config files, and exfiltration to a C2 server running a web GUI called "NEXUS Listener."

Here's the part that made my stomach drop. The attackers don't just grab your .env file and bounce. They harvest shell command history. Think about that for a second. Every mysql -u root -p'my_actual_password' you ever typed in the terminal? Every export AWS_SECRET_ACCESS_KEY=...? Every lazy SSH command with a hardcoded password? All of it. Shipped to a dashboard where someone is sipping tea and browsing your secrets like it's Netflix.

Asheer Malhotra and Brandon White from Cisco Talos described the operation as unusually systematic. This isn't some script kiddie throwing spaghetti. UAT-10608 has built actual infrastructure — a GUI for viewing stolen credentials, automated extraction pipelines, multi-region targeting. These people treat credential theft like a SaaS business.

Which Next.js Versions Are Actually Vulnerable?

This is where I need to be careful because I've seen three different version ranges floating around social media, and two of them are wrong. Based on the Cisco Talos report and the Next.js security advisory published on March 31, 2026, the affected versions are:

Next.js 14.0.0 through 14.2.24
Next.js 15.0.0 through 15.1.6
Any custom SSR middleware that directly passes unsanitized user input to renderToString or renderToPipeableStream

If you're still on Next.js 13 or earlier — congratulations, your procrastination accidentally saved you. (Don't get comfortable, though. You've got 47 other unpatched vulnerabilities to worry about.)

The Five-Step Scan I Ran on Every Server I Manage

When I got Kenji's message, I didn't write back for two hours. I was too busy running through my own infrastructure. Here's exactly what I did, in order, and I'd suggest you do the same before you finish reading this article.

Step 1: Check your Next.js version immediately

Open your terminal. Run npx next --version or check your package-lock.json. If you're in the affected range, stop reading and update first. I'll wait. Seriously.

Step 2: Audit your environment variables

List every secret in your .env, .env.local, .env.production. Then check if any of those same values appear in your shell history (cat ~/.bash_history or cat ~/.zsh_history). If they do, rotate them. All of them. Not tomorrow — now. I found three database passwords in my own bash history that I'd typed manually during a debugging session at 2 AM last September. Embarrassing? Yes. Am I alone? Absolutely not.

Step 3: Check for unexpected outbound connections

Run ss -tunap | grep ESTABLISHED on your server and look for connections to IP ranges you don't recognize. UAT-10608's C2 infrastructure has been observed using servers in Southeast Asia and Eastern Europe, but they rotate frequently. The pattern to watch for is persistent HTTPS connections to hosts your application has no business talking to.

Step 4: Review your access logs for SSR anomalies

Look for POST requests to your SSR-rendered pages with unusually large payloads. The React2Shell exploit requires injecting code into the component render pipeline, which typically manifests as oversized request bodies (often 8KB-50KB for what should be a simple page load). In Kenji's case, we found 14 suspicious requests from three IP addresses — all within a 90-minute window on March 28.

Step 5: Scan your GitHub tokens and AWS keys

Use trufflehog or GitGuardian to scan your repositories for leaked secrets. Then check your AWS CloudTrail logs for any API calls you don't recognize. Same for Stripe — their dashboard shows a chronological log of every API request. Took me 25 minutes per service. Worth every second.

Why Your WAF Probably Didn't Catch This

I asked Maria Torres, a DevSecOps engineer at a Fortune 500 company I've consulted for (she asked me not to name them, and honestly I don't blame her), why their Cloudflare WAF didn't flag the exploit attempts. Her answer was painfully honest: "The payload looks like legitimate React component data. Our rules were tuned for SQL injection and XSS. Nobody writes WAF rules for JSX injection because until last week, JSX injection wasn't a thing anyone seriously worried about."

She's right. And that's the scariest part. Traditional web application firewalls are pattern-matching machines. They look for SELECT * FROM and <script> tags. They don't parse React component trees to determine whether a server-side render is being poisoned. The attack surface here is conceptually new, even if the underlying technique (code injection via unsanitized input) is ancient.

The Patch, the Workaround, and the Hard Truth

Next.js has released patched versions: 14.2.25 and 15.1.7. Update immediately. If you can't update right now — maybe you've got a deploy freeze, or your test suite takes four hours, or Mercury is in retrograde — implement this emergency mitigation:

Add input validation middleware that rejects any request body containing JSX-like syntax (< followed by uppercase characters) to your SSR routes
Strip or encode all user-supplied props before they reach renderToString
Implement Content Security Policy headers with script-src 'self' (this won't stop the exploit, but it limits post-exploitation damage)

The hard truth? If you were running a vulnerable version between March 15 and April 2, there's a non-trivial chance your credentials have already been harvested. The Cisco report indicates UAT-10608 was exploiting this vulnerability "in the wild" for at least two weeks before public disclosure. Two weeks is an eternity in credential theft. Rotate everything anyway. Just... do it.

What I Changed After This Whole Mess

I'm embarrassed to admit how many of my own practices were inadequate before this. Here's what I've changed since Wednesday:

Every .env secret now lives in HashiCorp Vault, not flat files on the server. Migration took about 3 hours per project.
Shell history is now wiped on every SSH session exit (unset HISTFILE in .bash_logout). Inelegant? Sure. But my bash history was a treasure map and I was leaving it on the front porch.
Dependabot alerts are no longer "I'll look at those on Monday" items. They go into a Slack channel with a 4-hour SLA. My team hates me. I don't care.
Every Next.js project now runs the same security checklist I wrote about last month for general web app hardening.

Kenji's platform was not compromised, by the way. He'd updated to 15.1.5 three weeks earlier for an unrelated bug fix, which happened to include partial mitigations. Lucky. Sometimes the lazy upgrade path saves you.

But next time? Luck isn't a security strategy. Neither is "we'll patch it after the sprint."

Disclaimer: This article reflects my personal experience and is based on publicly available information from Cisco Talos and the Next.js security advisory. For official guidance, consult the Next.js security blog and your organization's incident response team. If you believe you've been compromised, contact a qualified incident response firm immediately.

Found this helpful?

Subscribe to our newsletter for more in-depth reviews and comparisons delivered to your inbox.

A Poisoned Python Package Just Exposed Thousands of Companies — Here Is How to Audit Every Open Source Dependency Before It Steals Your Cloud Keys

Apr 2, 2026 8 min read

TeamPCP Hid Credential-Stealing Malware Inside a WAV File on PyPI — Here Is How to Audit Every Python Package You Install Before It Steals Your Cloud Keys

Mar 29, 2026 6 min read

That Thirty Dollar KVM on Your Desk Just Gave Hackers Physical Access to Every Machine in Your Office — Nine Flaws Exposed Across Four Vendors

Mar 19, 2026 8 min read