CVE-2025-55182

Cisco Talos has uncovered a large-scale credential harvesting campaign by threat actor UAT-10608 exploiting CVE-2025-55182 — the CVSS 10.0 React2Shell vulnerability in React Server Components and Next.js. 766 hosts compromised. Database credentials, SSH private keys, AWS secrets, GitHub tokens, and Stripe API keys stolen at scale using the NEXUS Listener framework.

Severity

critical

CVSS Score

10 / 10

Exploitation

Actively exploited

Published

Apr 3, 2026

Affected Products

›react-server package versions 19.0, 19.1.0, 19.1.1, 19.2.0
›Next.js — all versions using affected React Server Components
›React Router, Waku, RedwoodSDK, Parcel, and Vite RSC plugins
›Any framework bundling the react-server implementation

Full Analysis

CVE-2025-55182 React2Shell Actively Exploited: UAT-10608 Breaches 766 Next.js Hosts and Steals AWS Keys, SSH Keys, Stripe Tokens

Deep-dive: technical breakdown, real-world impact, complete remediation steps, and expert context.

Read the full report →

← All threat reports All articles