Cisco Talos has published findings on a large-scale automated credential harvesting campaign actively exploiting CVE-2025-55182 — the maximum-severity CVSS 10.0 React2Shell vulnerability in React Server Components and Next.js — to systematically breach web application hosts and steal credentials at scale. The threat actor, tracked as UAT-10608, has compromised at least 766 hosts across multiple geographic regions and cloud providers using an automated exploitation and collection framework called NEXUS Listener. The stolen data includes database credentials, SSH private keys, AWS secrets, shell command history, Stripe API keys, and GitHub tokens — all exfiltrated to a command-and-control server and displayed through a polished web GUI that gives the attacker statistical insights into their harvested credentials and compromised host count. This is a critical cybersecurity incident for any organisation running Next.js or React Server Components on public-facing infrastructure that has not patched since December 2025.
Affected products
- react-server package versions 19.0, 19.1.0, 19.1.1, 19.2.0
- Next.js — all versions using affected React Server Components
- React Router, Waku, RedwoodSDK, Parcel, and Vite RSC plugins
- Any framework bundling the react-server implementation
How to Fix
Step-by-step remediation
The patch for CVE-2025-55182 has been available since December 2025 — organisations still running unpatched versions in April 2026 are confirmed attack targets.
- Upgrade your React and Next.js dependencies immediately: run npm update react react-dom and follow the specific version guidance in the official Next.js security advisory.
- Run npm audit to confirm that all vulnerable packages have been addressed.
- After patching, investigate immediately for compromise indicators: search for processes running from /tmp/ with randomised dot-prefixed names, review outbound network connections from your application containers for connections to unexpected external hosts, and inspect your application's rendered HTML for server-side secrets appearing in __NEXT_DATA__.
- If you find any compromise indicator, assume all credentials on the server are stolen and rotate them immediately: database passwords, SSH keys, AWS credentials, GitHub tokens, Stripe keys, and any other secrets held in environment variables.
- Block the known UAT-10608 C2 IP addresses at your perimeter firewall.
- Protect React Server Component endpoints with WAF rules, using the available Snort rule and vendor-specific signatures.
What happened
CVE-2025-55182, broadly referred to as React2Shell, is a pre-authentication remote code execution vulnerability in React Server Components with a CVSS score of 10.0 — the maximum possible. The root cause is insecure deserialization in the RSC Flight protocol. React Server Components expose Server Function endpoints that accept serialised data from clients. The affected code deserialises payloads from inbound HTTP requests without adequate validation or sanitisation. An attacker identifies a publicly accessible application using a vulnerable version of React Server Components or a framework built on top of it — most commonly Next.js — and crafts a malicious serialised payload designed to abuse the deserialisation routine. The payload is sent via a single HTTP POST request to a Server Function endpoint. Because the server processes this payload under an implicit trust model designed for legitimate RSC communication, the attacker-controlled data influences server-side execution logic — resulting in arbitrary privileged JavaScript code execution under the Node.js runtime. No authentication is required. No user interaction is required. Attack complexity is low. Testing by security researchers indicates the exploit has near-100% reliability against default configurations. This is the definition of a maximum-severity information security threat.
🛡️ Prevention Tips
CVE-2025-55182 has been publicly known since December 3, 2025. Every organisation running Next.js on public-facing infrastructure has had four months to patch. The 766 hosts confirmed compromised by UAT-10608 — and the much larger number compromised by all threat actors combined — represent organisations that did not patch a maximum-severity, actively exploited, unauthenticated RCE in one of the most widely used web frameworks in the world. The computer security lesson is unambiguous: CVSS 10.0 vulnerabilities with confirmed public exploits must be treated as emergency patches applied within 24 to 48 hours of disclosure, not scheduled into the next sprint cycle. For organisations using modern JavaScript frameworks, dependency update cadence must be treated as a security control, not a development convenience. Automated dependency update tools like Dependabot and Renovate Bot should be configured to open pull requests automatically for critical security updates, and those PRs should have a mandatory fast-track review process. Internet security hygiene also demands egress filtering on application containers: even if an attacker achieves RCE, outbound egress blocks prevent credential exfiltration to the C2 server.
FAQs
How do I know if my Next.js application is vulnerable?
Check your package.json and package-lock.json for the react-server package version. If you are running versions 19.0, 19.1.0, 19.1.1, or 19.2.0 of react-server and have not applied the security patches from December 2025, your application is vulnerable. Run npm list react-server to check your installed version. Also run npm audit, which will flag the vulnerability if you are on an affected version.
My Next.js app is not publicly accessible — am I still at risk?
If your application is only accessible on an internal network and not reachable from the internet, your exposure is significantly reduced but not zero — lateral movement from a compromised internal host could still reach your application. If your application is publicly accessible, patch immediately.
The vulnerability was disclosed in December 2025 — why are hosts still being compromised in April 2026?
Patch adoption for third-party dependencies in JavaScript ecosystems is historically slow. Many production applications run on fixed dependency versions that are updated infrequently. CI/CD pipelines may be configured to use locked versions. Development teams may have deprioritised the update if they were unaware of active exploitation. UAT-10608's automated scanning finds these unpatched deployments and compromises them within hours.
Last updated: April 3, 2026