React2Shell exploitation steals cloud and database secrets from Next.js
TL;DR — Attackers are mass-exploiting React2Shell in exposed Next.js services to harvest secrets (cloud credentials, database creds, SSH keys) automatically, turning unpatched web apps into credential mines.
What happened
Next.js is a widely used React-based web framework that many teams deploy as internet-facing application frontends and API backends. A new report describes a large-scale credential theft campaign exploiting React2Shell (CVE-2025-55182) to compromise vulnerable Next.js applications and then run automated collection of secrets from the host.
Per the report, 700+ internet-facing hosts were compromised, and the post-exploitation phase focuses on pulling cloud and database secrets and other sensitive material from local files and runtime environments, enabling follow-on access that outlives the initial RCE.
This is operationally significant because it’s not “just” RCE: it’s RCE + automated secrets harvesting, which often turns a single vulnerable service into broader cloud compromise (lateral movement via recovered IAM keys, database credentials, and SSH material).
Who is impacted
- Internet-exposed applications built with Next.js / React Server Components that remain vulnerable to CVE-2025-55182 (React2Shell).
- Environments where application hosts have access to high-value secrets via:
  - environment variables (CI/CD-injected tokens, API keys)
  - local config files
  - cloud instance metadata / workload identity materials
| Item | Detail (per the report) |
|---|---|
| Attack theme | Automated credential theft after initial compromise |
| Exploited vuln | CVE-2025-55182 (React2Shell) |
| Observed scale | 700+ compromised hosts (reported) |
| Likely blast radius | Cloud accounts, databases, downstream services reachable using stolen secrets |
What to do now
- Follow vendor remediation guidance for CVE-2025-55182 (React2Shell) and ensure all internet-facing Next.js/React Server Components deployments are running a patched build.
- Inventory and triage exposure:
  - Identify internet-reachable Next.js services and confirm they are not vulnerable, checking the deployed package versions against the vendor advisory rather than assuming a recent framework release is enough.
  - Prioritize externally accessible workloads and multi-tenant hosts first.
- Assume secrets exposure if exploitation is suspected:
  - Rotate cloud access keys, database credentials, and any application tokens reachable from the compromised runtime, including credentials the host obtains through instance metadata or workload identity (revoke the role's active sessions, not just static keys). Patching alone does not invalidate credentials that were already copied.
  - Review IAM and database audit logs for activity consistent with key theft and reuse: the host's credentials used from unfamiliar source addresses, new keys or users created, or enumeration calls the application never makes.
- Add detection for post-exploitation collection behavior:
  - Monitor for the application's server process (typically Node.js) reading paths it has no business touching after startup (for example ~/.aws/credentials, ~/.ssh keys, or cloud credential files), spawning shells or download tools, and making outbound connections to hosts outside its normal dependencies.
  - Review web logs for exploitation attempts and suspicious request patterns targeting React Server Components/Next.js endpoints, and correlate any hits with the host-level signals above.
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
