CVE-2025-55182: Next.js React2Shell Exploited to Steal Cloud Secrets
- [01] Threat actors are harvesting high-value cloud credentials and private keys from over 700 compromised environments.
- [02] Web applications running Next.js versions susceptible to the React2Shell vulnerability are being targeted.
- [03] Organizations must immediately update Next.js instances and rotate all potentially exposed API keys and secrets.
A large-scale credential harvesting operation has surfaced, targeting organizations that run the Next.js framework. According to The Hacker News, a threat cluster identified by Cisco Talos is actively exploiting a vulnerability tracked as CVE-2025-55182, colloquially known as React2Shell. The campaign has breached at least 766 Next.js hosts, focusing primarily on the exfiltration of sensitive secrets and administrative access keys.
Technical Analysis of React2Shell
React2Shell is a remote code execution (RCE) flaw in the Next.js ecosystem. The vulnerability lies in how the framework handles certain server-side rendering (SSR) requests, allowing an attacker to execute arbitrary commands on the underlying host. Once initial access is gained, the observed TTPs involve the immediate deployment of scripts that scan for and extract environment variables and configuration files.
Security researchers have noted that the attackers specifically target .env files, which often contain plaintext credentials for production databases and third-party services. By exploiting this vulnerability, the threat cluster bypasses traditional perimeter controls and gains a foothold in cloud-native environments. This is not a localized threat but a broad campaign aimed at any publicly accessible Next.js instance that has not been patched against this zero-day exploit.
Credential Harvesting and Post-Exploitation
The scale of the theft is extensive. Evidence gathered from compromised hosts indicates the systematic exfiltration of:
- Amazon Web Services (AWS) access keys and secrets
- SSH private keys from user directories
- Stripe API keys and GitHub personal access tokens
- Database connection strings and administrative credentials
- Shell command history files (.bash_history, .zsh_history)
This data allows the attackers to move laterally across the victim's infrastructure. With SSH keys and AWS secrets in hand, the threat cluster can pivot from the web application layer to core infrastructure, potentially leading to full account takeover or ransomware deployment. In MITRE ATT&CK terms this behaviour falls under the Credential Access tactic (TA0006), specifically Unsecured Credentials (T1552) and its sub-techniques Credentials In Files (T1552.001), Bash History (T1552.003) and Private Keys (T1552.004); subsequent use of the stolen keys maps to Valid Accounts: Cloud Accounts (T1078.004).
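The list above doubles as a rotation checklist: whatever an attacker could read from the host, a responder must find and rotate. The script below, an added example that is not code from the page, from Cisco Talos or from the Next.js project, inventories the same classes of secret in constructed sample files (an .env file, a .bash_history and an SSH key; the AWS values are AWS's documentation example keys, the Stripe and GitHub values are padded placeholders) and emits a per-kind rotation worklist with redacted values. The file paths, the token length assumptions in the regexes and the rotation actions are the author's assumptions, not Talos findings.

```python
import re

# Constructed sample artefacts of the kind the campaign collects from a Next.js
# host. All values are fake: AWS documentation example keys and padded
# placeholders. Paths are hypothetical.
SAMPLE_FILES = {
    "/srv/app/.env": "\n".join([
        "DATABASE_URL=postgres://app:s3cr3tpass@db.internal:5432/prod",
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "STRIPE_SECRET_KEY=sk_live_" + "X" * 24,
        "GITHUB_TOKEN=ghp_" + "E" * 36,
        "NEXT_PUBLIC_SITE_NAME=Example Shop",
    ]),
    "/home/deploy/.bash_history": "\n".join([
        "mysql -u root -pRootPw123 prod",
        "export GITHUB_TOKEN=ghp_" + "F" * 36,
        "ls -la",
    ]),
    "/home/deploy/.ssh/id_ed25519": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA...\n-----END OPENSSH PRIVATE KEY-----\n"
    ),
}

# (kind, regex). AWS key IDs, GitHub classic tokens and Stripe keys are matched
# on their documented prefixes; the exact length bounds are assumptions. A
# capture group, where present, isolates the secret part of a longer match.
SECRET_PATTERNS = [
    ("aws_access_key_id", r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    ("aws_secret_access_key", r"AWS_SECRET_ACCESS_KEY\s*=\s*(\S+)"),
    ("github_token", r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b|\bgithub_pat_[A-Za-z0-9_]{22,}\b"),
    ("stripe_key", r"\b(?:sk|rk)_(?:live|test)_[A-Za-z0-9]{24,}\b"),
    ("private_key", r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    ("db_connection_string", r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^:\s]+:([^@\s]+)@\S+"),
    ("cli_password_in_history", r"\bmysql\b[^\n]*\s-p(?=\S)(\S+)"),
]

ROTATION_ACTION = {
    "aws_access_key_id": "deactivate the IAM access key, issue a new one, then delete the old key",
    "aws_secret_access_key": "rotated together with its access key ID",
    "github_token": "revoke the token in GitHub settings and audit its recent activity",
    "stripe_key": "roll the key in the Stripe dashboard and review recent API log entries",
    "private_key": "remove the matching public key from every authorized_keys file and reissue",
    "db_connection_string": "reset the database password and update the application secret",
    "cli_password_in_history": "reset the password; treat every host in the history as reachable",
}


def redact(value):
    """Keep just enough of a value to identify it in a vendor console."""
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "***"


def find_secrets(text):
    """Return (kind, secret) pairs for every pattern match in a file's content."""
    found = []
    for kind, pattern in SECRET_PATTERNS:
        for m in re.finditer(pattern, text):
            found.append((kind, m.group(1) if m.lastindex else m.group(0)))
    return found


def rotation_worklist(files):
    """Map each kind of exposed secret to where it was found and what to rotate."""
    worklist = {}
    for path, content in files.items():
        for kind, value in find_secrets(content):
            entry = worklist.setdefault(kind, {"action": ROTATION_ACTION[kind], "items": []})
            entry["items"].append({"file": path, "value": redact(value)})
    return worklist


if __name__ == "__main__":
    for kind, entry in rotation_worklist(SAMPLE_FILES).items():
        print(f"{kind}: {entry['action']}")
        for item in entry["items"]:
            print(f"    {item['file']}: {item['value']}")
```

Run against a real host by reading the application's .env files, every user's shell history and ~/.ssh directory into the `files` mapping; the worklist is the set of credentials that must be treated as compromised regardless of whether exfiltration was observed, since the attacker's scripts read the same files.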
React2Shell Next.js Vulnerability Mitigation and Impact
For organizations running affected versions, immediate remediation is required. The first step is to apply the patches released by the Next.js maintainers to close the RCE vector. Patching does not, however, remove the risk from credentials stolen before the patch was applied. If a host was compromised before patching, indicators of compromise (IoCs) may include unusual outbound traffic to unknown command-and-control (C2) servers or the presence of unauthorized cron jobs.
To detect exploitation of CVE-2025-55182, security teams should audit web server logs for unusual POST requests targeting SSR endpoints. Every secret stored on an affected host must also be rotated: reset database passwords, regenerate AWS IAM access keys, and revoke any GitHub tokens or Stripe keys that were accessible to the application environment. Monitoring cloud provider audit logs for unauthorized API calls can reveal whether stolen credentials are already being used by the threat cluster.
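The two detection steps above, as an added example that is not code from the page, from Cisco Talos or from the Next.js project. The first part parses constructed nginx combined-format log lines for a hypothetical Next.js app whose page routes are only ever fetched with GET and whose single legitimate POST route is /api/contact (an assumption; substitute the real app's POST routes), and groups POSTs to any other route by source address. The second part scans constructed CloudTrail-style records for use of an access key known to have lived on the host (AKIAIOSFODNN7EXAMPLE is AWS's documentation example key) from an address other than the host's assumed egress IP, then correlates the two. All IPs are from the RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict

# --- 1. Web access log triage -------------------------------------------------
# Constructed nginx combined-format lines for a hypothetical Next.js app.
ACCESS_LOG = """\
203.0.113.10 - - [08/Dec/2025:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [08/Dec/2025:10:01:05 +0000] "POST /api/contact HTTP/1.1" 200 45 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Dec/2025:10:02:11 +0000] "POST / HTTP/1.1" 500 0 "-" "python-requests/2.32"
198.51.100.7 - - [08/Dec/2025:10:02:12 +0000] "POST /pricing HTTP/1.1" 500 0 "-" "python-requests/2.32"
198.51.100.7 - - [08/Dec/2025:10:02:13 +0000] "POST /blog HTTP/1.1" 200 812 "-" "python-requests/2.32"
203.0.113.55 - - [08/Dec/2025:10:05:40 +0000] "GET /_next/static/chunks/main.js HTTP/1.1" 200 90211 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Routes of the hypothetical app that legitimately accept POST (assumption).
POST_ALLOWLIST = {"/api/contact"}


def triage_access_log(log_text, post_allowlist=POST_ALLOWLIST):
    """Group POSTs to non-allowlisted routes by source IP.

    A POST to a page route that is normally only rendered on GET is the
    'unusual POST targeting an SSR endpoint' the advice above asks teams to find.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        route = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and route not in post_allowlist:
            by_ip[m["ip"]].append(
                {"time": m["ts"], "path": m["path"], "status": int(m["status"]), "ua": m["ua"]}
            )
    return dict(by_ip)


# --- 2. Use of keys that lived on the compromised host ------------------------
# Constructed CloudTrail-style records. 203.0.113.200 is assumed to be the
# application host's own egress address.
CLOUDTRAIL_EVENTS = [
    {"eventTime": "2025-12-08T09:30:00Z", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.200", "userAgent": "aws-sdk-js/3.600.0",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2025-12-08T10:09:00Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2025-12-08T10:09:30Z", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2025-12-08T10:10:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "192.0.2.9", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"accessKeyId": "AKIAI44QH8DHBEXAMPLE"}},
]


def flag_stolen_key_use(events, exposed_keys, known_egress_ips):
    """Return API calls made with an exposed key from an address that is not the
    application host's own egress IP: the signature of a key being replayed."""
    hits = []
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId")
        if key in exposed_keys and ev["sourceIPAddress"] not in known_egress_ips:
            hits.append((ev["eventTime"], key, ev["sourceIPAddress"], ev["eventName"]))
    return hits


def correlate_sources(access_findings, key_hits):
    """IPs that both sent unusual POSTs and replayed a key: exploitation and
    credential use tied to the same actor infrastructure."""
    return set(access_findings) & {ip for _, _, ip, _ in key_hits}


if __name__ == "__main__":
    findings = triage_access_log(ACCESS_LOG)
    hits = flag_stolen_key_use(CLOUDTRAIL_EVENTS, {"AKIAIOSFODNN7EXAMPLE"}, {"203.0.113.200"})
    for ip, reqs in findings.items():
        print(f"unusual POSTs from {ip}: {[r['path'] for r in reqs]}")
    for when, key, ip, action in hits:
        print(f"{when} {key} used from {ip}: {action}")
    print("overlap:", correlate_sources(findings, hits))
```

The route allowlist is the part that needs care: a Next.js app that uses form submissions or API routes will have legitimate POSTs, so build the allowlist from the application's own route definitions rather than from what the logs show, or the attacker's traffic gets allowlisted along with everything else. On the cloud side, the exposed-key set should be exactly the keys the rotation inventory found on the host.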