Microsoft Defender Security Research Team delivers expert analysis of the React2Shell vulnerability (CVE-2025-55182) in React Server Components, providing mitigation strategies and Defender integration guidance for securing enterprise systems.

Mitigating CVE-2025-55182 (React2Shell) in Enterprise Environments

Author: Microsoft Defender Security Research Team

Overview

CVE-2025-55182, also known as React2Shell, is a critical pre-authentication remote code execution (RCE) vulnerability found in React Server Components, impacting Next.js and related frameworks. Attackers can exploit it with a single HTTP request due to missing input validation, leading to prototype pollution and arbitrary code execution.

  • Severity: CVSS 10.0, reliable public exploits available
  • Affected platforms: Node.js, containers (Windows, Linux), cloud workloads

Attack Activity and Impact

Threat actors have leveraged this flaw in real-world campaigns:

  • Initial exploitation began December 2025
  • Coin miners, remote access trojans, and credential theft identified
  • Post-exploitation tactics include adding users, leveraging RMM tools, and using bind mounts to evade detection
  • Credentials targeted: Azure IMDS endpoints, AWS, GCP, Kubernetes service accounts, OpenAI API keys
  • Attackers used Azure CLI and Azure Developer CLI for further lateral movement

Exploitation Methodology

  1. Attacker sends a crafted HTTP request to a vulnerable server
  2. Server deserializes the malicious payload under the Node.js runtime
  3. Malicious code is executed, enabling reverse shells and persistence mechanisms

[Figure: attack flow diagram]

Mitigation and Protection Steps

Manual Exposure Identification

  • Check application dependencies for react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack, next
  • Validate if installed versions are affected (see next section)
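The following script is an added example and is not code from the Microsoft post. It walks the `packages` map of an npm `package-lock.json` (lockfile v2/v3 layout), picks out the four package names listed above, and compares each installed version with the patched versions from the patch guidance on this page. Two assumptions are made: the `react-server-dom-*` packages are treated as following React's own fixed version lines (19.0.1, 19.1.2, 19.2.1), and the Next.js list is copied as printed on this page. The lock-file content embedded below is constructed for illustration; to run it against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `scanLockfile`.

```javascript
// Patched versions as listed in the post's patch guidance. A version line not
// present here is reported as "review" rather than guessed at.
const PATCHED = {
  // Assumption: the RSC packages track React's fixed releases.
  'react-server-dom-webpack':   ['19.0.1', '19.1.2', '19.2.1'],
  'react-server-dom-parcel':    ['19.0.1', '19.1.2', '19.2.1'],
  'react-server-dom-turbopack': ['19.0.1', '19.1.2', '19.2.1'],
  // Copied verbatim from the page; verify against the upstream advisory.
  'next': ['5.0.5', '15.1.9', '15.2.6', '15.3.6', '15.4.8', '15.5.7', '16.0.7'],
};

// Split "v19.1.2-canary-abc" into [19, 1, 2]; prerelease/build suffixes are dropped here
// and handled separately in compareVersions.
function parseVersion(v) {
  const core = v.replace(/^v/, '').split(/[-+]/)[0];
  const parts = core.split('.').map((n) => parseInt(n, 10));
  while (parts.length < 3) parts.push(0);
  return parts.map((n) => (Number.isNaN(n) ? 0 : n));
}

function hasPrerelease(v) {
  return /-/.test(v.replace(/^v/, ''));
}

// -1 if a < b, 0 if equal, 1 if a > b. A prerelease of X.Y.Z sorts before X.Y.Z itself,
// so "19.1.2-canary-abc" is still older than the fixed 19.1.2.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  const preA = hasPrerelease(a), preB = hasPrerelease(b);
  if (preA === preB) return 0;
  return preA ? -1 : 1;
}

// Classify one installed version of a tracked package.
function assess(name, installed) {
  const fixed = PATCHED[name];
  if (!fixed) return 'not-tracked';
  const [maj, min] = parseVersion(installed);
  // Fixes were backported per minor line, so compare within the same major.minor.
  const sameLine = fixed.find((f) => {
    const [fm, fn] = parseVersion(f);
    return fm === maj && fn === min;
  });
  if (sameLine) return compareVersions(installed, sameLine) >= 0 ? 'patched' : 'vulnerable';
  // No listed fix for this line: anything newer than the newest listed fix counts as
  // "or newer"; anything else needs a human look (older, unlisted line).
  const newest = fixed.reduce((a, b) => (compareVersions(a, b) >= 0 ? a : b));
  return compareVersions(installed, newest) > 0 ? 'patched' : 'review';
}

// Walk every entry in lock.packages, including nested node_modules copies, and
// report each tracked package with its status.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project itself
    const name = path.split('node_modules/').pop();
    if (!(name in PATCHED) || !meta.version) continue;
    findings.push({ path, name, version: meta.version, status: assess(name, meta.version) });
  }
  return findings;
}

// Constructed lock-file excerpt (not a real project).
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/next': { version: '15.5.6' },                        // one below 15.5.7
    'node_modules/react-server-dom-webpack': { version: '19.2.1' },    // fixed release
    'node_modules/some-tool/node_modules/react-server-dom-turbopack': {
      version: '19.1.2-canary-abc',                                    // prerelease of the fix
    },
    'node_modules/react': { version: '19.2.1' },                       // not in the checked list
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`);
}
```

Nested copies matter: a transitive dependency can pin its own `react-server-dom-*` under a deeper `node_modules` path, which a top-level `npm ls` glance easily misses, so the scan keys on every lock entry rather than only direct dependencies.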

Patch Guidance

Update affected packages immediately:

  • React: 19.0.1, 19.1.2, 19.2.1 or newer
  • Next.js: 5.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7 or newer
  • Ensure framework-level updates cascade to downstream dependencies

Defender and Azure WAF Recommendations

  • Use Microsoft Defender Vulnerability Management (MDVM) to inventory and track remediation of vulnerable assets
  • Monitor Defender dashboards and alerts for exploitation attempts
  • Invoke incident response processes for suspicious activity
  • Deploy Azure Web Application Firewall (WAF) custom rules to block exploit patterns during patch windows
  • Use MDVM to validate coverage and confirm risk reduction post-update

Detection and Threat Hunting

Microsoft Defender XDR Detections:

  • Possible exploitation of React Server Components detected by Defender for Endpoint and Defender for Cloud
  • Alerts: suspicious process launches, reverse shells, crypto miner activity, unauthorized code execution, credential theft, hands-on-keyboard lateral movement

Sample Defender detection queries:

  • Detect React2Shell command injection attempts
  • Find suspicious PowerShell or Node.js command invocations
  • Identify reverse shell usage via cmd.exe or PowerShell
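As an added example (not a query from the Microsoft post), the script below expresses the first and third hunting ideas in the list above as plain detection logic over process-creation records. The record fields are modelled loosely on Defender's `DeviceProcessEvents` columns (`Timestamp`, `DeviceName`, `InitiatingProcessFileName`, `FileName`, `ProcessCommandLine`); treat that mapping, the rule names, and the sample events as assumptions constructed for illustration rather than real telemetry.

```javascript
// Process images that identify a Node.js/Next.js server as the parent.
const NODE_RUNTIMES = new Set(['node', 'node.exe', 'nodejs']);
// Command interpreters a web server process has no business launching.
const SHELLS = new Set(['cmd.exe', 'powershell.exe', 'pwsh.exe', 'pwsh', 'sh', 'bash', 'dash', 'zsh']);
// Local account creation, one of the post-exploitation steps the post describes.
const ACCOUNT_CREATION = [
  /\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+\/add\b/i, // Windows: net user <name> <pw> /add
  /\buseradd\b/,                                    // Linux
  /\badduser\b/,
];

// Return the list of rule names that fire for one event (empty = benign).
function evaluateEvent(ev) {
  const parent = (ev.InitiatingProcessFileName || '').toLowerCase();
  const child = (ev.FileName || '').toLowerCase();
  const cmd = ev.ProcessCommandLine || '';
  const reasons = [];
  // Rule 1: a Node runtime spawning a shell (cmd.exe / PowerShell / sh) is the
  // shape of the reverse-shell activity the post's alerts describe.
  if (NODE_RUNTIMES.has(parent) && SHELLS.has(child)) {
    reasons.push('node-runtime-spawned-shell');
  }
  // Rule 2: account creation launched directly by a Node runtime or by a shell.
  if ((NODE_RUNTIMES.has(parent) || SHELLS.has(parent)) && ACCOUNT_CREATION.some((r) => r.test(cmd))) {
    reasons.push('account-creation-from-web-runtime');
  }
  return reasons;
}

// Run every event through the rules and keep only the hits, with enough context
// to pivot on in the console (device, time, image, which rules fired).
function huntProcessEvents(events) {
  return events.flatMap((ev) => {
    const reasons = evaluateEvent(ev);
    return reasons.length
      ? [{ Timestamp: ev.Timestamp, DeviceName: ev.DeviceName, FileName: ev.FileName, reasons }]
      : [];
  });
}

// Constructed sample events (not real telemetry); field names are an assumption.
const SAMPLE_EVENTS = [
  { Timestamp: '2025-12-05T10:14:02Z', DeviceName: 'web-01', InitiatingProcessFileName: 'node.exe',
    FileName: 'powershell.exe', ProcessCommandLine: 'powershell.exe -NoProfile' },
  { Timestamp: '2025-12-05T10:14:09Z', DeviceName: 'web-01', InitiatingProcessFileName: 'cmd.exe',
    FileName: 'net.exe', ProcessCommandLine: 'net user svc_backup Pa55w0rd /add' },
  { Timestamp: '2025-12-05T10:15:30Z', DeviceName: 'web-02', InitiatingProcessFileName: 'node',
    FileName: 'sh', ProcessCommandLine: 'sh -c "id"' },
  // Benign: a build step where node spawns node.
  { Timestamp: '2025-12-05T10:16:00Z', DeviceName: 'build-01', InitiatingProcessFileName: 'node',
    FileName: 'node', ProcessCommandLine: 'node node_modules/.bin/next build' },
  // Benign: an interactive user opening PowerShell from the desktop shell.
  { Timestamp: '2025-12-05T10:17:00Z', DeviceName: 'ws-07', InitiatingProcessFileName: 'explorer.exe',
    FileName: 'powershell.exe', ProcessCommandLine: 'powershell.exe' },
];

for (const hit of huntProcessEvents(SAMPLE_EVENTS)) {
  console.log(`${hit.Timestamp} ${hit.DeviceName} ${hit.FileName}: ${hit.reasons.join(', ')}`);
}
```

Rule 1 is deliberately narrow (parent must be the Node image itself), which keeps it quiet on production web tiers but will fire on developer and CI hosts where build scripts legitimately run `sh -c`; scope it to internet-facing server device groups rather than loosening the match. Rule 2 fires for any shell parent, so on administrator workstations it needs the process ancestry (was the shell itself a child of `node`?) before it is worth an alert.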

Microsoft Sentinel Analytics:

  • TI Mapping rules for matching domain and IP indicators of compromise
  • Query for presence of known payload hashes, C2 domains, and suspicious URLs

Defender for Cloud Templates:

  • Surface internet-exposed containers or virtual machines running vulnerable images
  • Use gallery templates to find assets needing urgent remediation

Indicators of Compromise

  • SHA-256 hashes: Coin miner and backdoor payloads
  • Malicious URLs: Payload delivery endpoints
  • IP addresses/domains: Command and control infrastructure
  • See full IoC tables in the above threat report

Security Copilot Integration

Security Copilot in Microsoft Defender can be used to:

  • Automate incident investigation and threat analysis
  • Run promptbooks for user analysis, threat actor profiling, vulnerability impact
  • Integrate with Defender XDR and Sentinel for deeper context

Conclusion

CVE-2025-55182 poses a significant threat to organizations running React Server Components. Swift patching, thorough vulnerability management, and layered monitoring with Defender and Azure WAF are critical for risk reduction. Defender XDR, Defender for Cloud, MDVM, Sentinel, and Security Copilot provide integrated tools for detection, response, and mitigation.

This post appeared first on the Microsoft Security Blog.