Explore tweets tagged as #React2Shell
Researchers have found two new vulnerabilities in React Server Components while attempting to exploit the patches last week. These are new issues, separate from the critical CVE last week. The patch for React2Shell remains effective for the Remote Code Execution exploit.
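🚨 [Urgent explainer] React2Shell (CVE-2025-55182): a CVSS 10.0 vulnerability being watched as "the second coming of Log4Shell". It affects every organization using React/Next.js. ⚠️ Why is it dangerous in the "default configuration"? ⚠️ What is the supply-chain risk lurking in the "blind spot"? We explained the mechanism and countermeasures in depth 👇 https://t.co/nfMavKD5iZ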
I've uploaded the materials I used in the video about React2Shell (CVE-2025-55182)! https://t.co/9KqfZoRIYv But the video also shows the dynamic analysis results, so I'd like you to watch the video… 👉👈 https://t.co/obo2mzYzGa
Two new RSC protocol vulnerabilities (one high, one medium) were uncovered while auditing the protocol following React2Shell. Please upgrade to the latest patched version in your release line. https://t.co/s0T8wAK7f7
Testing for React2Shell can be as easy as: 1. Running HTTPX to identify NextJS targets 2. Passing the list of targets to React2shell-scanner 3. Verify & report results 🤠 More in next post! 👇
#CVE-2025-55182 #React2Shell Let me walk you through the technical path of the WAF bypass. When a request is sent as multipart/form-data, Next.js hands the raw body stream to Busboy. The bypass comes from Busboy’s charset logic: it cleanly accepts UTF‑16LE (and legacy UCS‑2) and
try this WAF bypass trick for rsc&&next.js CVE-2025-55182 All fields can use utf16le charset #React2Shell
[1] CVE-2025-66478 exploited in the wild. Following up on Tyler Hudak post on #React2Shell, I found a log file from a compromised Next.js app. Cryptominer runs 3-stage attack: kill competitors, deploy miner, persist with watchdog. https://t.co/jYJyOxAhmD
🚨 WARNING: Fake CVE-2025-55182 (React2Shell) scanner contains MALWARE https://t.co/Q65dFepsOl Hidden payload in code: → mshta.exe https://py-installer[.]cc Targets security researchers hunting this vuln. Always read source before running any "security tool"! #React2Shell
React2shell detection payload by @assetnote team (CVE-2025-55182 & CVE-2025-66478) #bugbounty #bugbountytips #cybersecurity
This is the best scanner for the CVE-2025-55182 Try it out !🫡 https://t.co/kEAhkKX6a8
#Hacking #CyberSecurity #ethicalhacking
The CRAZIEST exploit today affected over 500K computers. Someone got hacked through the React2Shell exploit. The attacker was running crypto mining software on a production server. The funny thing is he was running it on two production servers from the same company. If this
React Server Components React2Shell RCE (CVE-2025-55182) Use #Vulhub to reproduce it: https://t.co/cJ60pT2eTK
CVE-2025-55182 (React2Shell) pre-auth RCE FOFA, Shodan,Zoomeye filters : vul.cve="CVE-2025-55182" , asn="REDACTED" && (app="Next.js" || app="React.js") #infosec #cybersec #BugBounty #bugbountytips - Github: https://t.co/VccTRVwSfH
🔴 Watch out, someone is "patching" (?) servers vulnerable to #React2Shell and leaving a warning message about CVE-2025-55182 in English, Chinese, Japanese, and Spanish. According to Censys, 314 servers had/have this condition at this very moment. The vast majority of domains
React2shell detection payload by @assetnote team (CVE-2025-55182 & CVE-2025-66478) #bugbounty #bugbountytips #infosec