Automated credential harvesting via React2Shell exploitation in Next.js applications represents a shift toward industrialised supply-chain attacks
Threat actors are conducting large-scale automated attacks exploiting CVE-2025-55182 (React2Shell) in vulnerable Next.js applications to harvest credentials at scale. This represents a shift from opportunistic patching cycles to industrialised credential theft targeting the JavaScript framework ecosystem.
React2Shell (CVE-2025-55182) allows remote code execution in vulnerable Next.js applications, but the campaign's significance lies not in the vulnerability itself but in its weaponisation for industrialised credential harvesting. Threat actors have moved beyond one-off exploitation to automated scanning and compromise of exposed instances, suggesting either public-facing reconnaissance or access to vulnerable environment telemetry.
The technical attack flow likely involves: discovery of vulnerable Next.js instances via public-facing endpoints or application metadata, exploitation of React2Shell to achieve code execution, and deployment of credential-stealing payloads that extract environment variables, API keys, database credentials, and session tokens. The automation indicates this is not manual opportunistic activity but an organised operation with infrastructure for scanning, exploitation, and credential exfiltration.
Organisations running Next.js in production face immediate risk. Many JavaScript applications expose version information through HTTP headers or bundled metadata, enabling passive reconnaissance. The threat is amplified by the common practice of storing sensitive credentials in environment variables, which become trivial to extract post-exploitation. Supply chain risk extends downstream: compromised API keys and database credentials grant attackers access to backend systems, customer data, and third-party integrations.
Defenders should prioritise: immediate patching of Next.js installations (apply the security update for CVE-2025-55182), rotation of all secrets and credentials that may have been exposed on vulnerable systems, network segmentation to limit lateral movement from compromised applications, and auditing of logs for suspicious environment variable access or exfiltration attempts. Using a secrets manager (HashiCorp Vault, AWS Secrets Manager) rather than environment variables reduces post-exploitation damage.
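A small triage helper for the rotation and reconnaissance points above, added here as an example and not code from the article or from Next.js: it lists the environment variables a harvester would read after code execution (so they can be rotated), flags NEXT_PUBLIC_* secrets, and checks response headers for the default framework banner. It relies on two Next.js behaviours the article does not state (NEXT_PUBLIC_ variables are inlined into the client bundle; the default X-Powered-By header is removed by `poweredByHeader: false`), and every function name and sample value is constructed for this example.

```javascript
// Added example (not from the original article): post-compromise triage helper
// for a Next.js host. Builds the secret-rotation list from an env map (the same
// data a credential harvester reads after code execution), flags NEXT_PUBLIC_*
// variables (Next.js inlines these into the browser bundle, so a secret there is
// already public), and checks response headers for the default
// "X-Powered-By: Next.js" banner that enables passive version reconnaissance.

const SECRET_NAME_RE = /(SECRET|TOKEN|PASSW(OR)?D|API_?KEY|PRIVATE_?KEY|DATABASE_URL|CONNECTION_?STRING)/i;
// A URL whose authority part carries user:password@ (e.g. a database DSN).
const URL_WITH_CREDS_RE = /^[a-z][a-z0-9+.-]*:\/\/[^/:@\s]*:[^/@\s]+@/i;

// Names of variables to rotate if the host was reachable while vulnerable.
function rotationCandidates(env) {
  return Object.entries(env)
    .filter(([name, value]) => SECRET_NAME_RE.test(name) || URL_WITH_CREDS_RE.test(String(value)))
    .map(([name]) => name)
    .sort();
}

// Secret-looking variables that were also shipped to every browser via the bundle.
function leakedToClientBundle(env) {
  return rotationCandidates(env).filter((name) => name.startsWith('NEXT_PUBLIC_'));
}

// True when a response still advertises the framework; set `poweredByHeader: false`
// in next.config.js to remove the header.
function disclosesFramework(headers) {
  const entry = Object.entries(headers).find(([k]) => k.toLowerCase() === 'x-powered-by');
  return entry !== undefined && /next\.js/i.test(entry[1]);
}

// Constructed sample data for a stand-alone run; none of these are real values.
const SAMPLE_ENV = {
  NODE_ENV: 'production',
  DATABASE_URL: 'postgres://app:example-pass@db.internal:5432/app', // constructed
  STRIPE_API_KEY: 'sk_test_EXAMPLE',                                // constructed
  NEXT_PUBLIC_ANALYTICS_TOKEN: 'pk_EXAMPLE',                        // constructed
  CACHE_TTL: '300',
  REDIS: 'redis://:example-pass@cache.internal:6379',               // constructed
};
const SAMPLE_HEADERS = { 'Content-Type': 'text/html', 'X-Powered-By': 'Next.js' };

console.log('rotate:', rotationCandidates(SAMPLE_ENV));
console.log('already public via bundle:', leakedToClientBundle(SAMPLE_ENV));
console.log('framework disclosed:', disclosesFramework(SAMPLE_HEADERS));
```

Run it against the real `process.env` and a captured response header map to produce the rotation list for an affected host.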
This campaign exemplifies a broader threat evolution. Framework vulnerabilities historically saw slow remediation because patches required dependency updates across the supply chain. Threat actors now assume a window of exploitability exists and automate reconnaissance accordingly. The shift from manual pentesting-style exploitation to credential harvesting pipelines suggests this attack vector will remain profitable for months despite disclosure.