The recent disclosure of CVE-2025-55182 and CVE-2025-66478, dubbed « React2Shell », has triggered a global race between defenders patching Next.js/React Server Components and threat actors weaponizing the flaw. While initial Proof-of-Concepts (PoCs) were simple scripts, a new generation of tooling has emerged. So i made React2You, a sophisticated Python-based scanner and exploitation suite, moving beyond simple verification to full interactive (kinda) shell with advanced evasion capabilities.
git repo: https://doesbadthings.online/doesbadthings/react-2-you
Technical Analysis: Beyond Simple Scanning
React2You builds upon the foundational research of Assetnote but introduces features designed specifically to bypass modern security controls. Unlike basic scanners that simply send a verification payload, React2You implements a « Stealth Mode » and « Interactive Shell » that turns the vulnerability into a persistent entry point.
1. WAF Bypass via « Junk Data » Padding
Most Web Application Firewalls (WAFs) operate with performance constraints, often inspecting only the first few kilobytes of a request body. React2You exploits this by implementing a generate_junk_data function.
By injecting 128KB (or more) of random alphanumeric characters into a dummy parameter before the actual malicious JSON payload, the tool pushes the exploit code outside the inspection window of many WAFs. This allows the critical "$1:__proto__:then" prototype pollution payload to slip through undetected.
2. Stealth Mode: UTF-16LE and JSON Obfuscation
The most distinct feature of React2You is its Stealth Mode (--stealth), designed to evade signature-based detection.
- Encoding Mismatch: The tool encodes specific parts of the multipart payload using UTF-16LE. Standard WAF rules usually look for ASCII or UTF-8 patterns (e.g.,
child_process). By changing the encoding to UTF-16LE, the byte sequence changes completely, rendering standard regex rules useless. - JSON Key Obfuscation: The tool uses escaped unicode sequences for JSON keys (e.g., replacing
"then"with"\\u0074hen"). The Next.js parser normalizes these strings upon receipt, executing the code, but network security appliances looking for the literal string"then"in the payload will fail to match.
3. Interactive RCE Shell
While the vulnerability technically allows for arbitrary code execution, chaining commands can be tedious. React2You includes a pseudo-shell that automates the request/response cycle. It injects commands into the child_process.execSync call and parses the specific X-Action-Redirect header or the response body to extract the command output, giving the attacker a seamless terminal-like experience on the victim machine.
Threat Intelligence: Usage in the Wild
The capabilities demonstrated in React2You mirror the tactics currently observed in active exploitation campaigns targeting CVE-2025-55182 and CVE-2025-66478.
- State-Sponsored Activity: Security researchers have observed Chinese-nexus threat actors (such as Jackpot Panda and actors associated with GobRAT) utilizing similar automated scanners. These groups adopted the vulnerability within days of disclosure, moving from scanning to deploying web shells and malware.
- Mass Scanning & Botnets: The « Mass Scanning » feature in tools like React2You allows attackers to feed lists of thousands of URLs (often derived from Shodan or Censys) to identify vulnerable targets rapidly.
- Opportunistic Exploitation: GreyNoise and other telemetry providers have noted a spike in traffic using « obfuscated » payloads similar to React2You’s stealth implementation. Attackers are increasingly using these evasion techniques to target high-value corporate environments that sit behind robust WAFs (like Cloudflare or AWS WAF), proving that default WAF rules are often insufficient against tailored payloads.
Target Acquisition: Automated Reconnaissance via Search Engines
For tools like React2You to be effective in its « Mass Scanning » mode (-l urls.txt), threat actors require a high-fidelity list of potential targets. Rather than scanning random IP ranges, they utilize specialized cyberspace search engines—such as Shodan, FOFA, Hunter.how, and Censys—to perform passive reconnaissance.
By using specific « dorks » (advanced search queries), attackers can instantly retrieve thousands of IP addresses and domains running vulnerable versions of Next.js.
Fingerprinting Next.js
React2You is specifically designed for Next.js environments. Attackers use search engines to identify applications that expose specific fingerprints, such as the X-Powered-By header or the ubiquitous /_next/ directory structure in the HTML body.
Common Reconnaissance Queries
Below are examples of the search queries (dorks) currently being used to generate target lists for this vulnerability:
- Shodan:Plaintext
http.html:"/_next/static" product:"Next.js" http.component:"Next.js"These queries look for the specific directory structure used by Next.js to serve static assets or the component tag identified by Shodan’s crawler. - FOFA (Popular in Asian Threat Landscapes):Plaintext
app="Next.js" header="X-Powered-By: Next.js" body="/_next/static"Given the involvement of groups like Jackpot Panda, FOFA is a primary source for generating target lists in that region. - Hunter.how:Plaintext
web.body="/_next/static" product.name="Next.js"
From Search to Shell
The workflow observed in the wild is highly automated:
- Extraction: Scripts query these search engine APIs to download lists of 10,000+ targets matching the Next.js fingerprint.
- Feeding React2You: This list is saved to a file (e.g.,
targets.txt) and fed directly into the tool:Bashpython react2you.py -l targets.txt -t 50 --stealth - Filtering: The tool’s multi-threaded scanner quickly separates generic Next.js sites from those specifically vulnerable to CVE-2025-55182 or CVE-2025-66478, allowing the attacker to focus their manual exploitation efforts (using the Interactive Shell) on confirmed vulnerable hosts.
Conclusion
The emergence of sophisticated tooling like React2You, coupled with the granular targeting data provided by search engines like Shodan and FOFA, signals a dangerous industrialization of the exploitation lifecycle. Threat actors no longer need to manually hunt for targets; they can simply pipe thousands of search results into an automated, stealth-enabled framework capable of bypassing traditional perimeter defenses.
For cybersecurity teams, React2You serves as a critical proof of concept: the window between vulnerability disclosure and mass automation has collapsed. Reliance on WAF rules—proven to be porous against React2You’s UTF-16LE encoding and « junk data » padding—is a failing strategy. In this high-velocity threat landscape, immediate patching of the underlying Next.js vulnerability remains the only definitive safeguard against this new wave of automated, obfuscated attacks.