766+ Next.js hosts breached in automated React2Shell credential theft campaign (CVE-2025-55182)
Cisco Talos uncovered a large-scale automated campaign by the threat cluster UAT-10608 that exploits React2Shell, a CVSS 10.0 pre-authentication remote code execution flaw in the React Server Components (RSC) packages used by Next.js. A single crafted HTTP request is enough to gain code execution; no credentials are needed. The attackers locate targets with Shodan and Censys, breach the exposed Next.js apps, then deploy the NEXUS Listener framework to harvest database credentials, SSH keys, AWS tokens, Stripe API keys, Kubernetes secrets, and GitHub tokens at scale. At least 766 hosts across multiple cloud providers were compromised within 24 hours.
- Check
- Check whether you run any Next.js applications that use React Server Components (the App Router), especially internet-facing deployments on AWS, GCP, or Azure.
- Affected
- React Server Components package versions 19.0, 19.1.0, 19.1.1, and 19.2.0. Any Next.js application using the App Router with these React versions is vulnerable.
- Fix
- Update the React Server Components packages to a patched version immediately. Rotate all credentials held on any server that ran a vulnerable Next.js deployment: database passwords, SSH keys, AWS keys, Stripe keys, GitHub tokens. Enforce AWS IMDSv2 to prevent cloud metadata credential theft. Enable secret scanning in your repositories. Monitor for outbound connections to NEXUS Listener C2 infrastructure.
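As an added example (not code from the Talos report), the following script performs the "Check" and "Affected" steps above against a project's `package-lock.json`: it walks the lockfile's `packages` map, including nested copies, and flags React Server Components packages at the versions the advisory lists. The package names `react-server-dom-webpack`, `react-server-dom-turbopack` and `react-server-dom-parcel` are an assumption, since the page does not name them, and the sample lockfile is constructed.

```javascript
// Versions listed in the advisory ("19.0" is taken to mean 19.0.0).
const AFFECTED_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
// Assumption: the React Server Components packages a Next.js app pulls in.
const RSC_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-turbopack",
  "react-server-dom-parcel",
];

// Normalise "19.0" -> "19.0.0", drop build metadata ("+sha"), but keep a
// prerelease tag ("-canary-...") so canaries are never silently matched.
function normalizeVersion(v) {
  const noBuild = v.split("+")[0];
  const dash = noBuild.indexOf("-");
  const core = dash === -1 ? noBuild : noBuild.slice(0, dash);
  const pre = dash === -1 ? "" : noBuild.slice(dash);
  const parts = core.split(".").map(Number);
  while (parts.length < 3) parts.push(0);
  return parts.join(".") + pre;
}

function isAffected(version) {
  return AFFECTED_VERSIONS.has(normalizeVersion(version));
}

// lockfileVersion 2/3 keys look like "node_modules/<pkg>" or
// "node_modules/next/node_modules/<pkg>" for nested installs; the package
// name is whatever follows the last "node_modules/" (scoped names included).
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    const name = meta.name || (idx === -1 ? "" : path.slice(idx + 13));
    if (RSC_PACKAGES.includes(name) && meta.version && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: one top-level and one nested RSC package at
// listed versions, one RSC package outside the list, and react core itself
// (not an RSC package, so not flagged).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.0.0" },
    "node_modules/react-server-dom-parcel": { version: "19.2.0-canary-abc123" },
  },
};
```

Run `findAffected(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))` in each Next.js repository; any hit means the host goes on the credential-rotation list in the "Fix" step.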