Many app developers, including developers of media & entertainment apps used by millions of streaming video subscribers, use the React software development environment.
A critical pre-authentication remote code execution (RCE) vulnerability affects React Server Components, the React feature that lets apps run code server-side rather than in the client app. With a CVSS score of 10.0, this vulnerability could allow attackers to execute arbitrary code on vulnerable servers through a single malicious request.
Further details, including mitigation and protection guidance, are posted by Microsoft, linked below.
Nature of the situation
The malware payloads seen in attack campaigns investigated by Microsoft Defender range from remote access trojans and cryptominers to the SNOWLIGHT memory-based malware downloader, which enabled attackers to deploy further payloads to target environments.
The attacks proceeded by enumerating system details and environment variables to enable credential theft and lateral movement.
Credentials observed to be targeted included cloud Instance Metadata Service (IMDS) endpoints for Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and Tencent Cloud, which were queried to acquire identity tokens that could be used to move laterally to other cloud resources.
Attempts to harvest AI and cloud-native credentials, such as OpenAI API keys, Databricks tokens, and Kubernetes service-account credentials, were also observed. The Azure Command-Line Interface (CLI) (az) and Azure Developer CLI (azd) were also used to obtain tokens.
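As an added defender-side example (not code from the Microsoft report or from this page), the detection logic below scans constructed process-egress log lines for requests to IMDS credential endpoints that originate from the web application's own process, which is the behaviour described above. The log format, the process names, and the Tencent Cloud metadata addresses are assumptions; the Azure, AWS and GCP token paths are the documented IMDS paths.

```python
import re
from dataclasses import dataclass

# Assumed IMDS hosts: 169.254.169.254 serves Azure, AWS and GCP IMDS;
# metadata.google.internal is GCP's hostname; 169.254.0.23 and
# metadata.tencentyun.com are assumed here for Tencent Cloud.
IMDS_HOSTS = {"169.254.169.254", "metadata.google.internal",
              "169.254.0.23", "metadata.tencentyun.com"}
# Documented IMDS paths that hand out identity tokens or role credentials.
TOKEN_PATHS = ("/metadata/identity/oauth2/token",                # Azure managed identity
               "/latest/meta-data/iam/security-credentials",     # AWS role credentials
               "/computeMetadata/v1/instance/service-accounts")  # GCP service-account token
# Assumed process names of the React/Node web application itself.
WEB_PROCS = {"node", "next-server", "npm"}

# Assumed egress log format: "<ts> proc=<name> pid=<n> dst=<host>:<port> <METHOD> <path>"
LOG_RE = re.compile(r'^(?P<ts>\S+) proc=(?P<proc>\S+) pid=\d+ dst=(?P<host>[^: ]+):\d+ '
                    r'(?P<method>[A-Z]+) (?P<path>\S+)$')

@dataclass
class Alert:
    ts: str
    proc: str
    host: str
    path: str
    severity: str

def scan_egress(lines):
    """Return one Alert per IMDS request made by a web-app process."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["host"] not in IMDS_HOSTS:
            continue
        if m["proc"] not in WEB_PROCS:
            continue  # cloud agents and daemons legitimately query IMDS
        # Token/credential paths are the lateral-movement signal; other
        # metadata reads are still suspicious from a web process.
        sev = "high" if m["path"].startswith(TOKEN_PATHS) else "medium"
        alerts.append(Alert(m["ts"], m["proc"], m["host"], m["path"], sev))
    return alerts

# Constructed sample log: one benign agent read, then a web process enumerating
# instance metadata and requesting Azure and AWS identity credentials.
SAMPLE_LOG = """\
2025-12-10T03:14:01Z proc=waagent pid=412 dst=169.254.169.254:80 GET /metadata/instance?api-version=2021-02-01
2025-12-10T03:14:09Z proc=node pid=2231 dst=169.254.169.254:80 GET /metadata/instance/compute?api-version=2021-02-01
2025-12-10T03:14:10Z proc=node pid=2231 dst=169.254.169.254:80 GET /metadata/identity/oauth2/token?api-version=2018-02-01
2025-12-10T03:14:11Z proc=node pid=2231 dst=169.254.169.254:80 GET /latest/meta-data/iam/security-credentials/
2025-12-10T03:14:12Z proc=node pid=2231 dst=api.openai.com:443 POST /v1/models
"""

if __name__ == "__main__":
    for a in scan_egress(SAMPLE_LOG.splitlines()):
        print(f"[{a.severity}] {a.ts} {a.proc} -> {a.host}{a.path}")
```

Tune `WEB_PROCS` to the service account or process name your deployment actually runs the React server under, since the point of the rule is that the application process has no business fetching cloud identity tokens.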
Why it matters
This vulnerability presents a significant risk because of the following factors:
- Default configurations are vulnerable, requiring no special setup or developer error.
- Public proof-of-concept exploits are readily available with near-100% reliability.
- Exploitation can happen without any user authentication since this is a pre-authentication vulnerability.
- The vulnerability could be exploited using a single malicious HTTP request.
In this report, Microsoft Defender researchers share insights from observed attacker activity exploiting this vulnerability. Detailed analyses, detection insights, as well as mitigation recommendations and hunting guidance are covered.
What to do
Using the analysis methods listed in the Microsoft post linked below, developers should immediately test their applications for this vulnerability, update, test, and re-deploy them, and notify users of updates as soon as updated versions are available.
Microsoft says that further investigation towards providing stronger protection measures is in progress, and this report will be updated when more information becomes available.
Further reading
Defending against the CVE-2025-55182 (React2Shell) vulnerability in React Server Components. Article. Microsoft Defender Security Research, December 15, 2025.