The cybersecurity world is currently buzzing about React2Shell (CVE-2025-55182), a critical remote code execution (RCE) vulnerability affecting React and Next.js. The scale of the threat is massive: researchers have already identified over 77,000 vulnerable IP addresses exposed to the internet, and confirmed that state-sponsored actors and opportunistic crypto miners have already breached at least 30 organizations.
But if you look closely, this isn't really a story about React.
It is a story about Infrastructure Identity Theft.
When an attacker exploits React2Shell, they don't just break into your network; they become your application. They inherit the identity, the API keys, and the implicit trust your backend places in your frontend servers. This transforms a code flaw into an identity crisis for your internal APIs, shattering the trust boundary between your frontend and your critical data.
The "Pivot": From Frontend RCE to API Breach
React2Shell exploits a flaw in the "Flight" protocol used by React Server Components to serialize data. By sending a malicious payload, often disguised within a standard HTTP request using the next-action header, an unauthenticated attacker can trick the server into executing arbitrary code.
Here is where the story shifts. Once an attacker has code execution on your Next.js server, they don't stop there. They essentially "own" a trusted node inside your network.
According to deep-dive analysis by security researchers, attackers are already using this foothold to scrape cloud credentials, access metadata services, and deploy backdoors such as Sliver. To your backend systems, requests coming from this compromised server look legitimate. It creates a perfect launchpad for East-West lateral movement.
The Real Impact: 7 Ways React2Shell Compromises Your APIs
Once they have established this beachhead, the attacker can use the compromised server to target your internal API ecosystem. This opens the door to seven distinct risks:
- Accessing Shadow APIs: Attackers can scan for and access internal microservice-related APIs that were never meant to be exposed to the internet, bypassing the obscurity that usually protects them.
- Bypassing Access Controls: Because the request comes from a trusted internal IP (the web server), it often bypasses strict authentication checks, WAF rules, or IP allow-lists intended for external traffic.
- Cloud Identity Theft: Attackers specifically target the internal Cloud Metadata APIs (e.g., 169.254.169.254) to steal temporary IAM credentials, allowing them to escalate privileges within your cloud environment.
- Stealing Sensitive Data: Attackers can directly query backend databases or user data stores, exfiltrating massive amounts of PII without triggering perimeter alarms.
- Modifying Backend Logic: With access to internal configuration APIs, attackers could potentially alter business logic or grant themselves persistent administrative access.
- Resource Hijacking: Attackers can abuse your internal API resources to deploy crypto miners or launch Denial-of-Service (DoS) attacks against other internal services.
- Full Environment Compromise (Lateral Movement): From the web server, they can move laterally to other containers, CI/CD pipelines, or sensitive infrastructure components.
Why Perimeter Defense Isn't Enough
Traditional security tools like WAFs are struggling to catch this.
- The Initial Exploit: The malicious React2Shell payload often bypasses WAFs because it appears as valid serialized application data (using the next-action header).
- The Internal Traffic: Once the attacker is inside, their traffic is East-West (internal server to internal server). Most edge security tools are blind to this. They guard the front door, but they have no visibility into what is happening in the hallway.
How Salt Security Closes the Gap
React2Shell validates exactly why East-West API visibility is critical. You cannot rely on the perimeter alone.
Salt Security protects you in two key ways:
1. Discovery of the API Attack Surface
You cannot protect your backend if you don't know what it exposes. Salt automatically discovers your entire API footprint, identifying the Shadow APIs and internal endpoints that a compromised frontend would target. By mapping your full API estate, Salt helps you understand the potential "blast radius" of a frontend breach like React2Shell, ensuring you know exactly which critical data and services are reachable from your web tier.
2. Monitoring the "Trusted Insider" (East-West Traffic)
The most dangerous aspect of React2Shell is that the attack comes from a trusted source: your own web server. To your internal network, these requests look legitimate because they originate from a valid, allow-listed IP address.
Salt Security takes a different approach. We don't just look at the source of the traffic; we analyze the identity's behavior.
- Baselining Trust: Salt establishes a baseline of normal behavior for every asset. We know that your Next.js frontend typically calls specific consumer APIs to fetch page content.
- Detecting Post-Exploitation Abuse: If that trusted server suddenly starts scanning internal ports, calling administrative APIs it never used before, or querying cloud metadata services (a clear sign of the React2Shell kill chain), Salt immediately identifies this deviation. We catch the consequence of the breach, the pivot, even if the initial exploit bypassed the WAF.
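As an added illustration of the baseline-and-deviation logic described above (example code written for this article, not Salt Security's product code), the following Python learns which internal endpoints a web-tier source normally calls from a constructed set of East-West access logs, then flags the three post-exploitation behaviours named in this section: metadata-service access, calls to endpoints never seen in the baseline, and port-scan-like fan-out against a single host. The log format, host names, source IP and the five-port threshold are all assumptions.

```python
from collections import defaultdict

# Constructed East-West access log lines: "<src_ip> <dst_host>:<port> <method> <path>".
# Learning window: the Next.js frontend (10.0.1.5, assumed) only fetches page content.
BASELINE_LOGS = """
10.0.1.5 content-api:8080 GET /v1/pages/home
10.0.1.5 content-api:8080 GET /v1/pages/pricing
10.0.1.5 content-api:8080 GET /v1/products
10.0.1.5 search-api:8080 GET /v1/search
"""
# Post-compromise window (constructed): same trusted source, very different behaviour.
SUSPECT_LOGS = """
10.0.1.5 content-api:8080 GET /v1/pages/home
10.0.1.5 169.254.169.254:80 GET /latest/meta-data/iam/security-credentials/
10.0.1.5 admin-api:9000 POST /v1/admin/users
10.0.1.5 db-proxy:5432 GET /
10.0.1.5 db-proxy:5433 GET /
10.0.1.5 db-proxy:5434 GET /
10.0.1.5 db-proxy:5435 GET /
10.0.1.5 db-proxy:5436 GET /
"""
# Cloud metadata endpoints a web tier should never need to reach (assumed list).
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal"}
PORT_SCAN_THRESHOLD = 5  # distinct ports on one host from one source (assumed)

def parse(line):
    src, dst, method, path = line.split()
    host, port = dst.rsplit(":", 1)
    return src, host, int(port), method, path

def build_baseline(log_text):
    """Per-source set of (host, method, path) tuples seen during the learning window."""
    baseline = defaultdict(set)
    for line in log_text.strip().splitlines():
        src, host, _port, method, path = parse(line)
        baseline[src].add((host, method, path))
    return baseline

def detect(log_text, baseline):
    """Return (rule, src, detail) findings for behaviour outside the learned baseline."""
    findings, ports, reported = [], defaultdict(set), set()
    for line in log_text.strip().splitlines():
        src, host, port, method, path = parse(line)
        key = (host, method, path)
        if host in METADATA_HOSTS:
            findings.append(("metadata_access", src, f"{method} {host}{path}"))
        elif key not in baseline[src] and key not in reported:
            reported.add(key)  # report each new endpoint once, not per request
            findings.append(("unseen_endpoint", src, f"{method} {host}:{port}{path}"))
        ports[(src, host)].add(port)
        if len(ports[(src, host)]) == PORT_SCAN_THRESHOLD:
            findings.append(("port_scan", src, f"{PORT_SCAN_THRESHOLD} ports on {host}"))
    return findings

if __name__ == "__main__":
    for finding in detect(SUSPECT_LOGS, build_baseline(BASELINE_LOGS)):
        print(finding)
```

Note that the source IP is identical in both windows; only the behaviour differs, which is the point the section makes about IP-based trust.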
Conclusion
React2Shell is an important reminder that your security model cannot assume the frontend is secure. A single flaw in a web framework can turn your own trusted infrastructure against you.
To protect your data, you need to look beyond the perimeter and see what is happening behind the web server. Patching this specific CVE is necessary, but true resilience requires a strategy that assumes the breach has already happened. You need the deep, internal API visibility that only Salt Security provides to ensure that when the next frontend zero-day strikes, your backend data remains out of reach.
If you want to learn more about Salt and how we can help you, please contact us, schedule a demo, or visit our website. You can also get a free API Attack Surface Assessment from Salt Security's research team and learn what attackers already know.
