Critical RCE in Next.js (CVE‑2025‑55182) Enables Credential Harvesting Across 766 Hosts
What It Is – CVE‑2025‑55182, dubbed React2Shell, is a remote‑code‑execution flaw in the server‑side rendering pipeline of Next.js applications. An attacker who can reach that pipeline over the network gets attacker‑supplied JavaScript executed inside the application's Node.js process, and from there can run arbitrary shell commands on the underlying host with the privileges of that process. Because the process already holds whatever the deployment handed it (environment variables, mounted files, cached credentials), code execution translates directly into credential theft.
Exploitability – Public proof‑of‑concept code has been circulating since early 2025; Cisco Talos reports active exploitation in the wild, with a coordinated campaign targeting at least 766 distinct Next.js deployments. The CVSS base score is 9.8 (Critical).
Affected Products – All Next.js versions prior to the vendor‑released patch (v13.5.2) are vulnerable. The impact is greatest for deployments that pass production credentials (database URLs, cloud access keys, payment and source‑control tokens) to the rendering process as environment variables, which is the norm on AWS, Azure, GCP and similar platforms: code running inside the process can read them directly, with no further privilege escalation needed.
TPRM Impact –
- Compromise of database credentials, SSH keys, AWS secrets, Stripe API keys, and GitHub tokens creates a direct supply‑chain threat to downstream customers and partners.
- Attackers can pivot from a single compromised vendor to multiple SaaS services, amplifying third‑party risk across entire ecosystems.
Recommended Actions –
- Patch Immediately – Upgrade Next.js to v13.5.2 or later in every environment (production, staging, preview builds). Verify the version that was actually resolved and deployed, i.e. the lockfile entry and the running build, not just the range declared in package.json; a caret range such as ^13.4.x only says what the floor was.
- Rotate Secrets – Treat every secret readable by the affected process as stolen, not merely exposed: invalidate and re‑issue all database passwords, SSH private keys, AWS IAM credentials, Stripe API keys, and GitHub tokens that were present in its environment or on its filesystem, and review those accounts for access keys, deploy keys or users created during the exposure window.
- Implement Secret‑Scanning – Deploy automated scanning of code repositories and CI/CD pipelines for leaked secrets.
- Enforce Least‑Privilege – Review IAM policies for AWS and other cloud services; restrict access to only what is required for the application.
- Monitor for Abuse – Enable anomaly detection on cloud audit logs (new IAM keys or users, calls from unfamiliar IP ranges), SSH login attempts against the affected hosts, and API usage on the exposed Stripe and GitHub credentials, plus unexpected outbound connections from the Next.js hosts themselves, to spot post‑exploitation activity.
- Conduct TPRM Review – Re‑evaluate the risk posture of any third‑party services that integrate with the affected Next.js applications.
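The patch‑verification and secret‑scanning steps above, as an added example that is not part of the original advisory and not Next.js project code: a small Node.js audit that classifies the `next` dependency spec against the patched version the advisory states (13.5.2) and scans an in‑memory snapshot of repository files for the credential formats the advisory names. The repository snapshot, file names and credential values are constructed for the example (they follow the vendors' documented key formats but are not real keys), and the regexes are well‑known public key prefixes assumed sufficient for illustration, not an exhaustive detector.

```javascript
// Added example, not from the advisory or the Next.js project.
// Patched version as stated in the advisory above.
const PATCHED_NEXT = "13.5.2";

// Parse "^13.4.19", "~13.5.0", ">=13.5.2" or "13.5.2" into [13, 4, 19].
// Returns null for specs with no concrete x.y.z (e.g. "latest", "workspace:*").
function parseSemver(spec) {
  const m = /^[\^~>=\s]*(\d+)\.(\d+)\.(\d+)/.exec(String(spec));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// "vulnerable", "patched" or "unknown" for a package.json dependency spec.
// A caret/tilde range only gives the floor the lockfile could have resolved to,
// so a floor below the patch is reported as vulnerable until the lockfile says otherwise.
function classifyNextVersion(spec, patched = PATCHED_NEXT) {
  const v = parseSemver(spec);
  if (!v) return "unknown";
  return compareSemver(v, parseSemver(patched)) < 0 ? "vulnerable" : "patched";
}

// Credential classes named in the advisory, matched by their public prefix format.
// Illustrative patterns (assumption): real scanners use many more and add entropy checks.
const SECRET_PATTERNS = [
  ["aws_access_key_id", /\bAKIA[0-9A-Z]{16}\b/],
  ["stripe_secret_key", /\bsk_live_[0-9A-Za-z]{24,}\b/],
  ["github_token", /\bgh[pousr]_[A-Za-z0-9]{36,}\b/],
  ["private_key_block", /-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----/],
];

// Scan one file's text; one finding per (line, pattern) hit.
function scanForSecrets(path, text) {
  const findings = [];
  text.split("\n").forEach((line, idx) => {
    for (const [kind, re] of SECRET_PATTERNS) {
      if (re.test(line)) findings.push({ path, line: idx + 1, kind });
    }
  });
  return findings;
}

// Audit an in-memory repo snapshot: { "package.json": "...", ".env": "...", ... }.
function auditProject(files) {
  const pkg = JSON.parse(files["package.json"] || "{}");
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const nextSpec = deps.next;
  const nextStatus = nextSpec ? classifyNextVersion(nextSpec) : "not_present";
  const secrets = [];
  for (const [path, text] of Object.entries(files)) {
    secrets.push(...scanForSecrets(path, text));
  }
  return { nextSpec: nextSpec || null, nextStatus, secrets };
}

// Constructed sample repository snapshot (not a real project; the key values
// follow the documented formats but are placeholders).
const SAMPLE_REPO = {
  "package.json": JSON.stringify({
    dependencies: { next: "^13.4.19", react: "18.2.0" },
  }),
  ".env.production": [
    "DATABASE_URL=postgres://app:hunter2@db.internal:5432/app",
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "STRIPE_SECRET_KEY=sk_live_4eC39HqLyjWDarjtT1zdp7dc",
    "GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789",
  ].join("\n"),
  "deploy/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA...\n",
};

const report = auditProject(SAMPLE_REPO);
console.log(JSON.stringify(report, null, 2));
```

Run it against a real checkout by reading package.json, the lockfile's resolved `next` entry, any `.env*` files, and the built `.next` output and container image layers, since environment files baked into an image are just as readable to the compromised process as the repository copy. The DATABASE_URL line in the sample deliberately produces no finding: connection strings have no fixed prefix, which is why credential rotation after an incident must be driven by what the process could read, not by what a scanner happened to match.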
Source: The Hacker News