JavaScript/Node.js Ecosystem Vulnerabilities: Next.js React2Shell Exploitation and Prototype-Pollution/DoS Bugs in Axios and CASL
Threat actors began actively exploiting React2Shell (CVE-2025-55182), a critical issue affecting Next.js and React Server Components that can enable unauthenticated remote code execution on vulnerable, internet-facing servers. Reporting describes exploitation starting within ~20 hours of public disclosure, with attacks observed as malicious HTTP POST requests targeting routes such as /_next/server and /_next/flight, abusing server-component serialization to inject commands into the application runtime. WhoisXMLAPI attributed a large share of scanning/exploitation activity to the “ILOVEPOOP” toolkit, which used centralized infrastructure (noted as high-traffic nodes hosted in the Netherlands), rotating scanner nodes, and a distinctive request fingerprint including non-standard headers like X-Nextjs-Request-Id: poop1234 and Next-Action: x.
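The request fingerprint described above (POSTs to the `/_next/server` and `/_next/flight` routes, plus the `X-Nextjs-Request-Id: poop1234` and `Next-Action: x` headers) is easy to turn into a first-pass detection. The following is an added example written for this page, not tooling from WhoisXMLAPI or any of the cited reports. It assumes a reverse proxy that has been configured to log requests as one JSON object per line including the method, path and request headers; the sample log lines are constructed for the demo and are not real traffic.

```javascript
// Added example: flag requests matching the React2Shell / ILOVEPOOP
// fingerprint from the text. Assumes a constructed JSON-lines log format
// (one request per line with ip, method, path, headers). Header-level
// matches are rated higher than a bare POST to a Next.js internal route,
// since legitimate clients also POST to those routes.
const SUSPECT_PATHS = ['/_next/server', '/_next/flight'];
const FINGERPRINT_HEADERS = {
  'x-nextjs-request-id': 'poop1234',
  'next-action': 'x',
};

function classifyRequest(req) {
  const reasons = [];
  // Normalise header names to lowercase; HTTP header names are case-insensitive.
  const headers = Object.fromEntries(
    Object.entries(req.headers || {}).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
  const path = (req.path || '').split('?')[0];
  const isPost = (req.method || '').toUpperCase() === 'POST';

  if (isPost && SUSPECT_PATHS.some((p) => path === p || path.startsWith(p + '/'))) {
    reasons.push(`POST to ${path}`);
  }
  for (const [name, value] of Object.entries(FINGERPRINT_HEADERS)) {
    if (headers[name] === value) reasons.push(`header ${name}: ${value}`);
  }

  let severity = 'none';
  if (reasons.some((r) => r.startsWith('header'))) severity = 'high';
  else if (reasons.length) severity = 'medium';
  return { severity, reasons };
}

// Walk a log (array of JSON lines) and return only the suspicious entries.
function scanLog(lines) {
  const hits = [];
  for (const [i, line] of lines.entries()) {
    if (!line.trim()) continue;
    let req;
    try { req = JSON.parse(line); } catch { continue; } // skip malformed lines
    const verdict = classifyRequest(req);
    if (verdict.severity !== 'none') hits.push({ line: i + 1, ip: req.ip, ...verdict });
  }
  return hits;
}

// Constructed sample log lines (documentation IP ranges, not real traffic).
const SAMPLE_LOG = [
  '{"ip":"203.0.113.10","method":"GET","path":"/","headers":{"user-agent":"Mozilla/5.0"}}',
  '{"ip":"198.51.100.7","method":"POST","path":"/_next/flight","headers":{"content-type":"text/plain","X-Nextjs-Request-Id":"poop1234","Next-Action":"x"}}',
  '{"ip":"198.51.100.8","method":"POST","path":"/_next/server?x=1","headers":{"content-type":"text/plain"}}',
  '{"ip":"203.0.113.11","method":"POST","path":"/api/login","headers":{"next-action":"x"}}',
];

const findings = scanLog(SAMPLE_LOG);
console.log(JSON.stringify(findings, null, 2));
```

The path-only match is deliberately rated medium: the ILOVEPOOP headers are a toolkit fingerprint, but other actors exploiting the same bug will not send them, so the route match is what catches everyone else and needs correlation with rate and source IP before alerting.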
Separately, two additional JavaScript supply-chain/library vulnerabilities were disclosed that can be triggered via attacker-controlled input in Node.js applications. Axios is affected by a high-severity denial-of-service flaw (CVE-2026-25639, CVSS 7.5) in mergeConfig, where a configuration object containing an own __proto__ property can cause a TypeError and crash the Node.js process when user input is parsed (e.g., via JSON.parse(), which creates __proto__ as an ordinary own key rather than setting the prototype) and passed into Axios configuration. CERT/CC also published VU#458422 for a prototype pollution vulnerability in CASL Ability (versions 2.4.0–6.7.4) in rulesToFields() / setByPath() (extra module), where insufficient sanitization of path segments allows writing to Object.prototype via special keys (e.g., prototype, constructor, and __proto__), potentially enabling broad application compromise up to arbitrary code execution depending on how polluted properties are later used.
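Both bugs share one root cause: code that walks attacker-chosen keys without treating `__proto__`, `constructor` and `prototype` specially. The following added example (not Axios or CASL source) shows why `JSON.parse()` output is dangerous to merge or index into, what a naive key-copying merge and a naive dotted-path setter do with such input, and a guarded version of each. The `RangeError` used for rejection is a stand-in for whatever validation error the application maps to an HTTP 400; the point is that the request fails, not the process. The attacker input is constructed for the demo, and the demo removes the pollution it creates.

```javascript
// Added example, not axios or CASL code: (1) JSON.parse turns "__proto__"
// into an OWN property, (2) a naive merge and a naive path setter are
// subverted by it, (3) guarded versions reject the dangerous keys up front.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Recursively list key paths in untrusted input that name prototype-chain keys.
function findForbiddenKeys(obj, prefix = '') {
  const found = [];
  if (obj === null || typeof obj !== 'object') return found;
  for (const key of Object.keys(obj)) {          // own keys only; includes own "__proto__"
    const path = prefix ? `${prefix}.${key}` : key;
    if (FORBIDDEN_KEYS.has(key)) found.push(path);
    found.push(...findForbiddenKeys(obj[key], path));
  }
  return found;
}

// Naive merge: assigning target["__proto__"] on a plain object hits the
// Object.prototype.__proto__ setter and swaps the target's prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) target[key] = source[key];
  return target;
}

// Guarded merge: refuse input that names prototype-chain keys, so the
// caller gets a controlled error instead of an unexpected TypeError later.
function safeMerge(target, source) {
  const bad = findForbiddenKeys(source);
  if (bad.length) throw new RangeError(`rejected keys: ${bad.join(', ')}`);
  return unsafeMerge(target, source);
}

// Naive dotted-path setter: "__proto__.x" walks straight into Object.prototype
// because obj["__proto__"] is never undefined on a plain object.
function unsafeSetByPath(obj, path, value) {
  const parts = path.split('.');
  let cur = obj;
  for (const part of parts.slice(0, -1)) {
    if (cur[part] === undefined) cur[part] = {};
    cur = cur[part];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Guarded setter: reject forbidden segments and descend only through own
// plain-object properties, never through anything inherited.
function safeSetByPath(obj, path, value) {
  const parts = path.split('.');
  const bad = parts.filter((p) => FORBIDDEN_KEYS.has(p));
  if (bad.length) throw new RangeError(`rejected path segment: ${bad.join(', ')}`);
  let cur = obj;
  for (const part of parts.slice(0, -1)) {
    if (!Object.prototype.hasOwnProperty.call(cur, part) ||
        cur[part] === null || typeof cur[part] !== 'object') {
      cur[part] = {};
    }
    cur = cur[part];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Demonstration with constructed attacker input; cleans up the global
// pollution it causes so nothing leaks past this function.
function demo() {
  const untrusted = JSON.parse('{"timeout": 1000, "__proto__": {"isAdmin": true}}');
  const result = {
    ownProto: Object.prototype.hasOwnProperty.call(untrusted, '__proto__'),
    forbidden: findForbiddenKeys(untrusted),
  };
  // Naive merge: the merged object now INHERITS isAdmin from the injected prototype.
  const merged = unsafeMerge({ baseURL: 'https://example.invalid' }, untrusted);
  result.mergedInheritsIsAdmin =
    merged.isAdmin === true && !Object.prototype.hasOwnProperty.call(merged, 'isAdmin');
  // Guarded merge rejects the same input with a catchable error.
  try { safeMerge({}, untrusted); result.safeMergeRejected = false; }
  catch (e) { result.safeMergeRejected = e instanceof RangeError; }
  // Naive path setter pollutes every plain object in the process...
  try {
    unsafeSetByPath({}, '__proto__.polluted', 'yes');
    result.globalPolluted = ({}).polluted === 'yes';
  } finally {
    delete Object.prototype.polluted;
  }
  result.cleanedUp = ({}).polluted === undefined;
  // ...while the guarded setter refuses the path and otherwise works normally.
  try { safeSetByPath({}, 'constructor.prototype.polluted', 'yes'); result.safeSetRejected = false; }
  catch (e) { result.safeSetRejected = e instanceof RangeError; }
  result.safeSetWorks = safeSetByPath({}, 'a.b.c', 1).a.b.c === 1;
  return result;
}

console.log(demo());
```

The `hasOwnProperty` check in `safeSetByPath` matters independently of the key blocklist: it is what stops a traversal that reaches an inherited object by some other route (a getter, a class instance) from writing into shared state. Both guards together are the usual shape of the upstream fixes for this bug class.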
Timeline
Apr 13, 2026
Axios CVE-2026-40175 disclosed and patched in version 1.15.0
A critical Axios vulnerability, CVE-2026-40175, was disclosed affecting versions prior to 1.15.0 due to improper HTTP header sanitization in the Node.js HTTP adapter. The issue can let prototype-polluted properties reach request headers, enabling request smuggling, metadata exfiltration, IAM credential theft, and possible cloud account takeover; Axios 1.15.0 was identified as the patched release.
Feb 10, 2026
Axios maintainers release fixes for CVE-2026-25639
Axios maintainers released updates to address the mergeConfig crash issue affecting Node.js servers that pass untrusted input into Axios configuration merging. Users were urged to upgrade to version 1.13.4 or later, with 1.13.5 specifically noted as restoring stability.
Feb 10, 2026
Axios DoS vulnerability CVE-2026-25639 is reported
A high-severity denial-of-service flaw in Axios, tracked as CVE-2026-25639 and scored CVSS 7.5, was reported. The issue in mergeConfig can trigger a TypeError and crash Node.js processes when a configuration object contains __proto__ as an own property.
Feb 10, 2026
CERT/CC publishes advisory on CASL Ability prototype pollution flaw
CERT/CC published vulnerability note VU#458422 covering a prototype pollution vulnerability in CASL Ability. No further synopsis details were provided in the reference.
Feb 10, 2026
WhoisXMLAPI attributes React2Shell activity to ILOVEPOOP toolkit
Analysts linked a large share of the React2Shell exploitation activity to a toolkit called ILOVEPOOP. The toolkit was described as using centralized infrastructure based on two high-traffic servers in the Netherlands, rotating scanner nodes, and distinctive HTTP headers for detection.
Dec 5, 2025
Exploitation of React2Shell begins within about 20 hours
Attackers began exploiting internet-facing systems shortly after public disclosure, using malicious HTTP POST requests to routes such as /_next/server and /_next/flight. Early activity included high-volume scanning to find exposed targets before they could be patched.
Dec 4, 2025
React2Shell vulnerability publicly disclosed
The critical Next.js and React Server Components flaw dubbed React2Shell, tracked as CVE-2025-55182, was publicly disclosed. The bug enables unauthenticated remote code execution via abuse of server component serialization.
Related Stories

Active Exploitation of React2Shell (CVE-2025-55182) in React Server Components
Threat actors are actively exploiting **React2Shell** (**CVE-2025-55182**), a critical remote code execution flaw in the Flight protocol used for client-server communication in **React Server Components**. The issue is attributed to **insecure deserialization** that can allow unauthorized code execution on vulnerable servers, with observed targeting across insurance, e-commerce, and IT organizations. Reported payloads include the **XMRig** cryptocurrency miner as well as multiple botnets and remote access tooling; campaigns observed against Russian entities deployed **RustoBot** and **Kaiji**, while other activity distributed malware such as **CrossC2**, **Tactical RMM**, **VShell**, and **EtherRAT**. Affected packages include `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack` in versions **19.0**, **19.1.0**, **19.1.1**, and **19.2.0**, with fixes available in **19.0.1**, **19.1.2**, and **19.2.1**. Separate reporting highlighted that attackers leveraged a **public proof-of-concept (PoC)** for React2Shell and began targeting organizations within hours, reinforcing that rapid weaponization is now common; defenders are advised to patch and also perform post-patch validation, including checking for indicators of compromise, verifying *Next.js* and dependency versions, rebuilding projects after updates, and confirming lockfiles no longer reference vulnerable package versions.
3 weeks ago
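The post-patch step the story above describes, confirming that lockfiles no longer reference vulnerable package versions, is worth automating rather than eyeballing, because nested `node_modules` copies are easy to miss. The following is an added example written for this page, not a tool from any of the cited reports. It assumes the npm `package-lock.json` layout with a top-level `packages` map keyed by `node_modules/...` paths (lockfileVersion 2 or 3), reads the page's "19.0" as 19.0.0, and treats any 19.x release below the listed fix for that minor line as affected; the sample lockfile is constructed.

```javascript
// Added example, not from the page's sources: audit a package-lock.json
// for react-server-dom-* packages still pinned to a React2Shell-affected
// release. Fixed versions are the ones the text lists (19.0.1, 19.1.2,
// 19.2.1); "19.0" is read as 19.0.0 (assumption). Minor lines not listed
// are reported as not affected, which is only as good as the text's list.
const AFFECTED_PACKAGES = [
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
];
const FIXED_PATCH_BY_MINOR = { '19.0': 1, '19.1': 2, '19.2': 1 };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3] } : null;
}

// Affected if it is a listed 19.x line and the patch level is below the fix.
function isAffected(version) {
  const p = parseVersion(version);
  if (!p || p.major !== 19) return false;
  const fixPatch = FIXED_PATCH_BY_MINOR[`${p.major}.${p.minor}`];
  if (fixPatch === undefined) return false;
  return p.patch < fixPatch;
}

// Walk every installed package path, including nested node_modules copies.
function auditLockfile(lockJson) {
  const lock = typeof lockJson === 'string' ? JSON.parse(lockJson) : lockJson;
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop(); // last segment = package name
    if (!AFFECTED_PACKAGES.includes(name) || !entry.version) continue;
    if (isAffected(entry.version)) findings.push({ path, name, version: entry.version });
  }
  return findings;
}

// Constructed sample lockfile: one hoisted and one nested vulnerable copy,
// one fixed copy, and an unrelated package that must be ignored.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/react-server-dom-webpack': { version: '19.1.1' },
    'node_modules/react-server-dom-turbopack': { version: '19.2.1' },
    'node_modules/next/node_modules/react-server-dom-parcel': { version: '19.0.0' },
    'node_modules/react': { version: '19.1.1' },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

To run it against a real project, pass `fs.readFileSync('package-lock.json', 'utf8')` to `auditLockfile`; an empty result after `npm install` and a rebuild is the condition the story's post-patch validation asks for. Yarn and pnpm lockfiles have different layouts and need their own walker.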
Critical Axios Flaw Enables Request Smuggling, IMDSv2 Bypass, and Cloud Compromise
A critical vulnerability in the Axios HTTP client library, tracked as **`CVE-2026-40175`**, allows attackers to turn polluted JavaScript object properties into malicious HTTP headers and abuse outbound requests for **SSRF**, **request smuggling**, and potential **remote code execution**. Researchers said the flaw stems from improper header handling in Axios’s HTTP adapter and unsafe config merging, which can let `Object.prototype` values containing CRLF characters be injected into requests. The issue can be chained with prototype pollution in other npm packages to target internal services, including the AWS EC2 metadata endpoint at `169.254.169.254`, potentially bypassing **IMDSv2** and exposing cloud credentials or broader infrastructure. A public proof-of-concept was released alongside disclosure, raising urgency for defenders even though active exploitation had not been confirmed at the time of reporting. The flaw affects Axios versions before **`1.13.2`**, while maintainers said **`1.15.0`** introduces strict header validation that blocks CRLF-based header injection; organizations were urged to upgrade and audit dependencies such as **`body-parser`**, **`qs`**, and **`minimist`** for prototype pollution paths. One report cited internet-wide estimates of more than **48,000** potentially exposed instances, underscoring the risk of unauthorized internal access and possible full cloud compromise.
2 weeks ago
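The mechanism in the story above, inherited `Object.prototype` values carrying CRLF reaching an outbound request's header block, comes down to which keys a header serializer iterates and whether it validates values. The following added example (not Axios code, and not its actual adapter logic) contrasts a serializer that uses `for...in`, which visits enumerable inherited properties, with one that copies own keys only and rejects CR/LF. The polluted property is planted and removed inside the demo to stand in for a prototype-pollution bug in some other package; the injected header name is constructed and not tied to any specific target.

```javascript
// Added example, not axios code: a for...in header serializer picks up
// ENUMERABLE INHERITED properties, so a polluted Object.prototype can push
// a CRLF-bearing header (and therefore an extra header line) into an
// outbound request. The hardened version copies own keys only and refuses
// CR/LF in values and non-token characters in names.
const CRLF = /[\r\n]/;
const TOKEN = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/; // RFC 7230 token characters

function serializeHeadersUnsafe(headers) {
  let out = '';
  for (const name in headers) out += `${name}: ${headers[name]}\r\n`; // inherited too
  return out;
}

function serializeHeadersSafe(headers) {
  const lines = [];
  for (const name of Object.keys(headers)) {          // own, enumerable only
    const value = String(headers[name]);
    if (!TOKEN.test(name)) throw new TypeError(`invalid header name: ${JSON.stringify(name)}`);
    if (CRLF.test(value)) throw new TypeError(`CR/LF in header value for ${name}`);
    lines.push(`${name}: ${value}`);
  }
  return lines.length ? lines.join('\r\n') + '\r\n' : '';
}

// Simulate the chain: another package has polluted Object.prototype with a
// value that embeds CRLF (constructed here; removed in finally).
function demo() {
  Object.defineProperty(Object.prototype, 'x-injected', {
    value: 'harmless\r\nX-Smuggled: 1',
    enumerable: true, configurable: true, writable: true,
  });
  try {
    const headers = { Host: 'internal.example', Accept: 'application/json' };
    const unsafe = serializeHeadersUnsafe(headers);
    const safe = serializeHeadersSafe(headers);
    // Own-property CRLF is a separate case the safe version must also catch.
    let crlfRejected = false;
    try { serializeHeadersSafe({ 'X-Test': 'a\r\nb' }); } catch (e) { crlfRejected = e instanceof TypeError; }
    return {
      unsafeContainsSmuggled: unsafe.includes('\r\nX-Smuggled: 1\r\n'),
      unsafeLineCount: unsafe.split('\r\n').filter(Boolean).length, // 2 real + 2 injected
      safe,                                                        // own keys only
      crlfRejected,
    };
  } finally {
    delete Object.prototype['x-injected'];
  }
}

console.log(demo());
```

Both checks are needed: `Object.keys` keeps inherited junk out, but an own value that itself contains CRLF (from a query string, for example) would still split the header block without the regex check. Node's own `http` module rejects CR/LF in header values, so the exposure is largest in code that builds the raw request text or bypasses that validation.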
React2Shell Remote Code Execution Vulnerability in React 19 and Next.js
A critical remote code execution vulnerability, dubbed **React2Shell**, was discovered in the React 19 library, specifically affecting React Server Components. The flaw allows unauthenticated attackers to execute arbitrary code on servers by sending crafted requests, making it a severe risk for organizations using default React and Next.js deployments. Within hours of public disclosure, security firms including Google’s Threat Intelligence Group and AWS confirmed active exploitation in the wild, highlighting the shrinking window between vulnerability awareness and real-world attacks. Researchers from Wiz and Unit 42 demonstrated that even clean, default deployments were susceptible, emphasizing the widespread impact due to the popularity of these frameworks. Threat actors rapidly weaponized the React2Shell vulnerability, with the RondoDoX botnet launching automated exploitation campaigns targeting both web applications and IoT devices. CloudSEK’s analysis of command and control logs revealed a multi-month campaign, with a significant spike in attacks following the vulnerability’s disclosure in December 2025. The RondoDoX botnet deployed various payloads, including web shells and cryptominers, and quickly adapted its infrastructure in response to security firm reports. Organizations with technology stacks overlapping the targeted vectors were promptly alerted, underscoring the urgent need for patching and monitoring in environments using React 19 and Next.js.
1 month ago