In December 2025, a critical security vulnerability with a CVSS base score of 10.0 (the maximum) was disclosed: React2Shell (CVE-2025-55182), a remote code execution flaw in React Server Components / Flight implementations, as used by frameworks like Next.js.
React2Shell abuses how the Flight protocol deserialises data from clients. By crafting a malicious request to a special endpoint (for example /_rsc), attackers can trick the server into executing attacker-controlled JavaScript.
The disclosure was quickly followed by exploitation by multiple threat actor groups. Several threat intelligence teams have already tied some of this activity to state-associated actors.
New SecDim Challenge: React2Shell
We’ve turned this vulnerability and incident into a hands-on incident response challenge on SecDim.
The scenario drops you into a compromised React/Next.js environment with:
- Reverse-proxy and RSC HTTP logs showing the malicious Flight request
- Application logs with the injected console.log(50) and errors from react-server-dom-webpack
- EDR telemetry capturing node → PowerShell → Cobalt Strike / Snowlight / Vshell
- Evidence of AWS credential access and AMSI bypass
Your mission is to reconstruct the attack chain, identify Indicators of Compromise (IoCs), and map everything back to MITRE ATT&CK.
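As an added illustration (not part of the challenge or of SecDim's material), the first link in that chain can be hunted by pairing a node process spawning a shell with a POST to the RSC endpoint on the same host shortly before. The log field names, sample events and the 30-second window are assumptions constructed for this sketch.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the challenge): reverse-proxy requests
# and EDR process-creation events, already parsed into dicts.
PROXY = [
    {"ts": "2025-12-05T10:14:58", "host": "web01", "method": "GET", "path": "/about"},
    {"ts": "2025-12-05T10:15:02", "host": "web01", "method": "POST", "path": "/_rsc"},
    {"ts": "2025-12-05T11:40:00", "host": "web02", "method": "POST", "path": "/_rsc"},
]
EDR = [
    {"ts": "2025-12-05T10:15:03", "host": "web01",
     "parent": r"C:\Program Files\nodejs\node.exe", "image": "powershell.exe"},
    {"ts": "2025-12-05T10:20:00", "host": "web01",
     "parent": "explorer.exe", "image": "powershell.exe"},
    {"ts": "2025-12-05T12:30:00", "host": "web02",
     "parent": "node.exe", "image": "git.exe"},
]

NODE = {"node.exe", "node"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def _name(path):
    """Lower-cased file name from a Windows or POSIX image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def suspicious_spawns(edr):
    """Process creations where a node runtime is the parent of a shell."""
    return [e for e in edr
            if _name(e["parent"]) in NODE and _name(e["image"]) in SHELLS]


def correlate(proxy, edr, window=timedelta(seconds=30)):
    """Attach to each node -> shell spawn the POSTs to /_rsc that reached
    the same host within `window` before it (assumed correlation window)."""
    findings = []
    for spawn in suspicious_spawns(edr):
        t = datetime.fromisoformat(spawn["ts"])
        reqs = [r for r in proxy
                if r["host"] == spawn["host"]
                and r["method"] == "POST"
                and r["path"].startswith("/_rsc")
                and timedelta(0) <= t - datetime.fromisoformat(r["ts"]) <= window]
        findings.append({"spawn": spawn, "requests": reqs})
    return findings
```

A spawn with an empty `requests` list is still worth triage; the request may have arrived through a path the proxy did not log.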
Best of all, you can play it for free in:
Incident Response catalogue
https://play.secdim.com/game/incident-response
Spin it up, follow the logs, and see how fast you can spot the React2Shell foothold before it turns into a full-blown cloud compromise.

