React2Shell (CVE-2025-55182)... Uh oh
I don't use React, why should I be at all worried? Turns out, I did. My smug thinking that I didn't have to patch was my downfall this week.
What is React2Shell?
It was breaking news for me and I managed to alert everyone I knew about the React CVE that came out at the start of December. A massive exploit that basically lets you take control of servers that React sites are on. As you can tell, this is a coming clean moment for me, and a shock to my understanding.
Firstly, I just want to thank the German government, which alerted me to the fact that I even had a Next.js server running. If they hadn't, I probably wouldn't have noticed my machine was compromised.
Forge
I use Laravel Forge to take away a lot of the server management and busy tasks of having a VPS with so many things running on it. The downside of that is I completely neglected to understand that while I did actually have a React app running on it, it was also running a Next.js server. Something I completely forgot, as I never actually set it up; it was all done with the click of a button. So when I got that email from the government saying "Port 3000 is open to a CVE attack vector btw" I just about crapped my pants and knew exactly what it was.
It was a test dev site of all things. Just me messing around with React, hosting a basic boilerplate website. Now I host everything behind Cloudflare, so there was a part of me that was even less bothered about this, because in order for people to actually try and attack my sites they'd need to know the IP of the machine, and since the React demo site I have isn't even live for anyone (it's behind Cloudflare Access) there is no trace whatsoever that my box, or me, is hosting React.... Unless you scan the IP and notice my firewall wasn't turned on to block port 3000. Then yeah, you'd probably find it that way. I'm guessing when this exploit went live, scripts ran across the IP blocks trying to find as many React sites as they could.
The good thing is, if you compromised the machine, unless you went hunting or understood the directory structure of Forge, you probably would have just seen a Next.js server and moved on with your life. I'm not entirely sure what kind of access people had to the box. But it doesn't seem like anyone was poking around.
Lucky?
I think... I'm pretty lucky. For some reason, the punishment for my laziness and lack of understanding on this was simply about 4 crypto miners running on the instance at once. Weirdly, none of my uptime was affected. None of my sites were down. I even ran a Tailscale VPN from it, a MySQL server, everything seemed to perform fine. The only thing that made me suspicious was a long-running PHP script that was killed, and a 500 error on one of my backend systems. But I just assumed that was my own error. I've had a few problems before, so I chalked it up to something I did. I suppose if my sites actually got traffic. My databases weren't corrupted, nothing was defaced. Genuinely, if this were me at 15 I'd have raided the data, burned everything on it and called it a day. I seem to have gotten off with a very big scare. Which I suppose makes sense? Better to try to make money off the box than burn it all down? And anyone wanting to specifically target my sites wouldn't know the IP. It would have only been those mass generic miner scripts that target a wide IP range.
Countermeasures
It was at work when I noticed. At 11am I saw my CPU graph in Hetzner was pegged. Logging into the machine got me kicked back out again by the script refusing to allow me to kill it. Luckily, it only ran under the account that I set up the websites with, so I was able to log in as root perfectly fine and terminate everything belonging to the script. I made a backup of the things I care about, and nuked the entire thing. As you can tell, by the time of writing this it's not even been 24 hours of downtime!
The question is, did they take any of the data? What about my VPN? I had Tailscale operating at some points during this time; did they know what websites I was accessing? Honestly, I simply don't know. I didn't really want to take a backup of the machine and risk making it worse. Chances are if they were 10% as smart as they were to exploit this they'd have cleared logs anyway... The only things I really host DB-wise are blogs, and some archive data from a previous project, StreamBit, which is all login via Twitch tokens anyway, so I don't even store passwords.
Most annoying thing has been re-rolling my keys and passwords. If you aren't sure you just have to assume everything has been taken.
Lessons Learned
Firstly, not having the firewall enabled was such a bad move. But even then, just updating my app should have been the first thing I did. However, even if I had done both of those, the system was still compromised. I checked the logs. The news went out and my machine was targeted straight away. I doubt I could have been any quicker. And worse still, chances are I would have updated the repo, deployed it, and then seen the stats and figured I was hacked in another way. The saying in IT security is it's not if but when. There's no telling what kind of state-sponsored vector is sitting on everyone's machines, waiting for the grand discovery. This was the mother of all CVEs. A 10 rating is about as bad as it gets.
So, what have I changed?
Firewall is now active, blocking anything outside my static IP from reaching management ports (SSH, etc.)
All apps are obviously up to date
Looking into better system monitoring and alerting for when resources ramp
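The three changes above boil down to two recurring checks: is anything listening on a public address that I didn't mean to expose (the forgotten Next.js server on port 3000 is exactly that), and is the box suddenly burning CPU. The script below is an added example, not code from the original post or from Forge; it audits `ss -tlnp` output against a short list of ports that are meant to be public, and checks the 1-minute load average against a threshold so it can run from cron and alert. The `ss` sample, the allow list, the port numbers and the process names are all constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `ss -tlnp` output, standing in for the live command.
# In real use: exposed_ports "$(ss -tlnp)"
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      511    0.0.0.0:80           0.0.0.0:*         users:(("nginx",pid=812,fd=6))
LISTEN 0      511    0.0.0.0:443          0.0.0.0:*         users:(("nginx",pid=812,fd=7))
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*         users:(("sshd",pid=640,fd=3))
LISTEN 0      511    *:3000               *:*               users:(("next-server",pid=2210,fd=20))
LISTEN 0      80     127.0.0.1:3306       0.0.0.0:*         users:(("mysqld",pid=950,fd=21))
LISTEN 0      4096   100.64.0.5:22        0.0.0.0:*         users:(("sshd",pid=640,fd=4))'

# Ports that are supposed to be reachable from the whole internet (assumed: an
# HTTPS site fronted by Cloudflare). Everything else on a wildcard bind either
# needs to move to 127.0.0.1 / a Tailscale address or needs a firewall rule.
ALLOWED_PUBLIC_PORTS="80 443"

# exposed_ports: takes ss -tlnp output as $1 and prints "port process" for every
# socket bound to a wildcard address (0.0.0.0, * or [::]) whose port is not in
# ALLOWED_PUBLIC_PORTS. Loopback and VPN-only binds are ignored.
exposed_ports() {
  printf '%s\n' "$1" | awk -v allow="$ALLOWED_PUBLIC_PORTS" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NR == 1 { next }                       # header line
    {
      addr = $4
      port = addr; sub(/.*:/, "", port)    # text after the last colon
      host = addr; sub(/:[^:]*$/, "", host)
      if (host != "0.0.0.0" && host != "*" && host != "[::]") next
      if (port in ok) next
      proc = "?"                           # ss omits the process for non-root
      if (match($0, /\("[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
      print port, proc
    }'
}

# check_load: $1 = contents of /proc/loadavg, $2 = CPU count, $3 = ratio.
# Returns 1 when the 1-minute load average exceeds ratio * cores, which is the
# condition a cron job would turn into an alert.
# In real use: check_load "$(cat /proc/loadavg)" "$(nproc)" 0.9
check_load() {
  load1=${1%% *}
  awk -v l="$load1" -v c="$2" -v r="$3" 'BEGIN { exit (l + 0 > c * r) ? 1 : 0 }'
}

# Stand-alone run against the constructed sample.
if [ "${RUN_AUDIT_DEMO:-1}" = 1 ]; then
  found=$(exposed_ports "$SAMPLE_SS_OUTPUT")
  [ -n "$found" ] && printf 'exposed on a wildcard bind:\n%s\n' "$found"
  check_load "4.52 3.90 2.10 3/412 2210" 2 0.9 || echo "load above threshold"
fi
```

On the sample this flags port 22 (sshd) and port 3000 (next-server), and that is the point: 3000 should never have been reachable, and 22 is fine only because the firewall limits it to the static IP. With ufw that rule is `ufw default deny incoming`, `ufw allow from <static-ip> to any port 22 proto tcp`, then `ufw enable`; a service like the Next.js dev server is better bound to 127.0.0.1 and put behind the reverse proxy than left for the firewall to catch.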
And that's pretty much it. There's nothing else I can really do other than change my behaviour regarding "things I don't think I use but probably should check if I do anyway". Funnily enough, I had the alerts from Vercel warning me of the issue. I'm rather surprised Forge didn't do anything on their end regarding it, or send out any notices.
This could have easily been avoided if I had just updated instead of thinking I wasn't affected. That's a me problem. In the grand scheme of things, it always seems to be humans that are the weakest point, eh?