If you’ve ever deployed a small personal project online and thought
“Nobody will care about this”
“It’s just a test website”
This post will change your mind.
This is the story of React2Shell, a maximum-severity vulnerability in a framework used by millions of projects, and how my own small NextJS website got compromised and turned into a crypto-mining bot.
What is React2Shell?
React2Shell is a community name given to CVE-2025-55182, a critical Remote Code Execution (RCE) vulnerability affecting React Server Components (RSC).
In short: a specially crafted HTTP request sent to a vulnerable React application with RSC enabled can result in arbitrary code execution on the server.
The flaw is in how React Server Components deserialize data received from the client. When that deserialization trusts attacker-controlled input, the request body ends up steering what the server executes, the worst kind of scenario for an internet-exposed service.
The CVSS (Common Vulnerability Scoring System) score?
10 / 10, maximum severity
Within hours of disclosure, automated exploit scripts were written and started scanning the whole internet for vulnerable instances.
My small website got hacked (on purpose)
I had a small website online, nothing with real users:
- Vulnerable NextJS version
- Running inside an unprivileged Docker container
- No sensitive data
- No users
- On a cheap VPS
I knew the NextJS version was vulnerable and I was curious so I left it as is and monitored some metrics like CPU and memory usage.
It didn’t take long, but honestly it wasn’t immediate either.
After a few days, the symptoms appeared:
- CPU usage pinned above 100%
- Strange process running inside the container
The container was compromised and running some CPU-intensive task, probably crypto mining.
What should we actually learn?
1. Small projects are not safe
Attackers don’t care how big your project is: bots scan whole IP ranges with automated scripts, and scanning millions of machines this way is surprisingly fast and cheap. Every internet-exposed service you host is attack surface, so protect it accordingly.
If it’s reachable from the internet, assume it will be attacked.
Consider using a service like Tailscale (or directly a VPN such as WireGuard) so that services you host for yourself are never exposed to the internet at all; that removes the risk instead of managing it. My whole homelab is only reachable via Tailscale by me and trusted devices, and that is a big relief when something like this happens.
2. Updating dependencies is important
React2Shell didn’t come from an unknown npm package with zero monthly users but from a dependency used by millions of projects worldwide. Security updates are part of software maintenance, and you should have a plan to apply them regularly. For an npm project, npm audit reports known advisories against the installed versions and npm outdated shows what can be upgraded; run both as part of routine maintenance.
3. Containers can be useful, but you need to understand their limits
Containers are not virtual machines: they share the host’s kernel. A kernel or runtime vulnerability (a container escape), or a careless configuration, can let an attacker who controls the container reach the host. It is unlikely, but not impossible, and a compromised container should be treated as a foothold, not a dead end.
You should never:
- Run containers as root
- Mount sensitive host directories inside containers (the Docker socket included)
You should always:
- Drop the Linux capabilities the container doesn’t need
- Set CPU, memory and PID limits so a hijacked container can’t consume the whole host
- Keep the container runtime updated
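The list above is easy to agree with and easy to forget at deploy time, so here is a small audit that checks a running container for exactly those settings. This is an added example, not the author's code: it reads the JSON that docker inspect prints and reports the settings that widen the blast radius of a compromised container. The hardened docker run baseline in the comments, the two constructed inspect excerpts and the list of sensitive host paths are assumptions for illustration, not something the post shows.

```python
"""Audit a container's configuration for root user, capabilities, privilege
escalation, sensitive bind mounts, resource limits and a writable root fs.
Added example: reads `docker inspect` output; samples below are constructed."""
import json
import subprocess
import sys

# Example hardened baseline for a Next.js container (an assumption, not from
# the post): non-root user, all capabilities dropped, no privilege escalation,
# read-only root fs with tmpfs scratch space, and PID/memory/CPU ceilings:
#
#   docker run -d --name site --user 1000:1000 --cap-drop ALL \
#     --security-opt no-new-privileges --read-only --tmpfs /tmp \
#     --pids-limit 256 --memory 512m --cpus 1 \
#     -p 127.0.0.1:3000:3000 my-next-site

# Host paths that hand over the host when bind-mounted into a container.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/proc", "/sys", "/root", "/home",
                        "/var/run/docker.sock", "/run/docker.sock")


def _under(path: str, root: str) -> bool:
    """True if `path` is `root` itself or lives below it ("/" matches only "/")."""
    if root == "/":
        return path == "/"
    return path == root or path.startswith(root + "/")


def audit_container(info: dict) -> list[str]:
    """Return human-readable findings for one `docker inspect` object."""
    findings = []
    cfg = info.get("Config") or {}
    host = info.get("HostConfig") or {}

    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "root", "0"):
        findings.append("runs as root (Config.User unset or root)")
    if host.get("Privileged"):
        findings.append("--privileged: every capability plus host devices")
    if host.get("CapAdd"):
        findings.append(f"extra capabilities added: {host['CapAdd']}")
    if "ALL" not in (host.get("CapDrop") or []):
        findings.append("default capability set kept (no --cap-drop ALL)")
    if not any("no-new-privileges" in opt for opt in (host.get("SecurityOpt") or [])):
        findings.append("no-new-privileges not set")
    for mount in info.get("Mounts") or []:
        src = mount.get("Source", "")
        if mount.get("Type") == "bind" and any(_under(src, p) for p in SENSITIVE_HOST_PATHS):
            findings.append(f"sensitive host path bind-mounted: {src}")
    if not host.get("PidsLimit"):
        findings.append("no PID limit")
    if not host.get("Memory"):
        findings.append("no memory limit")
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem writable (dropped binaries persist)")
    return findings


# Constructed `docker inspect` excerpts: a default `docker run` with the Docker
# socket mounted, and the hardened baseline from the comment above.
WEAK = {
    "Config": {"User": ""},
    "HostConfig": {"Privileged": False, "CapAdd": None, "CapDrop": None,
                   "SecurityOpt": None, "PidsLimit": None, "Memory": 0,
                   "ReadonlyRootfs": False},
    "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                "Destination": "/var/run/docker.sock"}],
}
HARDENED = {
    "Config": {"User": "1000:1000"},
    "HostConfig": {"Privileged": False, "CapAdd": None, "CapDrop": ["ALL"],
                   "SecurityOpt": ["no-new-privileges"], "PidsLimit": 256,
                   "Memory": 536870912, "ReadonlyRootfs": True},
    "Mounts": [],
}


def audit_running(name: str) -> list[str]:
    """Audit a live container by name (requires the docker CLI on the host)."""
    out = subprocess.run(["docker", "inspect", name], capture_output=True,
                         text=True, check=True).stdout
    return audit_container(json.loads(out)[0])


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = {sys.argv[1]: audit_running(sys.argv[1])}
    else:
        results = {"weak": audit_container(WEAK), "hardened": audit_container(HARDENED)}
    for label, found in results.items():
        print(f"{label}: {'OK' if not found else ''}")
        for finding in found:
            print(f"  - {finding}")
```

Run it with a container name to audit a live container, or with no arguments to see the two constructed samples side by side. One caveat with the read-only root filesystem: an application that writes at runtime needs an extra tmpfs for those paths (for Next.js, typically the .next/cache directory), otherwise it will fail to start.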
4. Monitoring is essential
This incident was caught because I was monitoring CPU usage. Without basic monitoring, this miner could have run unnoticed for a long time.
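What "basic monitoring" can look like for the two symptoms described in this post, a container pinned at high CPU for several consecutive polls and processes inside it that it has no reason to run. This is an added example, not the author's setup: it parses the text printed by docker stats --no-stream --format '{{json .}}' and by docker top <container> -eo pid,comm. The sample poll output and process listing are constructed, and the allowlist of expected process names is an assumption for a container started with next start.

```python
"""Flag containers whose CPU stays above a threshold for several consecutive
polls, and processes inside a container that are not on an allowlist.
Added example; sample data below is constructed."""
import json
import subprocess
from collections import defaultdict, deque

# `docker stats` reports CPU as a percentage of one core, so a process using
# two cores reads ~200%; this threshold catches "one full core, sustained".
CPU_THRESHOLD = 90.0
SUSTAINED_SAMPLES = 3  # alert only after this many consecutive hot polls
# Assumption: what a Next.js container started with `next start` normally runs.
EXPECTED_COMMANDS = {"node", "npm", "next-server"}


def parse_stats(text: str) -> dict[str, float]:
    """Map container name -> CPU percent from `docker stats` JSON lines."""
    usage = {}
    for line in text.splitlines():
        if line.strip():
            row = json.loads(line)
            usage[row["Name"]] = float(row["CPUPerc"].rstrip("%"))
    return usage


class CpuWatch:
    """Keeps the last N CPU readings per container across polls."""

    def __init__(self, threshold: float = CPU_THRESHOLD, window: int = SUSTAINED_SAMPLES):
        self.threshold = threshold
        self.window = window
        self.history = defaultdict(lambda: deque(maxlen=window))

    def observe(self, usage: dict[str, float]) -> list[str]:
        """Record one poll; return containers hot for the whole window."""
        hot = []
        for name, cpu in usage.items():
            readings = self.history[name]
            readings.append(cpu)
            if len(readings) == self.window and all(c > self.threshold for c in readings):
                hot.append(name)
        return hot


def unexpected_processes(top_text: str, expected=EXPECTED_COMMANDS) -> list[str]:
    """Command names from `docker top ... -eo pid,comm` output not in the allowlist."""
    lines = top_text.strip().splitlines()[1:]  # skip the PID / COMMAND header
    names = [ln.split(None, 1)[1].strip() for ln in lines if ln.strip()]
    return sorted({n for n in names if n not in expected})


# Constructed sample output: three successive `docker stats` polls in which the
# "site" container stays around 200% CPU while "db" idles, and one process
# listing for "site" containing two commands the allowlist does not expect.
SAMPLE_STATS = [
    '{"Name":"site","CPUPerc":"198.55%","MemPerc":"41.2%","PIDs":"63"}\n'
    '{"Name":"db","CPUPerc":"2.10%","MemPerc":"8.0%","PIDs":"7"}\n',
    '{"Name":"site","CPUPerc":"201.02%","MemPerc":"41.5%","PIDs":"63"}\n'
    '{"Name":"db","CPUPerc":"1.80%","MemPerc":"8.0%","PIDs":"7"}\n',
    '{"Name":"site","CPUPerc":"199.80%","MemPerc":"41.6%","PIDs":"64"}\n'
    '{"Name":"db","CPUPerc":"2.40%","MemPerc":"8.1%","PIDs":"7"}\n',
]
SAMPLE_TOP = """PID                 COMMAND
1                   node
23                  node
412                 sh
415                 curl
"""


def poll_live(watch: CpuWatch) -> list[str]:
    """One live poll with the docker CLI; returns containers pinned hot."""
    out = subprocess.run(["docker", "stats", "--no-stream", "--format", "{{json .}}"],
                         capture_output=True, text=True, check=True).stdout
    return watch.observe(parse_stats(out))


def live_processes(name: str) -> list[str]:
    """Unexpected processes in a live container (requires the docker CLI)."""
    out = subprocess.run(["docker", "top", name, "-eo", "pid,comm"],
                         capture_output=True, text=True, check=True).stdout
    return unexpected_processes(out)


if __name__ == "__main__":
    watch = CpuWatch()
    for i, snapshot in enumerate(SAMPLE_STATS, 1):
        print(f"poll {i}: hot containers = {watch.observe(parse_stats(snapshot))}")
    print("unexpected processes in 'site':", unexpected_processes(SAMPLE_TOP))
```

Run from cron or a loop with poll_live and live_processes, and wire the returned lists to whatever alerting you already have. The sustained-window check matters: a single poll above 100% is normal during a build or a traffic burst, while a miner keeps the reading pinned there poll after poll, which is exactly the pattern that gave this one away.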