Exploit Alert: LexisNexis & the "React2Shell" Jump
The cybersecurity community is currently dissecting one of the most significant breaches of the year. LexisNexis Legal & Professional has confirmed a data breach involving over 2 gigabytes of leaked files. The root cause was not a new "zero-day" but a months-old vulnerability that allowed a "jump" from a simple web frontend into the heart of the company's AWS cloud infrastructure.
The Vector: What is "React2Shell"?
The attack began with CVE-2025-55182 (dubbed React2Shell), a maximum-severity (CVSS 10.0) remote code execution (RCE) flaw in React Server Components (RSC).
- The Mechanism: The flaw exists in React's Flight protocol, which handles data serialized between the client and the server. Because the protocol lacked proper type checking during deserialization, attackers could craft a malicious HTTP request that forced the server to execute arbitrary JavaScript.
- The "Vibe" of the Exploit: Much like the infamous Log4Shell, React2Shell is devastating because it is pre-authentication. An attacker doesn't need a password; they just need to send a single, well-crafted POST request to any endpoint supporting RSC.
The "Jump": From Frontend to AWS Secrets
What makes the LexisNexis case a "masterclass" in poor configuration is how the threat actor FulcrumSec moved laterally. According to the leak details:
- Initial Access: The attackers hit an unpatched React frontend application within the LexisNexis AWS environment.
- The ECS Breach: Once RCE was achieved, the attackers found themselves inside a container running under a specific ECS (Elastic Container Service) Task Role.
- The "Single Key" Failure: In a major security oversight, this single Task Role (reportedly named LawfirmsStoreECSTaskRole) had broad read access to AWS Secrets Manager.
- The Loot: By querying the AWS Metadata Service (169.254.169.254), the attackers used the container's identity to pull plaintext secrets, including Redshift master credentials and production database keys.
The Damage Report
While LexisNexis states the compromised data was "mostly legacy" (pre-2020), the volume of structured technical data is staggering:
- 3.9 Million database records.
- 536 Redshift tables and 430+ VPC database tables.
- 53 AWS Secrets in plaintext (including RDS master passwords like "Lexis1234").
- 400,000 Cloud User Profiles, including 118 high value accounts belonging to federal judges, DOJ attorneys, and SEC staff.
Hacklido Technical Takeaway: How to Defend
If you are running React 19 or Next.js 15+, your primary mission today is an Identity Audit.
- Patch the Runtime: Ensure you are on React 19.0.4, 19.1.5, or 19.2.4 or higher. These versions include the "hasOwnProperty" fix that prevents prototype pollution during deserialization.
- Zero-Trust for Containers: Never give an ECS Task Role access to "all" secrets. Use the Principle of Least Privilege: a web frontend should never have the permissions to read database master keys or VPC infrastructure maps.
- IMDSv2 Only: Force the use of Instance Metadata Service Version 2 (IMDSv2) on your EC2 and ECS instances. IMDSv2 requires a session-oriented token, which effectively kills most "one-shot" SSRF and RCE metadata-theft techniques.
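To make the last two hardening points concrete (least-privilege ECS Task Roles and IMDSv2 enforcement), here is an added audit script. It is not code from the article, from Hacklido, or from AWS; it is an example written for this page. The two IAM policy documents, the instance records, the account id and secret ARN in them are constructed samples that only follow the shape of real IAM policy JSON and of the MetadataOptions field returned by `aws ec2 describe-instances`. The helper names (`find_broad_secret_access`, `instances_allowing_imdsv1`) are hypothetical.

```python
"""Identity audit helpers: flag task-role policies that can read every secret,
and EC2 instances whose metadata endpoint still accepts IMDSv1 (no token).

All policy documents and instance records below are constructed samples
in the shape of real AWS data; nothing here is taken from a live account."""
import fnmatch
import json

# Constructed sample: the over-broad pattern the article describes, one role
# that may read any secret in the account.
OVERBROAD_TASK_ROLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["secretsmanager:GetSecretValue", "secretsmanager:ListSecrets"],
     "Resource": "*"}
  ]
}
""")

# Constructed sample: the same role scoped to the single secret the frontend needs.
LEAST_PRIVILEGE_TASK_ROLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": "secretsmanager:GetSecretValue",
     "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:frontend/session-signing-key-*"}
  ]
}
""")

# Actions that hand out secret material (as opposed to listing names).
SECRET_READ_ACTIONS = ("secretsmanager:GetSecretValue",
                       "secretsmanager:BatchGetSecretValue")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _action_reads_secrets(action_pattern):
    """IAM action matching is case-insensitive and supports '*' wildcards,
    so 'secretsmanager:*' and '*' both cover GetSecretValue."""
    pat = action_pattern.lower()
    return any(fnmatch.fnmatchcase(a.lower(), pat) for a in SECRET_READ_ACTIONS)


def _is_broad_resource(resource):
    """Broad means the whole account ('*') or a bare wildcard as the last ARN
    component (e.g. '...:secret:*' or '...:123456789012:*')."""
    return resource == "*" or resource.endswith(":*")


def find_broad_secret_access(policy):
    """Return (action, resource) pairs from Allow statements that grant a
    secret-reading action on a wildcard resource. Empty list means clean."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if not _action_reads_secrets(action):
                continue
            for resource in _as_list(stmt.get("Resource", [])):
                if _is_broad_resource(resource):
                    findings.append((action, resource))
    return findings


# Constructed sample in the shape of Reservations[].Instances[] entries.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0example111",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-0example222",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
    {"InstanceId": "i-0example333",
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
]


def instances_allowing_imdsv1(instances):
    """IDs of instances whose metadata endpoint is reachable but does not
    require a session token, i.e. IMDSv1 (a one-shot GET) is still accepted."""
    weak = []
    for inst in instances:
        opts = inst.get("MetadataOptions", {})
        if opts.get("HttpEndpoint", "enabled") == "enabled" and opts.get("HttpTokens") != "required":
            weak.append(inst["InstanceId"])
    return weak


def imdsv2_remediation_command(instance_id):
    """The AWS CLI call that turns token-less metadata access off for one instance."""
    return (f"aws ec2 modify-instance-metadata-options --instance-id {instance_id} "
            f"--http-tokens required --http-endpoint enabled")


if __name__ == "__main__":
    for name, pol in (("over-broad", OVERBROAD_TASK_ROLE_POLICY),
                      ("least-privilege", LEAST_PRIVILEGE_TASK_ROLE_POLICY)):
        print(name, "->", find_broad_secret_access(pol) or "OK")
    for iid in instances_allowing_imdsv1(SAMPLE_INSTANCES):
        print(imdsv2_remediation_command(iid))
```

In a real audit the policy documents would come from `iam get-role-policy` / `iam get-policy-version` for every ECS task role, and the instance records from `ec2 describe-instances`; the matching logic stays the same. The resource check is deliberately coarse (anything ending in a bare `*` is treated as broad), which errs on the side of flagging a role for human review.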