Hackers Exploit Next.js Vulnerability in Automated Credential Theft Campaign
AI-generated from multiple sources. Verify before acting on this reporting.
LONDON (AP) — Cybercriminals are exploiting a newly discovered vulnerability in Next.js web applications to steal user credentials in an automated campaign, security researchers said Friday.
The attack leverages a flaw identified as CVE-2025-55182, known as React2Shell, which allows attackers to execute arbitrary code on affected servers. The campaign, detected on April 5, 2026, targets Next.js applications that have not applied recent security patches. Once compromised, the malicious code automatically scans for and exfiltrates sensitive authentication data, including session tokens and login credentials.
The vulnerability stems from improper input validation within the React framework’s server-side rendering components. Attackers inject malicious payloads through specific request parameters, bypassing standard security controls. The automated nature of the campaign suggests a coordinated effort, with thousands of requests originating from distributed IP addresses across multiple continents.
Next.js, a popular open-source framework developed by Vercel, is widely used for building server-side rendered and static web applications. The framework’s extensive adoption has made it a prime target for exploitation. Security advisories issued by Vercel recommend immediate patching of all affected installations. The company stated that the vulnerability was discovered through internal testing and reported responsibly before public disclosure.
Organizations relying on Next.js are urged to update their systems to the latest version, which includes fixes for the React2Shell flaw. Administrators should also audit their applications for signs of compromise, such as unauthorized access recorded in logs or unexpected outbound traffic. The campaign’s focus on credential theft indicates a potential link to broader identity theft or financial fraud operations.
The timing of the attack coincides with increased scrutiny of web application security following several high-profile breaches in recent months. Experts warn that unpatched systems remain vulnerable to exploitation, with attackers likely to continue scanning for susceptible targets. The automated nature of the campaign suggests the use of botnets or specialized scanning tools to identify and exploit vulnerable instances at scale.
No specific organizations have been confirmed as victims of the campaign, though the widespread use of Next.js implies a significant attack surface. Security firms are monitoring for additional indicators of compromise and developing detection signatures to help organizations identify and block malicious activity.
The full scope of the campaign remains unclear, with questions about the attackers’ ultimate objectives and the extent of data already compromised. As researchers continue to analyze the vulnerability, organizations are advised to remain vigilant and implement robust security measures to protect against similar threats.