ILOVEPOOP Toolkit Exploiting React2Shell Vulnerability to Deploy
A critical vulnerability, dubbed “React2Shell” (CVE-2025-55182), has emerged in React Server Components and the frameworks built on them, most prominently Next.js.
Following its public disclosure on December 4, 2025, threat actors mobilized with alarming speed, launching exploitation attempts against internet-facing systems within just 20 hours.
The flaw allows unauthenticated attackers to execute arbitrary code on vulnerable servers, making it a high-priority threat for enterprises globally.
Attacks typically arrive as malicious HTTP POST requests, with the observed scanning concentrated on Next.js routes such as /_next/server and /_next/flight.
The flaw lies in how the server deserializes the React Server Components payload carried in those requests: a crafted payload lets an intruder reach code execution inside the application's runtime rather than merely corrupting a data field.
The initial waves of this campaign were characterized by high-volume scanning, designed to identify and compromise exposed infrastructure before defenders could apply necessary patches.
WhoisXMLAPI analysts identified the “ILOVEPOOP” toolkit as the driving force behind a significant portion of this hostile activity.
This sophisticated yet crudely named framework operates through a centralized infrastructure, primarily anchored by two high-traffic servers hosted in the Netherlands.
Telemetry indicates these nodes have interacted with millions of global endpoints, signaling a massive effort to map and exploit vulnerable networks across sectors like SaaS, retail, and government.
Inside the ILOVEPOOP Toolkit’s Mechanics
The toolkit distinguishes itself through a unique and consistent attack signature that simplifies detection for vigilant defenders.
It utilizes a cluster of nine distinct scanner nodes that rotate their operations to maintain persistence and evade static blocklists.
A hallmark of this toolkit is the inclusion of specific, non-standard HTTP headers in every exploit attempt, most notably X-Nextjs-Request-Id: poop1234 and Next-Action: x.
These markers serve as a digital fingerprint, tying thousands of disparate attacks back to a single operator or group.
Furthermore, the toolkit follows a systematic scanning methodology, probing six specific Next.js paths in turn to test for susceptibility.
It often begins with generic reconnaissance against login pages before escalating to complex React Server Actions payloads involving prototype pollution.
The infrastructure is highly centralized, with the two primary Netherlands IPs (193.142.147[.]209 and 87.121.84[.]24) acting as the command hubs.
Additionally, the toolkit has demonstrated unusual versatility, with observed attempts to deliver React2Shell payloads via POP3 protocols, likely to bypass standard web filters.
Blocking these core nodes and filtering on the header fingerprint (X-Nextjs-Request-Id: poop1234 paired with Next-Action: x) neutralizes this particular campaign, but both indicators cost the operator nothing to change, so they are a stopgap rather than a substitute for patching.
Security teams should urgently patch affected Next.js installations and configure Web Application Firewalls (WAF) to reject requests containing the identified malicious headers.
Additionally, blocking traffic from the known Netherlands-based exploit servers is strongly advised to disrupt the toolkit’s primary communication channels.
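The detection logic that the header and infrastructure indicators above translate into, as an added example (this is not code from the article, from WhoisXMLAPI, or from the toolkit). It scores request records against the two hub IPs, the X-Nextjs-Request-Id: poop1234 / Next-Action: x header pair, and POSTs to the /_next/server and /_next/flight routes, reporting partial matches separately so a changed header value still surfaces. The log format, one JSON object per request with a "headers" map, and the sample lines are constructed assumptions; adapt the loader to whatever your proxy or WAF emits.

```python
"""Score HTTP request records against the ILOVEPOOP / React2Shell indicators.

Added example, not from the original article. Indicators are the ones the
article names; the JSON-per-line log format and sample records are assumed.
"""
import json
from dataclasses import dataclass

# Hub IPs as printed in the article (defanged there with [.]).
HUB_IPS = {"193.142.147.209", "87.121.84.24"}

# Header fingerprint the toolkit sends on every attempt (names compared
# case-insensitively, since proxies normalize header case differently).
FINGERPRINT_HEADERS = {
    "x-nextjs-request-id": "poop1234",
    "next-action": "x",
}

# Routes the article reports as the targets of the exploit POSTs.
SUSPECT_PATH_PREFIXES = ("/_next/server", "/_next/flight")


@dataclass
class Finding:
    line_no: int
    src_ip: str
    path: str
    reasons: list


def classify(record: dict) -> list:
    """Return the list of matched indicators for one request record."""
    reasons = []
    headers = {k.lower(): v for k, v in record.get("headers", {}).items()}

    if record.get("src_ip") in HUB_IPS:
        reasons.append("known ILOVEPOOP hub IP")

    matched = [h for h, v in FINGERPRINT_HEADERS.items() if headers.get(h) == v]
    if len(matched) == len(FINGERPRINT_HEADERS):
        reasons.append("ILOVEPOOP header fingerprint")
    elif matched:
        # A partial match is still worth a look: the operator may have
        # changed one header value and kept the other.
        reasons.append("partial header fingerprint: " + ", ".join(matched))

    if record.get("method") == "POST" and record.get("path", "").startswith(
        SUSPECT_PATH_PREFIXES
    ):
        reasons.append("POST to React2Shell target route")

    return reasons


def scan(lines) -> list:
    """Run classify() over JSON log lines; malformed lines are skipped, not fatal."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append(
                Finding(n, rec.get("src_ip", "?"), rec.get("path", "?"), reasons)
            )
    return findings


# Constructed sample log: a benign request, a full-fingerprint hit from a hub
# IP, a partial-fingerprint hit from an unlisted scanner, a corrupt line, and
# a plain login probe from the second hub IP.
SAMPLE_LOG = [
    '{"src_ip": "203.0.113.7", "method": "GET", "path": "/", "headers": {}}',
    '{"src_ip": "193.142.147.209", "method": "POST", "path": "/_next/server",'
    ' "headers": {"X-Nextjs-Request-Id": "poop1234", "Next-Action": "x"}}',
    '{"src_ip": "198.51.100.42", "method": "POST", "path": "/_next/flight",'
    ' "headers": {"Next-Action": "x"}}',
    "garbage line that is not json",
    '{"src_ip": "87.121.84.24", "method": "GET", "path": "/login", "headers": {}}',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.src_ip} {f.path} -> {'; '.join(f.reasons)}")
```

Feed real proxy output through scan() and alert on any finding carrying the full fingerprint or a hub IP; treat partial matches as hunting leads, since the toolkit rotates across nine scanner nodes the article does not enumerate.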
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.