SQA #3841

open

[SQA] AIAXIO - CVE-2025-55182 (React2Shell) Testing

Added by Aman Bhuiyan 4 months ago.

Status: Pending
Priority: High
Assignee:
Target version:
Start date: 12/05/2025
Due date:
% Done: 90%
Estimated time: 4:00 h
Spent time:

Description

AIAXIO – CVE-2025-55182 (React2Shell) Testing – 05 Dec 2025

  • Ran RSC surface scanner → initially reported [EXPOSED] on https://aiaxio.com/signin
  • Executed multiple public RCE PoCs (msanft, maple3142, custom curl payloads)
  • Tested reverse shells (TCP + HTTP callbacks) → no connection
  • Ran gold-standard detection payload → no deserialization error
  • Final verdict: Production instance is NOT vulnerable
    • Either already patched (React ≥19.2.1 / Next.js ≥16.0 accidental update)
    • Or Vercel silent runtime hot-patch applied automatically

Status: No exploitation possible → Safe
Action: No immediate patch required. False-positive from old scanner can be ignored.
