React2Shell
The morning of December 4th, 2025. Access logs show odd Flight-shaped POSTs hitting production overnight. Only after you chase the noise do you match it to the React2Shell advisory.
Briefing
At 03:00 UTC the CDN was already showing bursts of `rsc=1` POSTs that do not match normal product traffic. Work it like an incident response: prove which clients are noisy, prove the stack, identify the quiet session, then verify deploy and secret-rotation containment.
Your role
On-call SRE for a SaaS app running Next.js. Logs looked wrong before the CVE name trended online.
Objective
Trace the suspicious RSC POSTs in logs, correlate parser failures, prove the App Router blast radius, and verify containment evidence.
Terminal environment
- user: responder
- host: edge-prod-02
- cwd: /srv/forge-web
- steps: 10
Safety note. This is a safe reconstruction. All systems, files, hosts, credentials, and outputs are simulated. Do not use these techniques on systems you do not own or have explicit permission to test.