China-nexus cyber threat groups rapidly exploit React2Shell vulnerability (CVE-2025-55182)
The React2Shell vulnerability (CVE-2025-55182) is a critical security flaw affecting React Server Components in React versions 19.x and Next.js versions 15.x and 16.x when using App Router. China state-sponsored threat groups, including Earth Lamia and Jackpot Panda, rapidly began exploiting this vulnerability within hours of its public disclosure in December 2025. The vulnerability allows unauthenticated remote code execution, posing a severe risk to affected web applications. Although no confirmed exploits in the wild have been reported yet, active exploitation attempts have been observed. The vulnerability's critical nature and rapid exploitation by advanced persistent threat actors make it a significant concern for organizations using these frameworks. European organizations relying on React and Next.
AI Analysis
Technical Summary
CVE-2025-55182, dubbed React2Shell, is a critical vulnerability discovered in React Server Components affecting React 19.x and Next.js 15.x and 16.x versions when using the App Router feature. This vulnerability enables unauthenticated attackers to execute arbitrary code remotely by exploiting flaws in the server-side rendering process of React applications. The vulnerability was publicly disclosed on December 3, 2025, and within hours, multiple China state-sponsored threat groups, notably Earth Lamia and Jackpot Panda, were observed actively attempting exploitation. These groups are known for targeting strategic sectors and leveraging zero-day vulnerabilities for espionage and disruption. The vulnerability carries a theoretical CVSS score of 10.0, indicating maximum severity, although the provided data lists severity as medium, likely reflecting initial uncertainty or incomplete impact assessment. The attack vector involves sending crafted requests to vulnerable React Server Components, triggering execution of malicious payloads on the server. This can lead to full system compromise, data theft, or deployment of further malware. The threat actors have been observed using IP addresses linked to known malicious infrastructure. No confirmed widespread exploitation has been reported yet, but the rapid weaponization and targeting by advanced threat actors underscore the urgency. The vulnerability affects a broad range of web applications built on popular JavaScript frameworks, making it a high-value target for attackers. The lack of official patch links in the data suggests that organizations must monitor vendor advisories closely and apply mitigations promptly once available.
Potential Impact
For European organizations, the React2Shell vulnerability poses a critical risk to confidentiality, integrity, and availability of web applications and backend systems using React 19.x or Next.js 15.x/16.x with App Router. Exploitation could lead to unauthorized access to sensitive data, disruption of services, and potential lateral movement within networks. Sectors such as finance, government, telecommunications, and critical infrastructure that rely heavily on modern web technologies are particularly vulnerable. The involvement of China state-sponsored groups indicates a likelihood of targeted attacks against strategic European entities for espionage or sabotage. The rapid exploitation attempts shortly after disclosure highlight the threat's immediacy. Organizations with public-facing React-based applications could face defacement, data breaches, or ransomware deployment. The broad adoption of React and Next.js in Europe increases the attack surface, and the lack of immediate patches could prolong exposure. Additionally, supply chain risks exist if third-party services or libraries incorporate vulnerable components. The overall impact could include reputational damage, regulatory penalties under GDPR for data breaches, and operational disruptions.
Mitigation Recommendations
1. Immediately inventory all web applications and services using React 19.x and Next.js 15.x or 16.x with App Router to identify vulnerable instances.
2. Monitor official React and Next.js security advisories and apply patches or updates as soon as they are released.
3. Implement Web Application Firewalls (WAF) with custom rules to detect and block exploitation attempts targeting the React2Shell vulnerability.
4. Employ runtime application self-protection (RASP) tools to detect anomalous behavior indicative of exploitation.
5. Restrict network exposure of server-side rendering endpoints to trusted networks where possible.
6. Conduct thorough code reviews and penetration testing focusing on server-side rendering components to identify and remediate insecure coding practices.
7. Enhance logging and monitoring to detect suspicious requests or unusual server activity related to React Server Components.
8. Educate development teams about secure usage of React Server Components and the risks of untrusted input processing.
9. Consider temporary mitigation by disabling or isolating App Router features if patching is delayed.
10. Collaborate with threat intelligence providers to stay informed about emerging exploitation tactics and indicators of compromise.
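A small Node.js check for mitigation steps 1 and 7 above, added here as an example and not taken from the pulse or from the AWS post it cites. It reads a package-lock.json "packages" map (a constructed sample is embedded) to flag projects running React 19.x or Next.js 15.x/16.x with App Router, and matches the pulse's four indicator IPs against constructed access-log lines. Whether App Router is in use is passed in by the caller (an assumption; a real run would check for an app/ directory), and the version check is only a scope check: it does not tell you whether a fix is installed, which the vendor advisory decides.

```javascript
// Constructed sample: a package-lock.json v3 "packages" map in the shape npm
// writes. The version numbers are made up for illustration.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { next: '^16.0.0', react: '^19.0.0' } },
    'node_modules/next': { version: '16.0.2' },
    'node_modules/react': { version: '19.1.0' },
    'node_modules/react-dom': { version: '19.1.0' },
  },
};

// Indicator IPs taken verbatim from the pulse's "Indicators of Compromise" list.
const IOC_IPS = new Set(['143.198.92.82', '183.6.80.214', '206.237.3.150', '45.77.33.136']);

// Constructed access-log lines (combined log format) for the matcher below.
const SAMPLE_LOG = [
  '10.0.0.5 - - [05/Dec/2025:18:00:01 +0000] "GET /dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '45.77.33.136 - - [05/Dec/2025:18:00:07 +0000] "POST / HTTP/1.1" 500 0 "-" "python-requests/2.31"',
  '10.0.0.9 - - [05/Dec/2025:18:00:09 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
  '206.237.3.150 - - [05/Dec/2025:18:01:15 +0000] "POST /api/data HTTP/1.1" 200 17 "-" "curl/8.4.0"',
];

// Return the major number of an exact version ("19.1.0") or a range ("^19.0.0",
// "~15.2.1"); null for anything that is not x.y.z ("latest", "workspace:*").
function majorOf(version) {
  const m = /^[\^~>=<v\s]*(\d+)\.\d+\.\d+/.exec(String(version || ''));
  return m ? Number(m[1]) : null;
}

// Resolved version of a top-level dependency from the lockfile, or null.
function installedVersion(lock, name) {
  const entry = lock.packages && lock.packages[`node_modules/${name}`];
  return entry ? entry.version : null;
}

// usesAppRouter is decided by the caller (assumption: presence of an `app/`
// directory at the project root); this example never touches the filesystem.
function assessProject(lock, usesAppRouter) {
  const react = installedVersion(lock, 'react');
  const next = installedVersion(lock, 'next');
  const reactInScope = majorOf(react) === 19;
  const nextInScope = [15, 16].includes(majorOf(next));
  return {
    react,
    next,
    usesAppRouter,
    reactInScope,
    nextInScope,
    // Scope named by the advisory: React 19.x / Next.js 15.x-16.x with App Router.
    inScope: usesAppRouter && (reactInScope || nextInScope),
  };
}

// Match the client IP (first field of a combined-format line) against the IoC set.
function matchIocs(logLines, iocIps) {
  const hits = [];
  for (const line of logLines) {
    const ip = line.split(' ', 1)[0];
    if (iocIps.has(ip)) hits.push({ ip, line });
  }
  return hits;
}

function main() {
  const assessment = assessProject(SAMPLE_LOCK, true);
  console.log('inventory:', assessment);
  for (const hit of matchIocs(SAMPLE_LOG, IOC_IPS)) {
    console.log('IoC hit:', hit.ip, '|', hit.line);
  }
}

main();
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))`, pass `fs.existsSync('app')` as the App Router flag, and feed your web server's access log to matchIocs; an IoC hit is a reason to pull the full request record for that source, not proof of compromise on its own.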
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Finland
Indicators of Compromise
- cve: CVE-2025-1338
- cve: CVE-2025-55182
- ip: 143.198.92.82
- ip: 183.6.80.214
- ip: 206.237.3.150
- ip: 45.77.33.136
Technical Details
- Author: AlienVault
- TLP: white
- References: https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
- Adversary: China-nexus
- Pulse Id: 69331d05a7d525a2c1cf508c
- Threat Score: null
Threat ID: 69331db4f88dbe026c0066bb
Added to database: 12/5/2025, 6:00:20 PM
Last enriched: 12/5/2025, 6:16:07 PM
Last updated: 12/6/2025, 2:50:04 AM