
Critical React2Shell Flaw Added to CISA KEV After Confirmed Active Exploitation

Severity: Critical
Exploit: remote
Published: Sat Dec 06 2025 (12/06/2025, 11:40:00 UTC)
Source: The Hacker News

Description

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday formally added a critical security flaw impacting React Server Components (RSC) to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation in the wild. The vulnerability, CVE-2025-55182 (CVSS score: 10.0), relates to a case of remote code execution that could be triggered by an

AI-Powered Analysis

Last updated: 12/06/2025, 11:45:25 UTC

Technical Analysis

The React2Shell vulnerability (CVE-2025-55182, CVSS 10.0) is a critical, unauthenticated remote code execution (RCE) flaw in Meta's React Server Components (RSC). It lives in the react-server code that implements the server side of the Flight protocol, the wire format React uses to exchange component trees and Server Function calls between client and server. The root cause is insecure deserialization: a Flight payload supplied by the client is reconstructed into server-side objects without adequate validation, so an attacker who can reach a React Server Function endpoint can send a specially crafted HTTP request whose payload, once deserialized, results in arbitrary command execution on the server. No credentials or user interaction are required.

The vulnerable code ships inside the React server-side bindings (react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack) and is therefore inherited by every framework built on them, including Next.js, React Router, Waku, Parcel, Vite and RedwoodSDK. That dependency chain is what makes the exposed attack surface so large: an application is affected through the framework it uses even if it never imports these packages directly.

Exploitation in the wild followed quickly after disclosure and public proof-of-concept code. Activity attributed to Chinese state-affiliated groups tracked as Earth Lamia and Jackpot Panda has been reported, and Coalition, Fastly, GreyNoise and Palo Alto Networks Unit 42 have observed further attackers performing reconnaissance, stealing AWS credentials, deploying cryptocurrency miners and running in-memory downloaders that fetch additional payloads. On this basis CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog on Friday.

Fixes are available in React 19.0.1, 19.1.2 and 19.2.1 (one patch release per affected 19.x minor line), and organizations are urged to update immediately. Under BOD 22-01, U.S. federal agencies must remediate by December 26, 2025. As with other insecure-deserialization bugs, the impact of a successful exploit is full compromise of the server process rather than a contained information leak, which is why the CVSS score sits at the maximum.

Potential Impact

For European organizations the risk is severe because React and the frameworks built on it are ubiquitous in public-facing web applications. A successful exploit yields remote code execution on the application server: attackers can run arbitrary commands, drop malware such as cryptocurrency miners, read credentials stored on the host (AWS configuration files have already been targeted) and establish persistent footholds. The downstream consequences are data breaches, service disruption, financial loss and reputational damage. Because the affected endpoints are, by design, reachable from the internet, exposure is the rule rather than the exception. Active exploitation by nation-state-linked actors raises the stakes for critical infrastructure, enterprises and government bodies, and the heavy use of affected frameworks in finance, e-commerce, telecommunications and public services broadens the blast radius. Stolen cloud credentials in particular can turn a single compromised web server into a compromised cloud account. With proof-of-concept exploits already weaponized, the window for mitigation is short.

Mitigation Recommendations

European organizations should first build an inventory of every deployment of React Server Components and of the dependent frameworks (Next.js, React Router, Waku, Parcel, Vite, RedwoodSDK). Check lockfiles rather than package.json: the react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack packages are versioned in lockstep with React and are often pinned as nested dependencies of a framework, so updating the top-level react package alone does not remove the vulnerable code. Apply React 19.0.1, 19.1.2 or 19.2.1 (whichever matches the minor line in use) together with the corresponding patched releases of the framework, and rebuild and redeploy.

Where patching cannot happen immediately, restrict reachability of the vulnerable endpoints at the network layer and deploy web application firewall rules that detect and block suspicious payloads sent to React Server Function endpoints, treating this as a stopgap rather than a fix. Audit internet-facing services to shrink exposure, and disable or isolate vulnerable components where feasible. Monitor server logs and network traffic for indicators of compromise: unusual HTTP requests to Server Function endpoints, unexpected PowerShell or shell command execution by the web server process, outbound connections to payload-hosting infrastructure, and signs of cryptocurrency miner activity such as sustained CPU load. Use threat intelligence feeds to recognize scanning and exploitation attempts.

Assume credential exposure on any host that was reachable while unpatched: review and rotate cloud credentials, especially AWS keys, and check cloud audit logs for their use from unfamiliar sources. Enforce strict access controls and network segmentation so that a compromised web server cannot move laterally. Finally, train development teams on secure deserialization and add testing for deserialization flaws to CI/CD pipelines to catch this bug class before it ships.
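The inventory step above is the one most often done wrong, because the vulnerable packages are nested under a framework rather than listed in package.json. The following script, added here as an example and not code from the article, React or any of the frameworks named, walks a package-lock.json (lockfileVersion 2 or 3) and classifies each copy of the three react-server-dom-* packages against the patched releases the advisory lists (19.0.1, 19.1.2, 19.2.1). The sample lockfile embedded at the bottom is constructed for the demonstration; the fixed-version table, the treatment of prerelease and canary builds as "review" rather than guessing, and the handling of 19.x minor lines not named on the page are assumptions of this example and should be checked against the vendor advisory.

```javascript
// Added example: classify react-server-dom-* packages in a package-lock.json
// against the React2Shell fix releases. Not part of React or any framework.

// Packages named in the advisory summary as shipping the vulnerable Flight code.
const AFFECTED_PACKAGES = new Set([
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
]);

// First patched patch-level per 19.x minor line: 19.0.1, 19.1.2, 19.2.1.
// Assumption of this example: lines not listed here are sent for manual review.
const FIXED_PATCH_BY_MINOR = { 0: 1, 1: 2, 2: 1 };

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numbers; null if unparseable.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(version));
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Returns 'fixed', 'vulnerable' or 'review'. Canary/prerelease builds, non-19.x
// versions and unknown minor lines are 'review': the page gives no fix data for
// them, so the script refuses to guess either way.
function classifyVersion(version) {
  const p = parseVersion(version);
  if (!p || p.major !== 19 || p.prerelease) return 'review';
  const fixedPatch = FIXED_PATCH_BY_MINOR[p.minor];
  if (fixedPatch === undefined) return 'review';
  return p.patch >= fixedPatch ? 'fixed' : 'vulnerable';
}

// Lockfile v2/v3 keys look like "node_modules/<name>" or, for copies pinned by a
// framework, "node_modules/<framework>/node_modules/<name>". The package name is
// whatever follows the last "node_modules/", which also keeps scoped names intact.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!AFFECTED_PACKAGES.has(name)) continue;
    findings.push({
      path,
      name,
      version: entry.version,
      status: classifyVersion(entry.version),
    });
  }
  return findings;
}

// One-line summary suitable for a CI gate; 'vulnerable' findings should fail the build.
function summarize(lock) {
  const findings = scanLockfile(lock);
  const counts = { fixed: 0, vulnerable: 0, review: 0 };
  for (const f of findings) counts[f.status] += 1;
  return `${findings.length} react-server-dom-* copies: ` +
    `${counts.vulnerable} vulnerable, ${counts.review} need review, ${counts.fixed} fixed`;
}

// Constructed sample lockfile (not a real project): one vulnerable top-level copy,
// one patched nested copy pinned under a framework, one canary build to review.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/react': { version: '19.2.1' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/some-framework/node_modules/react-server-dom-turbopack': { version: '19.1.2' },
    'node_modules/react-server-dom-parcel': { version: '19.2.0-canary-0123abcd' },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`);
}
console.log(summarize(SAMPLE_LOCK));
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. Any 'vulnerable' result means the build still contains the unpatched Flight code regardless of what package.json says about react, and a 'review' result on a canary build is a prompt to consult the vendor advisory, not a clean bill of health.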


Technical Details

Article Source: https://thehackernews.com/2025/12/critical-react2shell-flaw-added-to-cisa.html (fetched 2025-12-06T11:45:05 UTC, 1177 words)

Threat ID: 6934174311364f3ab440a492

Added to database: 12/6/2025, 11:45:07 AM

Last enriched: 12/6/2025, 11:45:25 AM

Last updated: 12/6/2025, 3:19:02 PM
