The React2Shell vulnerability (CVE-2025-55182) is an active exploit targeting web servers running React-based applications. The exploit payloads leverage a technique that abuses JavaScript prototype pollution or similar injection vectors to execute arbitrary code on the server. The payload downloads a malicious binary from a remote server (e.g., http://51.81.104.115/nuts/poop) and writes it to writable temporary directories such as /dev/shm/lrt or /tmp/lrt on Linux systems. These directories are typically world-writable and accessible by non-root processes, including web server processes. After writing the binary, the exploit sets executable permissions (chmod 755) on the file, preparing it for execution. Although the exact execution trigger is not explicitly confirmed, the presence of the binary and its permissions strongly suggest that the attacker can run the malware, which is identified by VirusTotal as either adware or cryptocurrency mining software. This indicates the attacker’s intent to monetize compromised servers through resource abuse. The exploit does not require root privileges, which lowers the barrier for exploitation, but it does rely on the web application running with sufficient permissions to write and modify files in these temporary directories. The exploit is persistent and has been observed repeatedly, suggesting that vulnerable servers have likely been compromised multiple times. Mitigation recommendations include hardening Linux systems by mounting /tmp as a separate partition with the noexec flag to prevent execution of binaries from this directory, restricting permissions on writable temporary directories, and ensuring web applications run with least privilege. Additionally, patching React versions and applying security updates is critical, although no specific affected versions or patches were detailed in the source. The threat remains relevant due to the widespread use of React in web applications and the common configuration of Linux servers with writable temporary directories.

For European organizations, the React2Shell exploit poses a significant risk to web servers running React-based applications on Linux platforms. Successful exploitation can lead to unauthorized code execution, allowing attackers to deploy malware such as cryptocurrency miners or adware, which can degrade system performance, increase operational costs, and potentially serve as a foothold for further network compromise. Confidentiality may be impacted if attackers use the compromised server to exfiltrate data or pivot within the network. Integrity and availability are also at risk due to potential malware activity and resource exhaustion. The persistence of the exploit and repeated compromise attempts indicate that vulnerable servers may already be heavily targeted. Organizations in sectors with high-value web assets, such as finance, e-commerce, and public services, could face reputational damage and regulatory consequences under GDPR if breaches occur. The exploit’s reliance on writable temporary directories and moderate privilege levels means that many standard Linux server configurations are vulnerable, increasing the attack surface across European data centers and cloud providers.

1. Mount /tmp and /dev/shm as separate partitions with the noexec flag to prevent execution of binaries from these writable temporary directories. 2. Restrict permissions on temporary directories to limit write access only to necessary system processes and users. 3. Ensure web applications and services run with the least privilege principle, avoiding running as root or with excessive filesystem permissions. 4. Apply all relevant security patches and updates to React libraries and dependent frameworks as soon as they become available. 5. Implement runtime application self-protection (RASP) or web application firewalls (WAFs) with rules to detect and block exploit payload patterns related to prototype pollution or suspicious file writes. 6. Monitor outbound network connections from web servers to detect unusual downloads or command-and-control communications, especially to suspicious IP addresses like those identified in the exploit. 7. Conduct regular security audits and penetration testing focused on injection vulnerabilities and server-side code execution risks. 8. Educate development and operations teams about secure coding practices to prevent prototype pollution and similar injection flaws in React applications.