More React2Shell Exploits CVE-2025-55182, (Mon, Dec 15th)
Exploits for React2Shell (CVE-2025-55182) remain active. However, at this point, I would think that any servers vulnerable to the "plain" exploit attempts have already been exploited several times. Here is today's most popular exploit payload:
AI Analysis
Technical Summary
React2Shell (CVE-2025-55182) is a remote code execution vulnerability in React Server Components. The server-side Flight deserializer in the react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack packages (used by Next.js App Router and similar frameworks) reconstructs objects from attacker-controlled request bodies in a way that lets a crafted payload manipulate the prototype chain of those objects and call functions it should never reach, so a single unauthenticated HTTP request runs arbitrary JavaScript inside the Node.js process. Client-only React applications are not affected. The payload in this diary calls process.mainModule.require to load the 'http' and 'fs' modules, downloads a binary from 51.81.104.115, writes it to /dev/shm/lrt (falling back to /tmp/lrt), sets mode 755 and executes it. The binary is variously flagged as adware or a cryptocurrency miner; resource abuse is the clear outcome, while data exfiltration is possible but not established by the sample. Exploitation attempts are continuing, with several payload variants observed, and any server that was vulnerable to the plain, unobfuscated attempts has very likely been compromised already and should be treated as such rather than merely patched. Mounting /tmp and /dev/shm noexec stops this particular dropper from running its binary, but it does not remove the code-execution primitive: the attacker still runs code inside the Node.js process and can write to any other directory that process can reach, and some applications expect an executable /tmp. The durable fix is upgrading the react-server-dom-* packages to a fixed React release (19.0.1, 19.1.2 or 19.2.1 per the React advisory) together with the framework release that bundles them.
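The vulnerable pattern, as an added example that is neither React's code nor taken from the diary: a deserializer that resolves a string "reference" by walking property names can be steered up the prototype chain to the global Function constructor, which compiles arbitrary source. The hardened resolver beside it walks only own data properties and rejects the three names that reach the prototype chain. Function names are assumed and the untrusted input is constructed for the illustration.

```javascript
// Untrusted input, constructed for this example: the shape a deserializer
// might accept, where a string field refers to another value by property path.
const UNTRUSTED_PAYLOAD = {
  greeting: "hello",
  ref: "constructor.constructor", // attacker-chosen path
};

// Vulnerable resolver (assumed name): follows any key, including inherited
// ones, so "constructor" on a plain object yields Object, and
// "constructor.constructor" yields the global Function constructor.
function resolveUnsafe(root, path) {
  let cur = root;
  for (const key of path.split(".")) {
    if (cur === null || cur === undefined) return undefined;
    cur = cur[key];
  }
  return cur;
}

// Keys that move a lookup onto the prototype chain rather than the data.
const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened resolver (assumed name): rejects dangerous keys outright and only
// follows own properties. Note that JSON.parse('{"__proto__":{}}') creates an
// OWN property literally named "__proto__", so the own-property check alone is
// not enough; the key denylist is what stops that case.
function resolveSafe(root, path) {
  let cur = root;
  for (const key of path.split(".")) {
    if (DANGEROUS_KEYS.has(key)) throw new Error(`rejected key: ${key}`);
    if (cur === null || typeof cur !== "object") return undefined;
    if (!Object.prototype.hasOwnProperty.call(cur, key)) return undefined;
    cur = cur[key];
  }
  return cur;
}

// The unsafe resolver hands back Function from a plain data object.
function unsafeReachesFunctionConstructor() {
  const f = resolveUnsafe({ greeting: "hello" }, UNTRUSTED_PAYLOAD.ref);
  return f === Function;
}

// With Function in hand the attacker compiles and runs code. Only a harmless
// expression is evaluated here; a real payload returns `process` and goes on
// to process.mainModule.require('fs') / require('http') as in the diary.
function unsafeExecutesAttackerCode() {
  const F = resolveUnsafe({}, "constructor.constructor");
  return F("return 6 * 7")();
}

// The hardened resolver refuses the same path.
function safeRejectsPrototypeWalk() {
  try {
    resolveSafe({ greeting: "hello" }, UNTRUSTED_PAYLOAD.ref);
    return false;
  } catch (e) {
    return /rejected key/.test(e.message);
  }
}

// Legitimate paths still work, and inherited names are simply not found.
function safeResolvesOwnDataOnly() {
  const doc = { a: { b: 1 } };
  return resolveSafe(doc, "a.b") === 1 && resolveSafe(doc, "a.toString") === undefined;
}
```

The fix is not the denylist alone: a resolver that only ever follows own properties of objects created with Object.create(null), or that maps reference strings through an explicit allowlist of known ids, removes the whole class rather than three names. The denylist is shown because it is the minimum a reviewer should expect to see.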
Potential Impact
For European organizations running React Server Components (Next.js App Router in particular) on internet-facing hosts, the exploit gives an unauthenticated attacker code execution as the application user. That means theft of anything the process can read (environment variables, secrets, database credentials, customer data), tampering with the application and its responses, and, in the campaign described here, CPU hijacking for mining that degrades performance and raises cloud costs. Because the exploit is trivial to automate and has been sprayed across the whole internet, repeated compromise is the norm for unpatched hosts rather than the exception, and a writable, executable /tmp or /dev/shm makes the dropper's job easier. The 'medium' severity attached to this entry is the aggregator's rating of the diary post; the underlying vulnerability is rated critical (CVSS 10.0) in React's advisory, and patching should be treated with that urgency.
Mitigation Recommendations
1. Upgrade the react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack packages to a fixed React release (19.0.1, 19.1.2 or 19.2.1) and install the matching Next.js or other framework patch release; check the lockfile so that no transitive copy of an old version remains.
2. Mount /tmp and /dev/shm as separate tmpfs filesystems with the noexec, nosuid and nodev options. This blocks the dropper in this campaign but not the underlying code execution, so test applications that build native modules or place executables in /tmp before rolling it out.
3. Restrict the application's own writable locations: run the Node.js process as a dedicated unprivileged user, make the application directory read-only to that user, and avoid world-writable directories other than the hardened temp mounts.
4. Put a WAF or runtime protection rule in front of RSC and server-action endpoints that rejects payloads containing prototype-chain keys (__proto__, constructor, prototype) and Node.js strings seen in the payloads such as process.mainModule.require; treat this as a stopgap, since obfuscated variants already exist.
5. Alert on outbound connections from web servers to unexpected hosts, and block 51.81.104.115 at the perimeter while expecting the address to change.
6. Audit code and dependencies for deserialization of untrusted input and prototype-pollution patterns in JavaScript.
7. Use EDR or file-integrity monitoring to detect executable files appearing in /dev/shm and /tmp (here /dev/shm/lrt and /tmp/lrt) and unexpected child processes of the Node.js server.
8. Train development and operations teams on safe handling of untrusted input in JavaScript, in particular never resolving attacker-supplied property paths or merging attacker-supplied objects into application state.
9. Run the application in a container or sandbox with a read-only root filesystem, no-new-privileges and minimal capabilities, so that a foothold in the process does not become a host compromise.
10. Keep tested backups and an incident response plan. For any host that was exposed while unpatched, assume compromise: preserve the evidence (dropped files, process listings, outbound connections), then rebuild rather than clean.
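A check for recommendation 2, as an added example that is not from the diary: parse /proc/self/mounts and report whether /tmp and /dev/shm are separate mounts carrying noexec, nosuid and nodev, with the fstab or remount line that would fix each one. The sample mount tables are constructed; on a live host pass fs.readFileSync('/proc/self/mounts', 'utf8') to auditMounts. Function names are assumed.

```javascript
// Options the hardened temp mounts should carry.
const REQUIRED_OPTS = ["noexec", "nosuid", "nodev"];
// Mount points the dropper in this campaign writes to.
const WATCHED_MOUNTPOINTS = ["/tmp", "/dev/shm"];

// Parse /proc/mounts lines: "<source> <mountpoint> <fstype> <options> <dump> <pass>".
function parseMounts(text) {
  const mounts = new Map();
  for (const line of text.split("\n")) {
    const fields = line.trim().split(/\s+/);
    if (fields.length < 4) continue; // blank or malformed line
    const [source, target, fstype, opts] = fields;
    // Spaces in mount points are octal-escaped as \040 by the kernel.
    mounts.set(target.replace(/\\040/g, " "), {
      source,
      fstype,
      opts: new Set(opts.split(",")),
    });
  }
  return mounts;
}

// One finding per watched mount point. A path that is not its own mount
// lives on the parent filesystem (usually /) and inherits exec permission,
// so it is reported as weak with a full fstab line as the fix.
function auditMounts(text) {
  const mounts = parseMounts(text);
  const findings = [];
  for (const mp of WATCHED_MOUNTPOINTS) {
    const m = mounts.get(mp);
    if (!m) {
      findings.push({
        mountpoint: mp,
        status: "not-a-separate-mount",
        missing: REQUIRED_OPTS.slice(),
        fix: `tmpfs ${mp} tmpfs defaults,${REQUIRED_OPTS.join(",")} 0 0`,
      });
      continue;
    }
    const missing = REQUIRED_OPTS.filter((o) => !m.opts.has(o));
    findings.push({
      mountpoint: mp,
      status: missing.length ? "weak" : "ok",
      missing,
      fix: missing.length ? `mount -o remount,${missing.join(",")} ${mp}` : null,
    });
  }
  return findings;
}

function hasWeakTempMounts(text) {
  return auditMounts(text).some((f) => f.status !== "ok");
}

// Constructed sample: /tmp is just a directory on the root filesystem and
// /dev/shm allows execution, which is the layout the dropper relies on.
const SAMPLE_WEAK = `
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
`;

// Constructed sample: both temp mounts hardened.
const SAMPLE_HARDENED = `
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
`;

for (const f of auditMounts(SAMPLE_WEAK)) {
  console.log(`${f.mountpoint}: ${f.status}` + (f.fix ? `  fix: ${f.fix}` : ""));
}
```

Treat a clean result as removing one dropper technique, not as mitigating the CVE: the attacker already executes JavaScript inside the Node.js process and can write to any directory that process owns, or avoid the filesystem entirely, so the audit belongs beside the package upgrade in recommendation 1, not in place of it.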
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Article source: https://isc.sans.edu/diary/rss/32572 (fetched 2025-12-15T13:30:07Z, 384 words)
Threat ID: 69400d5fd9bcdf3f3ddc5ae3
Added to database: 12/15/2025, 1:30:07 PM
Last enriched: 12/15/2025, 1:30:26 PM
Last updated: 12/16/2025, 9:04:51 AM