React2Shell Exploitation Escalates into Large-Scale Global Attacks, Forcing Emergency Mitigation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged federal agencies to patch the recent React2Shell vulnerability by December 12, 2025, amid reports of widespread exploitation. The critical vulnerability, tracked as CVE-2025-55182 (CVSS score: 10.0), affects the React Server Components (RSC) Flight protocol. The underlying cause of the issue is an unsafe deserialization
AI Analysis
Technical Summary
The React2Shell vulnerability, tracked as CVE-2025-55182 (CVSS 10.0), is a critical unauthenticated remote code execution (RCE) flaw in the React Server Components (RSC) Flight protocol. Because the flaw sits in React's own server-side Flight implementation, it is inherited by every framework that builds on it, including Next.js, Waku, Vite's RSC plugin, React Router and RedwoodSDK. The root cause is unsafe deserialization: the server decodes attacker-supplied Flight payloads, and a crafted payload makes it execute arbitrary JavaScript inside the server process, with whatever privileges that process holds. Exploitation needs a single specially crafted HTTP request to an exposed RSC endpoint, with no authentication, user interaction or elevated permissions, which makes the attack trivially scriptable and easy to run at internet scale.

Since public disclosure on December 3, 2025, multiple threat actors have run large-scale campaigns using internet-wide scanning and asset discovery tools to find vulnerable hosts. Observed targets include internet-facing Next.js applications, containerized workloads in Kubernetes and managed cloud services. Reconnaissance has concentrated on high-value targets such as government websites, academic institutions, critical infrastructure operators and technology firms that provide password managers and secure vaults, which points to supply chain ambitions. Some scanning deliberately excluded Chinese IP ranges while probing Taiwan, Xinjiang, Vietnam, Japan and New Zealand at high density, suggesting an intelligence-collection motive alongside the opportunistic activity. Kaspersky recorded over 35,000 exploitation attempts in a single day, with payloads that included cryptocurrency miners and botnet malware such as Mirai/Gafgyt variants and RondoDox. The Shadowserver Foundation identified over 137,200 internet-exposed IP addresses running vulnerable code, with significant concentrations in the U.S., Germany (10,900) and France (5,500).

CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog with an accelerated remediation deadline of December 12, 2025, underscoring the urgency. Public proof-of-concept exploit scripts and active scanning further raise the threat level. Because the flaw yields arbitrary code execution in the server process, a successful attack compromises the confidentiality, integrity and availability of the affected system and can lead to data theft, service disruption and lateral movement into the surrounding network.
Potential Impact
For European organizations, React2Shell poses a severe risk because Next.js and React are widely used in web applications and cloud-native environments. Unauthenticated remote code execution means attackers can take over servers that are directly exposed to the internet, leading to data breaches, service outages and malware infections including cryptominers and botnet implants. Government agencies, academic research institutions and critical infrastructure operators are being specifically targeted, which raises the risk of espionage, sabotage and supply chain compromise. The more than 16,000 vulnerable instances observed in Germany and France alone show the scale of exposure. The attackers' interest in enterprise password managers and secure vault services could enable credential theft and compromise of downstream systems, and exploitation against edge-facing SSL VPN appliances that embed React components threatens secure remote access infrastructure. Because the campaigns are automated and fast, widespread impact is likely, potentially disrupting essential services and undermining trust in digital platforms. The geopolitical targeting pattern also suggests that European countries with strategic technology and infrastructure assets may face heightened surveillance and attack attempts.
Mitigation Recommendations
European organizations should treat this as an emergency patch: upgrade every affected React Server Components package and every framework built on them (Next.js, Waku, Vite's RSC plugin, React Router and RedwoodSDK) to the fixed versions published by their vendors, outside normal maintenance windows. Note that Next.js bundles its own copy of the React server runtime, so upgrading the react and react-dom packages alone does not fix a Next.js application; the next package itself must be moved to a fixed release. Start with an inventory: search lockfiles and container images for the react-server-dom-* packages and for next, and include applications deployed through managed cloud platforms, which were among the observed targets.

Until patches are in place, reduce exposure: segment internet-facing applications and containerized workloads from critical internal systems, apply strict ingress filtering, and deploy web application firewall (WAF) rules for this vulnerability. Treat WAF signatures as a stopgap rather than a fix, since they match known payload shapes and can be bypassed or cause false positives on legitimate server-action traffic. Continuously monitor logs and network traffic for indicators of compromise, including unusual command execution, reconnaissance activity and malware deployment, and review containers and nodes that hosted vulnerable applications for cryptominers and botnet implants, since a patch does not remove an implant that arrived before it. Audit and restrict the administrative interfaces of SSL VPN appliances and other edge devices that may embed vulnerable React components. Runtime application self-protection (RASP) and container security tooling can detect and block malicious code execution that gets past the perimeter. Rehearse incident response for this vulnerability's exploitation scenarios, and coordinate with national cybersecurity agencies and information-sharing groups for emerging indicators and mitigation guidance.
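The monitoring recommendation above is easiest to act on for Next.js, where a server action is invoked by a POST carrying the Next-Action request header with the action ID the build generated. The script below, added here as an illustration and not taken from the article or from the React or Next.js projects, runs three heuristics over access logs: a Next-Action value that the application's own build never produced, a Next-Action header on a non-POST request, and one client sending server-action requests to many distinct paths. The JSON-lines log format (field names ip, method, path, status, next_action), the sample log lines and the set of known action IDs are all constructed for the example; in a real deployment the IDs come from the build's server reference manifest and the header field from however the reverse proxy is configured to log it.

```python
"""Flag suspected React2Shell (CVE-2025-55182) probing in reverse-proxy access logs.

Added example, not from the article or the React/Next.js projects. Assumes a
JSON-lines access log in which the proxy records the client IP, method, path,
status and the value of the Next-Action request header. The field names, the
log lines and the set of known action IDs below are constructed.
"""
import json
from collections import defaultdict

# Constructed: the server-action IDs your own build emitted. In production,
# read them from the Next.js build output (server reference manifest).
KNOWN_ACTION_IDS = {
    "0ac3f9d1e7b6c2a4d8f0e1b2c3d4e5f60718293a",
    "7f1e2d3c4b5a69788776655443322110ffeeddcc",
}

# A client that has sent server-action requests to this many distinct paths
# is treated as a scanner. Tune to your traffic.
SCAN_PATH_THRESHOLD = 3

# Constructed log: one legitimate action call, one plain page view, three
# probes from a single source with an ID the build never produced, and a GET
# that carries the header although actions are only invoked over POST.
SAMPLE_LOG = """\
{"ts":"2025-12-05T10:00:01Z","ip":"203.0.113.10","method":"POST","path":"/dashboard","status":200,"next_action":"0ac3f9d1e7b6c2a4d8f0e1b2c3d4e5f60718293a"}
{"ts":"2025-12-05T10:00:02Z","ip":"203.0.113.11","method":"GET","path":"/","status":200}
{"ts":"2025-12-05T10:00:03Z","ip":"198.51.100.7","method":"POST","path":"/","status":500,"next_action":"ffffffffffffffffffffffffffffffffffffffff"}
{"ts":"2025-12-05T10:00:03Z","ip":"198.51.100.7","method":"POST","path":"/login","status":500,"next_action":"ffffffffffffffffffffffffffffffffffffffff"}
{"ts":"2025-12-05T10:00:04Z","ip":"198.51.100.7","method":"POST","path":"/api/health","status":404,"next_action":"ffffffffffffffffffffffffffffffffffffffff"}
{"ts":"2025-12-05T10:00:05Z","ip":"198.51.100.8","method":"GET","path":"/","status":200,"next_action":"0ac3f9d1e7b6c2a4d8f0e1b2c3d4e5f60718293a"}
"""


def parse_line(line):
    """Parse one JSON log line; return None for blank or malformed lines."""
    line = line.strip()
    if not line:
        return None
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None


def analyze(lines, known_ids=KNOWN_ACTION_IDS, scan_threshold=SCAN_PATH_THRESHOLD):
    """Return a list of findings, each a dict with a "rule" and the source "ip".

    unknown_action_id  - a server-action POST whose Next-Action value is not one
                         the build produced; a probe, an exploit attempt or a
                         stale client, so triage the source.
    action_on_non_post - Next-Action sent with a method other than POST; server
                         actions are only invoked over POST.
    scanner            - one client sent server-action requests to
                         scan_threshold or more distinct paths.
    """
    findings = []
    paths_per_ip = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or "next_action" not in rec:
            continue  # ordinary traffic, or a line we cannot read
        ip, path, method = rec["ip"], rec["path"], rec["method"].upper()
        paths_per_ip[ip].add(path)
        if method != "POST":
            findings.append({"rule": "action_on_non_post", "ip": ip,
                             "path": path, "method": method})
            continue
        if rec["next_action"] not in known_ids:
            findings.append({"rule": "unknown_action_id", "ip": ip, "path": path,
                             "status": rec.get("status"), "action": rec["next_action"]})
    for ip, paths in paths_per_ip.items():
        if len(paths) >= scan_threshold:
            findings.append({"rule": "scanner", "ip": ip, "distinct_paths": len(paths)})
    return findings


def summarize(findings):
    """Count findings per rule, for an alert threshold or a dashboard."""
    counts = defaultdict(int)
    for finding in findings:
        counts[finding["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG.splitlines())
    for finding in results:
        print(finding)
    print(summarize(results))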
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Austria
Technical Details
- Article source: https://thehackernews.com/2025/12/react2shell-exploitation-escalates-into.html (fetched 2025-12-12, 1,213 words)
Threat ID: 693be412406b3dd4e0220014
Added to database: 12/12/2025, 9:44:50 AM
Last enriched: 12/12/2025, 9:45:37 AM
Last updated: 12/12/2025, 6:05:38 PM