Exploitation of the React2Shell vulnerability (CVE-2025-55182)

Posted date 30/04/2026

The vulnerability known as React2Shell (CVE-2025-55182) was publicly disclosed in early December 2025, when the React team issued an urgent security advisory warning of a critical flaw in its server component architecture. Around the same time, the ecosystem of frameworks that rely on React, particularly Next.js, began assessing the impact of the issue. Within days, the cybersecurity community and numerous technology companies confirmed the severity of the vulnerability, highlighting its potential to enable remote code execution without authentication. The speed with which the information spread prompted many development teams to activate incident response protocols.

This vulnerability allows attackers to exploit flaws in the React Server Components serialization mechanism, making it possible to execute malicious code on servers running affected applications. Shortly after its disclosure, active exploitation campaigns were detected, some attributed to organized groups, which took advantage of the flaw to compromise systems and extract sensitive data such as credentials, tokens, and internal configurations. Among the most affected are companies using applications built with React and Next.js, including production platforms that had not applied the patches in time. In response, the React development teams and providers such as Vercel released security updates and mitigation guidelines, recommending updating dependencies, restricting vulnerable endpoints, and monitoring suspicious access. Additionally, cybersecurity firms issued urgent alerts in light of the active, large-scale exploitation.

As things stand, the vulnerability is considered known and partially mitigated, although it continues to pose a significant risk to systems that have not been properly updated or audited. Throughout 2026, campaigns exploiting unpatched instances have continued to be detected, indicating that the problem persists beyond its initial disclosure.