React2Shell exploit: What happened and lessons learned
Blog post from LogRocket
On December 3, 2025, a severe vulnerability known as React2Shell (CVE-2025-55182) was identified in React Server Components. Rated with a maximum CVSS score of 10.0, it enabled remote code execution (RCE) on affected servers. The flaw, which was quickly exploited by state-sponsored actors and cryptomining groups, stemmed from a deserialization weakness in the React Flight protocol that allowed attackers to execute arbitrary code on vulnerable servers. React2Shell highlights the importance of security principles such as validating deserialized data and maintaining strict ownership checks. The React team rapidly addressed the issue with an emergency patch, and developers using affected versions of React Server Components were urged to update immediately to secure their applications. The incident underscores the critical need for robust security practices in web development.
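The two principles the post names as lessons, validating deserialized data before acting on it and enforcing ownership checks against the authenticated session, as an added generic illustration in JavaScript. This is not React's code and not the patch the post describes; the message shape, the single `update` message type, the in-memory resource store and the `handleRequest` path are all constructed for this example.

```javascript
// Added example, not React's code or the React2Shell fix. It shows the two
// defensive checks named in the post applied to untrusted deserialized input:
// an explicit schema with a key allowlist, and an ownership check keyed on
// the server-side session identity rather than anything in the message.

// Schema for the one message type this hypothetical server accepts (assumption).
const MESSAGE_SCHEMA = {
  type: (v) => v === "update",
  id: (v) => typeof v === "string" && /^[a-z0-9-]{1,64}$/.test(v),
  payload: (v) => typeof v === "object" && v !== null && !Array.isArray(v),
};

// Parse untrusted JSON and validate it against the allowlist.
// Rejects malformed input, non-object roots, unknown keys, missing keys
// and values of the wrong type. Nothing is acted on before this passes.
function parseAndValidate(rawText) {
  let parsed;
  try {
    parsed = JSON.parse(rawText);
  } catch {
    return { ok: false, reason: "malformed JSON" };
  }
  if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
    return { ok: false, reason: "root must be an object" };
  }
  const expected = Object.keys(MESSAGE_SCHEMA);
  for (const key of Object.keys(parsed)) {
    if (!expected.includes(key)) {
      return { ok: false, reason: `unexpected key: ${key}` };
    }
  }
  for (const key of expected) {
    if (!Object.prototype.hasOwnProperty.call(parsed, key)) {
      return { ok: false, reason: `missing key: ${key}` };
    }
    if (!MESSAGE_SCHEMA[key](parsed[key])) {
      return { ok: false, reason: `invalid value for ${key}` };
    }
  }
  return { ok: true, message: parsed };
}

// Constructed in-memory store: resource id -> owning user id.
const RESOURCE_OWNERS = new Map([
  ["doc-1", "alice"],
  ["doc-2", "bob"],
]);

// Ownership check: the caller may only act on resources they own.
// sessionUserId comes from the server's authenticated session, never from
// the deserialized message, so the client cannot assert its own identity.
function authorize(message, sessionUserId) {
  const owner = RESOURCE_OWNERS.get(message.id);
  if (owner === undefined) return { ok: false, reason: "unknown resource" };
  if (owner !== sessionUserId) return { ok: false, reason: "not owner" };
  return { ok: true };
}

// Full handling path: validate first, then authorize, then act.
// Returns an HTTP-style status so the outcome can be checked directly.
function handleRequest(rawText, sessionUserId) {
  const v = parseAndValidate(rawText);
  if (!v.ok) return { status: 400, reason: v.reason };
  const a = authorize(v.message, sessionUserId);
  if (!a.ok) return { status: 403, reason: a.reason };
  return { status: 200, id: v.message.id };
}

// Sample constructed requests (same user "alice" from the session).
console.log(handleRequest('{"type":"update","id":"doc-1","payload":{"x":1}}', "alice"));
console.log(handleRequest('{"type":"update","id":"doc-2","payload":{"x":1}}', "alice"));
console.log(handleRequest('{"type":"update","id":"doc-1","payload":{},"extra":1}', "alice"));
```

The order matters: the shape check runs before any field is looked up, and the ownership check uses only the session identity and the server's own ownership record, so a message that names another user's resource is rejected with 403 regardless of what else it carries.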