CVE-2025-55182 is a serious remote code execution flaw in React Server Components that allows attackers to execute arbitrary code via a single malicious HTTP request. Both Windows and Linux environments are affected, with exploitation attempts involving coin miners and other malware. Immediate action is needed to patch vulnerable systems and enhance security measures.
CVE-2025-55182, also known as React2Shell, is a severe remote code execution vulnerability affecting React Server Components and Next.js. With a CVSS score of 10.0, it allows attackers to execute arbitrary code on vulnerable servers through a single malicious HTTP request. Exploitation attempts began as early as December 5, 2025, with most activity linked to red team assessments, but real-world attacks have also been observed. Affected environments include both Windows and Linux, with attackers primarily deploying coin miners through these exploits.
The vulnerability arises because certain versions of React Server Components don't validate incoming payloads properly. This flaw enables attackers to inject malicious inputs that the server accepts, leading to prototype pollution and remote code execution (RCE). Microsoft Defender telemetry indicates that many organizations using React applications are vulnerable, with hundreds of machines compromised. Attackers have been seen deploying remote access trojans (RATs) and secret discovery tools to steal credentials from cloud services like Azure and AWS.
To mitigate this threat, Microsoft advises users to identify affected packages such as `react-server-dom-webpack` and `next` in their projects, and to upgrade to patched versions immediately. Patched versions to upgrade to include React 19.0.1 and Next.js 15.1.9 or higher. Microsoft recommends prioritizing internet-facing services for updates and using Microsoft Defender Vulnerability Management to track remediation. Additionally, implementing Azure Web Application Firewall (WAF) custom rules can help block exploit attempts during the patching process.
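An added example, not code from Microsoft or from the React or Next.js projects: a lockfile check for the two packages named above. It assumes an npm `package-lock.json` with a `packages` map (lockfileVersion 2 or 3), assumes `react-server-dom-webpack` is versioned in step with React, and sends any release line the page gives no floor for to the vendor advisory instead of guessing.

```javascript
// Floors are the two versions named in the summary above. Other release
// lines are flagged for manual review: the page lists no floor for them.
const FLOORS = new Map([
  ["react-server-dom-webpack", "19.0.1"], // assumption: tracks React versions
  ["next", "15.1.9"],
]);

// Returns [major, minor, patch], ignoring any prerelease suffix, or null.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function classify(name, version) {
  const have = parseVersion(version);
  const floor = parseVersion(FLOORS.get(name));
  if (!have || !floor) return "unparsed";
  // A different major.minor line has its own patched release, not this floor.
  if (have[0] !== floor[0] || have[1] !== floor[1]) return "check-advisory";
  return have[2] < floor[2] ? "below-floor" : "at-or-above-floor";
}

// Walks every installed copy, including nested ones pulled in transitively.
function auditLockfile(lock) {
  const marker = "node_modules/";
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    if (idx === -1) continue; // the root project entry has the key ""
    const name = path.slice(idx + marker.length);
    if (!FLOORS.has(name)) continue;
    findings.push({ path, name, version: meta.version, status: classify(name, meta.version) });
  }
  return findings;
}

// Constructed sample lockfile (not taken from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/next": { version: "15.1.3" },
    "node_modules/react-server-dom-webpack": { version: "19.0.1" },
    "node_modules/some-plugin/node_modules/next": { version: "14.2.5" },
    "node_modules/react": { version: "19.0.0" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`${f.status}\t${f.name}@${f.version}\t${f.path}`);
```

To run it against a real project, pass the parsed contents of that project's `package-lock.json` to `auditLockfile` in place of `SAMPLE_LOCK`.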