When a 10.0 CVSS Hits: Inside the React2Shell Mobilization

Time is an essential resource in the world of cybersecurity, and critical vulnerabilities rarely respect the clock.
So when a maximum-severity vulnerability was discovered in a widely used technology last week, it triggered an immediate, all-hands-on-deck operational shift from a technical problem to an urgent, systemic risk.
Coalition security teams responded immediately, not only identifying policyholders at risk but reaching out to them, providing hands-on support, and assisting with patching before the vulnerability could be exploited against them.
This is the story of how Coalition mobilized to combat a potentially massive cyber risk aggregation event in React2Shell.
Revisiting the React2Shell timeline
React2Shell is the name given to CVE-2025-55182, a critical deserialization vulnerability found in React Server and Next.js applications that allows remote code execution (RCE) without authentication, enabling attackers to take control of the system.
The vulnerability was first reported by a security researcher on November 29, 2025, and disclosed by the vendor on December 3, 2025. Soon after, threat intelligence teams confirmed active exploitation, including exploitation by state-linked groups targeting internet-facing systems, and the vulnerability was assigned a 10.0 rating on the Common Vulnerability Scoring System (CVSS) — the highest possible score.
The US Cybersecurity and Infrastructure Security Agency (CISA) also added React2Shell to its Known Exploited Vulnerabilities (KEV) catalog on December 5, 2025.
Why React2Shell is a big deal
To understand the magnitude of React2Shell, consider the potential impact and scale:
Impact: Unauthenticated total compromise
In simple terms, React2Shell is a direct path to RCE, meaning an attacker on the internet could send a specially crafted web request and remotely run their own code on your server — no login needed. This is a worst-case scenario, leading immediately to data theft, ransomware staging, and business interruption.
Scale: A systemic cyber risk aggregation event
React is a widely deployed, open-source JavaScript library used by many modern websites, SaaS tools, and e-commerce platforms. Next.js is a React-based framework that extends React's capabilities by adding features such as server-side rendering, routing, and the creation of API endpoints.
React2Shell shares some of the hallmarks of the 2021 Log4Shell vulnerability (CVE-2021-44228), which led to hundreds of ransomware attacks and had lasting impacts.
The React2Shell vulnerability exists in backend React Server Components, which means the vast majority of React applications are not vulnerable. However, we observed significant exposure in Next.js applications, which use React Server Components. All modern Next.js applications were vulnerable by default when CVE-2025-55182 was disclosed, though older Next.js apps were not impacted.
How Coalition mobilized in response to React2Shell
When a new threat is discovered and is either actively being exploited or when we believe exploitation is imminent, Coalition issues a Zero-Day Alert (ZDA). We reserve ZDAs for the most critical and time-sensitive threats that present the greatest potential for financial loss to policyholders.
The moment React2Shell was confirmed, it instantly met our ZDA criteria and demanded an immediate, decisive response:
1. Immediate ZDA trigger
As Coalition’s security team rushed to understand and analyze the exploit chains, we rapidly identified every policyholder with vulnerable Next.js assets. This intelligence enabled us to target the right businesses with critical, time-sensitive alerts.
2. Unseen team mobilization
Our standard ZDA process transformed into an orchestrated, hands-on mobilization that extended well beyond an automated email blast. When a threat of this magnitude drops, an entire dedicated, cross-functional team mobilizes with direct, hands-on support — a core tenet of Active Insurance.
We contacted hundreds of businesses in a matter of hours, not just with ZDAs, but with follow-up outreach to ensure the risk was understood and remediation was underway. Security analysts were literally on the phone with vulnerable policyholders, guiding them through mitigation and rescanning their networks to confirm they were patched and fixed.
Ultimately, Coalition notified and contacted hundreds of vulnerable policyholders within 48 hours of the vulnerability’s public disclosure.
Critical lessons from React2Shell
The critical lesson from the React2Shell event is that cybersecurity is not just about technology; it's about speed, collaboration, and operational discipline. When a 10.0 CVSS vulnerability like this drops, a business's ability to respond hinges entirely on the existing strength of its security foundation.
For a threat as widespread and severe as RCE in a core library, businesses must prioritize strong security hygiene and foundational best practices that allow for rapid mitigation:
Timely patching: The ultimate control against this kind of flaw. Maintaining a structured, repeatable patch management program minimizes the window of opportunity for attackers during mass exploitation events.
Access control: Never trust internal network boundaries. Immediately restricting or disabling public access to affected applications where patching is delayed is vital.
Network segmentation: Proper network segmentation prevents an attacker who exploits one vulnerable system from easily moving laterally to other critical systems and core infrastructure.
Attack surface awareness: You cannot defend what you don't know you have. Having a comprehensive, up-to-date inventory of all internal and third-party systems that use affected technologies is the prerequisite for an effective response.
Logging and detection: Ensure you have full visibility into your environment. During a critical event, the ability to quickly hunt for indicators of compromise (IOCs) is essential to detect whether you were compromised before the patch.
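The attack surface point above is the one most teams found hardest during React2Shell: knowing, within hours, which deployments actually run Next.js or the React Server Components stack rather than plain React. The script below is an added example, not Coalition's tooling, of how a response team can build that inventory from collected npm manifests. It assumes package.json-style input; "next" is the Next.js package, and the react-server-dom-* names are the public npm packages for the RSC server runtimes. Because this page does not state which versions are patched, the script reports the pinned version of each hit and leaves the fixed/unfixed decision to the vendor advisory. The sample manifests are constructed for the example.

```javascript
// Added example, not Coalition's tooling: inventory which application
// manifests pull in Next.js or a React Server Components (RSC) server
// package, so a response team knows which deployments to check first.
// Assumptions: npm package.json-style manifests; "next" is the Next.js
// package, and the react-server-dom-* packages are the public npm names of
// the RSC server runtimes. Patched version numbers are not stated on this
// page, so the script reports versions and leaves the fixed/unfixed
// judgement to the vendor advisory.

const RSC_INDICATOR_PACKAGES = new Set([
  "next",
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// Reduce an npm range ("^15.1.0", "~15.1.0", ">=15.0.0 <16") to the first
// concrete x.y.z it anchors on; null when the range carries no such version
// (e.g. "latest", a git URL or a workspace reference) and needs manual review.
function baseVersion(range) {
  if (typeof range !== "string") return null;
  const m = range.match(/\d+\.\d+\.\d+/);
  return m ? m[0] : null;
}

// Inspect one manifest. Plain React sites (only "react"/"react-dom") yield
// no hits, matching the observation that most React apps are not affected.
function inspectManifest(manifest) {
  const hits = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [pkg, range] of Object.entries(manifest[field] || {})) {
      if (RSC_INDICATOR_PACKAGES.has(pkg)) {
        hits.push({ pkg, version: baseVersion(range), kind: field });
      }
    }
  }
  return { name: manifest.name || "(unnamed)", hits };
}

// Build the inventory: only manifests with at least one hit, ordered so that
// runtime dependencies come before dev-only ones, and unknown versions (which
// need a human to resolve) sort to the top within each group.
function buildInventory(manifests) {
  const rank = (r) => {
    const runtime = r.hits.some((h) => h.kind === "dependencies") ? 0 : 1;
    const unknown = r.hits.some((h) => h.version === null) ? 0 : 1;
    return runtime * 2 + unknown;
  };
  return manifests
    .map(inspectManifest)
    .filter((r) => r.hits.length > 0)
    .sort((a, b) => rank(a) - rank(b) || a.name.localeCompare(b.name));
}

// Constructed sample manifests standing in for files gathered from repos,
// build pipelines or deployed container images.
const SAMPLE_MANIFESTS = [
  { name: "marketing-site", dependencies: { react: "^18.3.1", "react-dom": "^18.3.1" } },
  { name: "customer-portal", dependencies: { next: "^15.1.0", react: "^19.0.0" } },
  { name: "internal-tool", dependencies: { "react-server-dom-webpack": "latest" } },
  { name: "design-system", devDependencies: { next: "~14.2.0" } },
];

// One line per affected manifest, most urgent first.
function printInventory(inventory) {
  for (const r of inventory) {
    const detail = r.hits
      .map((h) => `${h.pkg}@${h.version ?? "unknown"} (${h.kind})`)
      .join(", ");
    console.log(`${r.name}: ${detail}`);
  }
}

printInventory(buildInventory(SAMPLE_MANIFESTS));
```

Feeding the real manifests in (from source control, CI artifacts or the node_modules of running images) turns this into the "comprehensive, up-to-date inventory" the lesson calls for; the version column is then compared against the vendor's published fixed versions to decide who gets the first phone call.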
Navigating a 10.0 CVSS event requires preparation, monitoring, and proactive support. That level of dedication — the human firewall that validates, notifies, and ensures remediation — is the critical difference between receiving an alert and avoiding a catastrophic attack.
Taking Control of cyber risk
React2Shell is a potent reminder that continuous threat monitoring and immediate action are non-negotiable. Coalition ZDAs are designed to prioritize the most critical threats that require prompt remediation.
Businesses can use Coalition Control® to continuously monitor their entire digital footprint, receive prioritized security alerts, and access the guidance of our in-house team of threat analysts.