React2Shell (CVE-2025-55182): RSC Flight Decoder Remote Code Execution
ID: 05708241-25e8-5455-bdb5-25137b18d201
STIX ID: report--05708241-25e8-5455-bdb5-25137b18d201
Feed Name: Seqrite Blog
**Executive Summary:** CVE-2025-55182 (React2Shell) is a critical unauthenticated remote code execution vulnerability in React Server Components (RSC). The Flight protocol decoder used attacker-supplied property names to resolve object properties without an own-property check, so a request could reach members inherited through the prototype chain (for example `constructor`) and escalate from there through gadgets; the fix adds `hasOwnProperty` checks and hardens the multipart decoding path. The report covers the exploit mechanics, abuse observed in multiple campaigns (cryptojacking, Mirai, MINOCAT, SNOWLIGHT, COMPOOD), detection and mitigation guidance (upgrade the RSC packages, restrict exposure of the RSC endpoint, WAF/IPS rules), and the vendor signatures that protect Seqrite customers.
