React2Shell Vulnerability: Maximum-Severity Flaw in React Server Components Actively Exploited by China-Backed Groups 

**Executive summary:** React2Shell (CVE-2025-55182) is a maximum-severity unauthenticated RCE in React Server Components and Next.js App Router that allows arbitrary server-side JavaScript execution via unsafe deserialization; public PoCs surfaced quickly and multiple China-linked APT clusters are actively scanning and exploiting the flaw at scale, prompting urgent patching and mitigations such as WAF rules and Cloudflare protections.