CVE-2025-55182 (React2Shell): Remote code execution in React Server Components and Next.js
ID: 35aac35b-451a-54bf-a93d-bb1d13aae49a
STIX ID: report--35aac35b-451a-54bf-a93d-bb1d13aae49a
Feed Name: Datadog Security Labs
A critical server-side prototype pollution vulnerability in React Server Components (CVE-2025-55182), which also affects Next.js installations, allows unauthenticated remote code execution. Public PoCs and a working exploit were published that can compromise even blank create-next-app instances. Datadog observed scanning activity from over 80 IPs probing for this flaw soon after disclosure. Patches were committed, and upgrading affected React/Next.js components is the recommended remediation.
