‘Exploitation is imminent’ of max-severity React bug • The Register

A maximum-severity flaw in the widely used JavaScript library React, and in several React-based frameworks including Next.js, allows unauthenticated, remote attackers to execute malicious code on vulnerable instances. The flaw is easy to abuse, and mass exploitation is “imminent,” according to security researchers.
The React team disclosed the unauthenticated remote code execution (RCE) vulnerability in React Server Components on Wednesday. It’s tracked as CVE-2025-55182 and received a maximum 10.0 CVSS severity rating.
This is a big deal because much of the internet is built on React – one estimate suggests 39 percent of cloud environments are vulnerable to this flaw. This issue therefore deserves a prominent place on your to-do list.
The bug affects versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:
It also affects the default configuration of several React frameworks and bundlers including next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk.
The project’s maintainers say upgrading to version 19.0.1, 19.1.2, or 19.2.1, whichever matches the release line in use, fixes the flaw.
“We recommend upgrading immediately,” the React team said in a Wednesday security advisory.
“CVE-2025-55182 represents a major risk to users of one of the world’s most widely used web application frameworks,” Benjamin Harris, founder and CEO of exposure management tools vendor watchTowr, told The Register. “Exploitation requires few prerequisites [and] there should be no doubt that in-the-wild exploitation is imminent as soon as attackers begin analyzing now-public patches.”
Vercel, the creator and primary maintainer of Next.js, assigned its own CVE (CVE-2025-66478) for the flaw, and issued an alert and patch on Wednesday, too.
While we don’t have too many details about the vulnerability, we know it abuses a flaw in how React decodes payloads sent to React Server Function endpoints.
“An unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves remote code execution on the server,” the security alert warned. “Further details of the vulnerability will be provided after the rollout of the fix is complete.”
Researcher Lachlan Davidson found and reported the flaw to Meta, which created the open source project, on Saturday. Meta worked with the React team to quickly roll out an emergency patch just four days later.
React is very widely used – Meta’s Facebook and Instagram, Netflix, Airbnb, Shopify, Hello Fresh, Walmart, and Asana rely on it, as do millions of developers – and many frameworks depend on vulnerable React packages.
This CVE therefore puts much of the internet at risk.
“Wiz data indicates that 39 percent of cloud environments contain instances of Next.js or React in versions vulnerable to CVE-2025-55182 and/or CVE-2025-66478,” the cloud security shop’s threat hunters Gili Tikochinski, Merav Bar, and Danielle Aminov said on Wednesday.
The soon-to-be-Google-owned biz experimented with the flaw and fix, and reported that “exploitation of this vulnerability had high fidelity, with a near 100 percent success rate and can be leveraged to a full remote code execution.”
“Due to the high severity and the ease of exploitation, immediate patching is required,” the trio added.
At the time of writing, The Register could find no reports of in-the-wild exploitation. However, it is safe to assume that criminals are already reverse engineering the patches and scanning the internet for exposed, vulnerable instances.
“Due to the widespread use of React and frameworks like Next.js that are built on top of it, this vulnerability is expected to draw significant attention,” Stephen Fewer, senior principal researcher at Rapid7, told The Register.
“The chances of technical details and exploit code being made publicly available are high, so exploitation is likely to occur soon,” he said. “It is therefore critical to patch this vulnerability immediately.”
Cloudflare customers may also wish to dig into the company’s claim that its Web Application Firewall (WAF) protects them from the flaw, if their React application traffic is proxied through the WAF. ®