Critical Vulnerability Disclosed: React Server Hit by CVE-2025-55182 — Urgent Patch Required

A severe new vulnerability has been disclosed in React’s server-side components — one that could endanger countless web applications. The flaw, tracked as CVE-2025-55182, carries a CVSS score of 10.0 (Critical) and enables unauthenticated remote code execution (RCE) via a single crafted HTTP request.

🧬 What Went Wrong — The Technical Root Cause

The vulnerability lies in the server-side implementation of React Server Components (RSC). Specifically, certain “react-server” packages — react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack — were handling incoming RSC payloads insecurely.

Because of insufficient validation or unsafe deserialization of incoming payloads, a specially crafted RSC “Flight” protocol payload can manipulate the server’s logic, resulting in arbitrary JavaScript execution on the server.

Critically, this is remote and pre-authentication: no prior access is needed. As long as a server or framework supports RSC, it may be vulnerable, even if your own code never explicitly calls server functions.

🔎 What’s Affected — Scope and Reach

Vulnerable React versions: 19.0.0, 19.1.0, 19.1.1, 19.2.0 — if you’re using one of these, you’re at risk.

Affected downstream frameworks / bundlers / ecosystems: besides vanilla React, many popular frameworks and tools depend on these packages. Among them: Next.js (RSC / App Router mode), various RSC-enabled bundler plugins (e.g. for Vite and Parcel), React Router (in RSC mode), RedwoodSDK, Waku and more.

According to security-research firm Wiz, many cloud environments are exposed: nearly 39% of cloud environments contain a vulnerable React/Next.js instance.

🛠 What You Must Do Right Now — Remediation Steps

Upgrade React dependencies: If your project uses any of the affected react-server-dom-* packages, update to the corresponding patched version (19.0.1, 19.1.2, or 19.2.1) immediately.

Upgrade frameworks / bundlers / plugins: If you depend on Next.js (or any other framework or bundler that bundles the vulnerable packages), upgrade to a safe release. For Next.js, patched versions include 15.4.8, 15.5.7, 16.0.7, etc.

Scan dependencies, including transitive dependencies: even if you don’t directly use React Server Components, a library or plugin you depend on might. Use dependency-scanning tools to discover this hidden exposure.

Don’t rely on short-term mitigations: some hosting providers have deployed temporary protections, but the only reliable fix is upgrading the vulnerable packages.
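
As an added example (not code from the advisory, React, or any vendor named here), the following Node.js script performs the transitive-dependency check the steps above call for: it walks an npm package-lock.json (lockfileVersion 2 or 3 layout is assumed; the sample lockfile is constructed) and flags every installed copy of react-server-dom-webpack, -parcel or -turbopack at one of the affected versions, including copies nested under another dependency such as a framework.

```javascript
// Added example: find affected react-server-dom-* installs in a package-lock.json.
// Assumes the lockfileVersion 2/3 "packages" map, keyed by install path.
const VULNERABLE_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);
// Affected versions per the advisory; 19.0.1, 19.1.2 and 19.2.1 are the patched ones.
const VULNERABLE_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);

// Lockfile keys look like "node_modules/foo" or "node_modules/a/node_modules/@s/foo";
// the package name is everything after the last "node_modules/". The root entry "" has none.
function packageName(lockPath) {
  const idx = lockPath.lastIndexOf("node_modules/");
  return idx === -1 ? null : lockPath.slice(idx + "node_modules/".length);
}

// Returns one record per vulnerable install location found in the lockfile.
function findVulnerable(lockfile) {
  const hits = [];
  for (const [lockPath, meta] of Object.entries(lockfile.packages || {})) {
    const name = packageName(lockPath);
    if (name === null || !VULNERABLE_PACKAGES.has(name)) continue;
    if (!VULNERABLE_VERSIONS.has(meta.version)) continue;
    // More than one "node_modules/" segment means a nested (transitive) copy,
    // which `npm ls` at the top level can easily hide from a quick glance.
    const transitive = lockPath.split("node_modules/").length > 2;
    hits.push({ path: lockPath, name, version: meta.version, transitive });
  }
  return hits;
}

// Constructed sample lockfile: the top-level webpack package is already patched,
// but a second copy of the turbopack package nested under "next" is still affected.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { next: "15.4.7" } },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.2.0" },
  },
};

for (const hit of findVulnerable(sampleLock)) {
  console.log(`${hit.transitive ? "TRANSITIVE" : "DIRECT"} ${hit.name}@${hit.version} at ${hit.path}`);
}
```

To check a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findVulnerable` instead of the sample; any hit means the upgrade above is still outstanding somewhere in the tree.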

⚠ Why This Is Serious — Potential Consequences

A vulnerability with CVSS 10.0 is as severe as it gets. With this bug:

An attacker — even without credentials — can execute arbitrary JavaScript code server-side. This could lead to data exfiltration, installation of malware or ransomware, server takeover, or use of the host as a pivot point for attacking further internal infrastructure.

Because the vulnerability is reachable in default configurations of widely used frameworks, many applications — including public-facing websites and APIs — are at risk out of the box.

Given the estimated prevalence of React/Next.js in modern web apps, the attack surface is enormous.

📣 What This Means for the Web Ecosystem & Developers

This disclosure should serve as a wake-up call. Even mature, widely used libraries like React — trusted by millions — can harbour catastrophic vulnerabilities. Here is what it highlights:

The complexity of modern JavaScript stacks — with server-client bridges, bundlers, and polyglot frameworks — creates a large attack surface.

The need for vigilant dependency management. It is not enough to audit your own code; you must also audit your transitive dependencies and the frameworks your code runs on.

The importance of prompt patching and supply-chain hygiene: when a critical flaw emerges, delays in upgrade or mitigation can have severe consequences.

✅ Bottom Line: Act Immediately

If you maintain or deploy any React-based application, check your dependencies now. If you are using React 19 or an RSC-enabled framework or bundler, update to the patched version without delay. This is not a theoretical risk: it is a live, high-severity vulnerability with real-world exploit potential.