- Critical React flaw (CVE-2025-55182) enables pre-authentication RCE in React Server Components
- Affects versions 19.0–19.2.0 and frameworks such as Next, React Router and Vite; patches released in 19.0.1, 19.1.2 and 19.2.1
- Experts warn that exploitation is imminent, with a near-100% success rate; urgent upgrades are strongly recommended
React is one of the most popular JavaScript libraries and powers much of today's Internet. Researchers recently discovered a maximum-severity vulnerability in it. The flaw could allow even low-skilled threat actors to achieve remote code execution (RCE) on vulnerable instances.
Earlier this week, the React team published a security advisory detailing a pre-authentication flaw in several versions of the packages that implement React Server Components. The affected versions are 19.0, 19.1.0, 19.1.1 and 19.2.0 of react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack.
The bug is now tracked as CVE-2025-55182 and given a severity score of 10/10 (Critical).
Exploitation imminent – no doubt about it
The advisory adds that the default configurations of several React frameworks and bundlers are also affected, including next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc and rwsdk.
The versions that fix the bug are 19.0.1, 19.1.2 and 19.2.1, and the React team encourages all users to apply the fix as soon as possible. “We recommend upgrading immediately,” the React team said.
According to The Register, React powers almost two out of five cloud environments, so the attack surface is large to say the least. Facebook, Instagram, Netflix, Airbnb, Shopify and other giants of today's web all rely on React, as do millions of other developers.
Benjamin Harris, founder and CEO of exposure management tools vendor watchTowr, told the publication that the flaw will “undoubtedly” be exploited in the wild. In fact, abuse is “imminent”, he believes, especially now that the announcement has been made public.
Wiz tested the flaw and says that “exploitation of this vulnerability had high credibility, with an almost 100% success rate and can be exploited for full remote code execution”.
In other words, now is not the time to relax – fixing this bug should be everyone’s first priority.
Via The Register