- Critical React flaw (CVE-2025-55182) enables pre-auth RCE in React Server Components
- Affects versions 19.0–19.2.0 and frameworks like Next, React Router, Vite; patches released in 19.0.1, 19.1.2, 19.2.1
- Experts warn exploitation is imminent with near 100% success rate; urgent upgrades strongly advised
React is one of the most popular JavaScript libraries, which powers much of today’s internet. Researchers recently discovered a maximum-severity vulnerability. This bug could allow even the low-skilled threat actors to execute malicious code (RCE) on vulnerable instances.
Earlier this week, the React team published a new security advisory detailing a pre-authentication bug in multiple versions of multiple packs, affecting React Server Components. The versions that are affected include 19.0, 19.1.0, 19.1.1, and 19.2.0, of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack.
The bug is now tracked as CVE-2025-55182, and was given a severity score of 10/10 (critical).
Exploitation imminent – no doubt about it
Default configurations of multiple React frameworks and bundlers are also affected by this bug, it was said, including next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk.
Versions that have addressed the bug are 19.0.1, 19.1.2, and 19.2.1, and React urges all users to apply the fix as soon as possible. “We recommend upgrading immediately,” the React team said.
According to The Register, React powers almost two in five of all cloud environments, so the attack surface is large, to put it mildly. Facebook, Instagram, Netflix, Airbnb, Shopify, and other giants of today’s web, all rely on React – as well as millions of other developers.
Benjamin Harris, founder and CEO of exposure management tools vendor watchTowr, told the publication that the flaw will “no doubt” be exploited in the wild. In fact, abuse is “imminent” he believes, especially now that the advisory has been published.
Wiz managed to test the bug and says that “exploitation of this vulnerability had high fidelity, with a near 100% success rate and can be leveraged to a full remote code execution”.
In other words, now is not the time to slack – patching this flaw should be everyone’s number one priority.
Via The Register
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
