- React critical flaw (CVE-2025-55182) allows pre-authentication RCE in React server components
- It affects versions 19.0–19.2.0 and frameworks such as Next, React Router, Vite; patches released in 19.0.1, 19.1.2, 19.2.1
- Experts warn that exploitation is imminent and that the success rate is close to 100%; urgent updates are highly recommended.
React is one of the most popular JavaScript libraries, powering much of today’s Internet. Researchers recently discovered a maximum-severity vulnerability in it. This bug could allow even low-skilled threat actors to execute malicious code (RCE) on vulnerable instances.
Earlier this week, the React team published a new security advisory detailing a pre-authentication bug in multiple versions of multiple packages, affecting React server components. Affected versions include 19.0, 19.1.0, 19.1.1, and 19.2.0 of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack.
The bug is now tracked as CVE-2025-55182 and has been assigned a severity score of 10/10 (critical).
Imminent Exploitation: No Doubt
Default configurations of multiple React frameworks and packages were also said to be affected by this bug, including next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk.
The versions that fixed the bug are 19.0.1, 19.1.2, and 19.2.1, and React urges all users to apply the fix as soon as possible. “We recommend updating immediately,” said the React team.
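A lockfile check for the affected and fixed versions listed above, as an added example that is not from the React advisory or this article. It assumes an npm `package-lock.json` in the v2/v3 `packages` layout, reads "19.0" as 19.0.0, and pairs each affected version with the fix on the same minor line; the sample lockfile and the `example-framework` name are constructed.

```javascript
// Packages the article names as affected.
const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// Affected version -> fixed release. Assumptions: "19.0" means 19.0.0, and each
// fix belongs to the same minor line. Pre-release builds are not matched.
const FIXED_BY_AFFECTED = new Map([
  ["19.0.0", "19.0.1"],
  ["19.1.0", "19.1.2"],
  ["19.1.1", "19.1.2"],
  ["19.2.0", "19.2.1"],
]);

// Walk the lockfile's "packages" map, including nested node_modules copies.
function findAffected(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // root project or workspace entry
    // Aliased installs carry the real package name in "name".
    const name = entry.name || path.slice(idx + "node_modules/".length);
    if (!AFFECTED_PACKAGES.has(name)) continue;
    const fixed = FIXED_BY_AFFECTED.get(entry.version);
    if (fixed) findings.push({ path, name, version: entry.version, fixed });
  }
  return findings;
}

// Constructed sample lockfile (not taken from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.1" },
    "node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/react-server-dom-parcel": { version: "19.2.1" },
    "node_modules/example-framework/node_modules/react-server-dom-turbopack": { version: "19.2.0" },
  },
};

for (const f of findAffected(SAMPLE_LOCK)) {
  console.log(`${f.path}: ${f.name}@${f.version} is affected, update to ${f.fixed}`);
}
```

A clean result covers only these three packages as resolved in the lockfile; the frameworks the article lists need checking against their own patched releases.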
According to The Registry, React powers nearly two in five of all cloud environments, so the attack surface is large, to put it mildly. Facebook, Instagram, Netflix, Airbnb, Shopify, and other giants of today’s web rely on React, as well as millions of other developers.
Benjamin Harris, founder and CEO of exposure management tools provider watchTowr, told the publication that the flaw will “certainly” be exploited in the wild. In fact, he believes abuse is “imminent,” especially now that the notice has been published.
Wiz managed to test the bug and says that “the exploitation of this vulnerability had high fidelity, with a success rate close to 100% and can be exploited for full remote code execution.”
In other words, now is not the time to slack off: fixing this flaw should be everyone’s number one priority.
Via The Registry