Experts warn this ‘worst case scenario’ React vulnerability could soon be exploited – so patch now

- Critical React flaw (CVE-2025-55182) allows pre-authentication RCE in React server components
- Affects versions 19.0 to 19.2.0 and frameworks like Next, React Router, Vite; fixes released in 19.0.1, 19.1.2, 19.2.1
- Experts warn that exploitation is imminent with a success rate close to 100%; urgent upgrades strongly advised
React is one of the most popular JavaScript libraries, powering much of today’s Internet. Researchers recently discovered a maximum-severity vulnerability in it that could allow even low-skilled threat actors to achieve remote code execution (RCE) on vulnerable instances.
Earlier this week, the React team released a new security advisory detailing a pre-authentication bug in multiple versions of multiple packages, affecting React server components. Affected versions include 19.0, 19.1.0, 19.1.1, and 19.2.0 of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack.
The bug is now tracked as CVE-2025-55182 and has received a severity score of 10/10 (critical).
Imminent exploitation – there is no doubt
The default configurations of several React frameworks and bundlers are reportedly affected as well, including next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc and rwsdk.
The versions that fixed the bug are 19.0.1, 19.1.2, and 19.2.1, and React urges all users to apply the fix as soon as possible. “We recommend upgrading immediately,” the React team said.
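To see whether a project resolves one of the affected versions listed above, the following added example (not code from React or the advisory) scans a parsed package-lock.json for the three named packages. It assumes lockfileVersion 2 or 3, reads "19.0" as npm version 19.0.0, and pairs each affected version with the fixed release on the same release line; `findAffected` and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag CVE-2025-55182-affected packages in a package-lock.json.
// Affected -> fixed versions as reported on this page. Assumptions: "19.0" means
// npm 19.0.0, and each affected version is fixed by the release on its own line.
const FIXED_BY_AFFECTED = {
  "19.0.0": "19.0.1",
  "19.1.0": "19.1.2",
  "19.1.1": "19.1.2",
  "19.2.0": "19.2.1",
};
const PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// lock: parsed package-lock.json with a "packages" map (lockfileVersion 2 or 3).
function findAffected(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/b"; the name is the last segment.
    const name = path.split("node_modules/").pop();
    if (!PACKAGES.has(name) || !entry || typeof entry.version !== "string") continue;
    const fixed = FIXED_BY_AFFECTED[entry.version];
    if (fixed) hits.push({ path, name, version: entry.version, upgradeTo: fixed });
  }
  return hits;
}

// Constructed sample lockfile (not from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/some-fw/node_modules/react-server-dom-turbopack": { version: "19.2.1" },
    "node_modules/react-server-dom-parcel": { version: "19.0.0" },
    "node_modules/react": { version: "19.2.0" },
  },
};

// CLI use: pass a lockfile path; the exit code is 1 when anything is flagged.
if (process.argv[2]) {
  import("node:fs").then((fs) => {
    const hits = findAffected(JSON.parse(fs.readFileSync(process.argv[2], "utf8")));
    for (const h of hits) console.log(`${h.path}: ${h.version} -> upgrade to ${h.upgradeTo}`);
    process.exitCode = hits.length ? 1 : 0;
  });
} else {
  console.log(findAffected(SAMPLE_LOCK));
}
```

A clean result covers only the three packages the advisory lists by version; the frameworks and bundlers named on this page are not checked, because the page gives no version numbers for them.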
According to The Register, React powers nearly two out of five cloud environments, so the attack surface is large, to put it mildly. Facebook, Instagram, Netflix, Airbnb, Shopify, and other web giants of today all rely on React, along with millions of other developers.
Benjamin Harris, founder and CEO of exposure management tools provider watchTowr, told the publication that the flaw would “without a doubt” be exploited in the wild. In fact, abuse is “imminent,” he believes, especially now that the advisory has been published.
Wiz successfully tested the bug and claims that “the exploitation of this vulnerability has been very faithful, with a near 100% success rate and can be exploited for full remote code execution.”
In other words, now is not the time to relax: fixing this flaw should be everyone’s number one priority.
Via The Register




