“I don’t usually say this, but the patch is damn right now,” one researcher wrote. “The React CVE list (CVE-2025-55182) is a perfect 10.”
React versions 19.0.1, 19.1.2, or 19.2.1 contain vulnerable code. Third-party components known to be affected include:
- Vite RSC plugin
- Parcel RSC plugin
- Preview of React Router RSC
- RedwoodSDK
- Your
- Next.js
According to security firms Wiz and Aikido, the vulnerability, tracked as CVE-2025-55182, is in Flight, the protocol used by React Server Components. Next.js has assigned CVE-2025-66478 to track the vulnerability in its own package.
The vulnerability stems from insecure deserialization, the process of converting strings, byte streams, and other "serialized" formats back into objects or data structures in code. Attackers exploit insecure deserialization with payloads that cause malicious code to execute on the server. Fixed versions of React add stricter validation and safer deserialization behavior.
“When a server receives a specially crafted, malformed payload, it is unable to properly validate the structure,” Weese explained. “This allows attacker-controlled data to influence server-side execution logic, resulting in the execution of privileged JavaScript code.”
The company added:
In our experiments, exploitation of this vulnerability had a high accuracy, almost 100% success rate, and could be used for full remote code execution. The attack vector is unauthenticated and remote, requiring only a specially crafted HTTP request to the target server. This affects the default configuration of popular frameworks.
Both companies advise administrators and developers to update React and every package that depends on it. Users of any of the platforms and plugins listed above that support remote access should seek advice from their maintainers. Aikido also encourages admins and developers to scan their codebases and repositories for any use of React using this connection.
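As an added example (not code from the article, Wiz, or Aikido), the following Python script inventories the React and react-server-dom-* packages in an npm package-lock.json and shows which dependency pulls each copy in, including nested copies that a top-level version check would miss. The watch list, the sample lockfile, and its version numbers are constructed for the demonstration; compare the reported versions against the React advisory for your line.

```python
import json, sys
from typing import Dict, List, Optional, Tuple

# Inventory targets: react-server-dom-* carry the Flight (RSC) protocol. Assumption: extend this for your framework.
WATCH_EXACT = {"react", "react-dom", "next"}
WATCH_PREFIX = ("react-server-dom-",)
# Constructed sample package-lock.json (v3 layout); the versions are placeholders, not an advisory.
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"dependencies": {"next": "15.0.0", "react": "19.2.1",
                          "react-server-dom-webpack": "19.2.1"}},
    "node_modules/next": {"version": "15.0.0", "peerDependencies": {"react": "^19"},
                          "dependencies": {"react-server-dom-webpack": "19.1.2"}},
    # nested copy: npm could not hoist it because the root pins a different version
    "node_modules/next/node_modules/react-server-dom-webpack": {
        "version": "19.1.2", "peerDependencies": {"react": "^19"}},
    "node_modules/react": {"version": "19.2.1"},
    "node_modules/react-server-dom-webpack": {"version": "19.2.1",
                                              "peerDependencies": {"react": "^19"}},
}}
def pkg_name(path: str) -> str:
    return path.rsplit("node_modules/", 1)[-1]  # 'node_modules/a/node_modules/@s/b' -> '@s/b'
def resolve(packages: Dict[str, dict], from_path: str, dep: str) -> Optional[str]:
    """Node-style lookup: nearest node_modules/<dep> walking up from from_path."""
    base = from_path
    while True:
        cand = f"{base}/node_modules/{dep}" if base else f"node_modules/{dep}"
        if cand in packages:
            return cand
        if not base:
            return None
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""

def rsc_inventory(lock: dict) -> List[Tuple[str, str, List[str]]]:
    """Return (lockfile path, version, sorted dependents) for each watched package."""
    packages = lock["packages"]
    reverse: Dict[str, List[str]] = {}  # resolved target path -> packages that use it
    for path, meta in packages.items():
        for section in ("dependencies", "optionalDependencies", "peerDependencies"):
            for dep in meta.get(section, {}):
                target = resolve(packages, path, dep)
                if target is not None:
                    reverse.setdefault(target, []).append(path or "<project root>")
    return sorted((p, m.get("version", "?"), sorted(reverse.get(p, []))) for p, m in packages.items()
                  if p and (pkg_name(p) in WATCH_EXACT or pkg_name(p).startswith(WATCH_PREFIX)))

if __name__ == "__main__":  # usage: python rsc_inventory.py [path/to/package-lock.json]
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for path, version, users in rsc_inventory(lock):
        print(f"{path}@{version}  <- {', '.join(users)}")
```

Each output line names the lockfile path, the installed version, and the packages that resolve to that copy, so a nested older copy shows up with the framework that pins it rather than being hidden behind the hoisted top-level version.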