- A critical React vulnerability (CVE-2025-55182) allows pre-authentication RCE in React server components.
- Affects versions 19.0–19.2.0 and platforms such as Next, React Router, Vite; patches released in versions 19.0.1, 19.1.2, 19.2.1.
- Experts warn that exploitation is inevitable, with a success rate of almost 100%; updating immediately is strongly recommended.
React is one of the most popular JavaScript libraries, powering much of the modern Internet. Recently, researchers discovered a vulnerability of maximum severity. This flaw could allow even low-skilled attackers to execute malicious code (RCE) on vulnerable instances.
Earlier this week, the React team published a new security advisory detailing a pre-authentication bug in multiple versions of several packages affecting React server components. Affected versions include 19.0, 19.1.0, 19.1.1, and 19.2.0 of react-dom-webpack, react-dom-parcel, and react-dom-turbopack.
The issue is now tracked as CVE-2025-55182 and has a severity level of 10/10 (Critical).
Exploitation is inevitable – there is no doubt about it.
This bug also affects the default configurations of several React frameworks and bundlers, including next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk.
The versions that have fixed the bug are 19.0.1, 19.1.2, and 19.2.1, and React encourages all users to apply the fix as soon as possible. “We recommend upgrading immediately,” the React team said.
According to The Register, React powers nearly two out of five of all cloud environments, so the attack surface is large, to say the least. Facebook, Instagram, Netflix, Airbnb, Shopify and other giants of the modern web rely on React, as do millions of other developers.
Benjamin Harris, founder and CEO of risk management tools provider WatchTowr, told the publication that the vulnerability would “no doubt” be exploited in the real world. In fact, he said, abuse is “inevitable,” especially now that the recommendation has been published.
Wiz was able to test the bug and says that “exploitation of this vulnerability had high accuracy, almost 100% success rate and can be used for full remote code execution.”
In other words, now is not the time to relax—correcting this deficiency should be everyone's number one priority.
Via The Register