
Admins and defenders gird themselves against maximum-severity server vuln


Urgent Security Alert: React Vulnerability Puts Servers at Risk

A critical vulnerability has been discovered in React, a popular JavaScript library, that could allow remote attackers to execute malicious code on servers. The vulnerability, tracked as CVE-2025-55182, has been rated at the maximum severity score of 10, and experts are warning admins and developers to patch their systems immediately.

Affected Versions and Components

React versions 19.0.1, 19.1.2, and 19.2.1 contain the vulnerable code, and several third-party components are also affected, including the Vite RSC plugin, the Parcel RSC plugin, the React Router RSC preview, RedwoodSDK, Waku, and Next.js. According to security firms Wiz and Aikido, the vulnerability resides in Flight, the serialization protocol that React Server Components use to exchange data between client and server.

The vulnerability stems from unsafe deserialization, which allows hackers to execute malicious code on the server using specially crafted payloads. Patched React versions include stricter validation and hardened deserialization behavior. As Wiz explained, “When a server receives a specially crafted, malformed payload, it fails to validate the structure correctly, allowing attacker-controlled data to influence server-side execution logic, resulting in the execution of privileged JavaScript code.”

Exploitation and Mitigation

The vulnerability can be exploited with a near 100% success rate, and it can be leveraged to achieve full remote code execution. The attack vector is unauthenticated and remote, requiring only a specially crafted HTTP request to the target server. To mitigate the vulnerability, admins and developers are advised to upgrade React and any dependencies that rely on it. Users of any of the RSC-enabled frameworks and plugins mentioned above should check with the maintainers for guidance.

Aikido also suggests that admins and developers scan their codebases and repositories for any use of React; the original post links to a scanning tool for this. For more information on this critical vulnerability, see the linked source article.
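One way to start such an inventory, as an added example that is not Aikido's tool or the post's own code: walk a package-lock.json (lockfileVersion 2 or 3 "packages" map) and flag React-family packages pinned at the versions the post lists as affected. The lockfile below is a constructed sample, and the version list is taken from the post; the official advisory remains the authoritative source for the exact package and version set.

```javascript
// Versions named in the post as containing the vulnerable code.
const AFFECTED_VERSIONS = new Set(["19.0.1", "19.1.2", "19.2.1"]);

// Package names that belong to the React / React Server Components family.
const REACT_FAMILY = /^(react|react-dom|react-server-dom-[a-z]+)$/;

// Derive the bare package name from a lockfile path such as
// "node_modules/next/node_modules/react-server-dom-webpack" (nested installs
// are the ones an audit of the top-level package.json would miss).
function packageNameFromPath(lockPath) {
  const parts = lockPath.split("node_modules/");
  return parts[parts.length - 1];
}

// Return every React-family entry in the lockfile, marking whether its
// resolved version is on the affected list.
function inventoryReact(lockfile) {
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lockfile.packages || {})) {
    if (lockPath === "" || !meta.version) continue; // root entry or no version
    const name = packageNameFromPath(lockPath);
    if (!REACT_FAMILY.test(name)) continue;
    findings.push({
      path: lockPath,
      name,
      version: meta.version,
      affected: AFFECTED_VERSIONS.has(meta.version),
    });
  }
  return findings;
}

// Only the entries that need an upgrade.
function affectedEntries(lockfile) {
  return inventoryReact(lockfile).filter((f) => f.affected);
}

// Constructed sample lockfile fragment (not from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.1" },
    "node_modules/react-dom": { version: "19.2.1" },
    "node_modules/next": { version: "0.0.0-constructed" },
    "node_modules/next/node_modules/react-server-dom-webpack": { version: "19.1.2" },
    "node_modules/some-other-lib": { version: "0.0.0-constructed" },
  },
};

for (const f of affectedEntries(SAMPLE_LOCK)) {
  console.log(`AFFECTED ${f.name}@${f.version} at ${f.path}`);
}
```

Pointing the function at a real lockfile is a matter of `JSON.parse` on the file contents; the nested `next/node_modules/...` case is why the scan walks the full "packages" map rather than just the root dependencies.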

Image Credit: arstechnica.com
