Critical React flaw (CVE-2025-55182) enables pre-auth RCE in React Server Components
Affects versions 19.0–19.2.0 and frameworks like Next, React Router, Vite; patches released in 19.0.1, 19.1.2, 19.2.1
Experts warn exploitation is imminent with near 100% success rate; urgent upgrades strongly advised
React is one of the most popular JavaScript libraries and powers much of today’s internet. Researchers recently discovered a maximum-severity vulnerability in it. The bug could allow even low-skilled threat actors to execute malicious code remotely (RCE) on vulnerable instances.
Earlier this week, the React team published a security advisory detailing a pre-authentication bug in React Server Components that spans multiple versions of several packages. The affected versions are 19.0, 19.1.0, 19.1.1, and 19.2.0 of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack.
The bug is now tracked as CVE-2025-55182, and was given a severity score of 10/10 (critical).
Exploitation imminent - no doubt about it
The advisory adds that the default configurations of multiple React frameworks and bundlers are also affected, including next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk.
The fixed versions are 19.0.1, 19.1.2, and 19.2.1, and React urges all users to apply the fix as soon as possible. "We recommend upgrading immediately," the React team said.
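As an added example (not code from the article, the React advisory, or any of the projects named above), the following Node.js script checks an npm package-lock.json for the three react-server-dom-* packages the advisory names and classifies every installed copy, nested ones included, against the affected and patched versions listed above. It assumes npm's own lockfile layout (lockfileVersion 2 or 3, with a "packages" object keyed by node_modules path); the sample lockfile is constructed for the demonstration, "19.0" is read as 19.0.0, and any version the advisory does not list is reported as "unlisted" rather than guessed at.

```javascript
// Added example: check a package-lock.json for the react-server-dom-* versions
// named in the React advisory summarised above. Not code from the article or
// from the React project.

// Packages the advisory names as carrying the bug.
const ADVISORY_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// Versions exactly as listed in the advisory summary; "19.0" is taken to mean 19.0.0.
const AFFECTED_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
const PATCHED_VERSIONS = new Set(["19.0.1", "19.1.2", "19.2.1"]);

// Classify one installed version against the advisory. Versions the advisory does
// not mention (older majors, prereleases, later releases) are reported as
// "unlisted" so the reader consults the advisory instead of trusting a guess.
function classify(version) {
  if (AFFECTED_VERSIONS.has(version)) return "affected";
  if (PATCHED_VERSIONS.has(version)) return "patched";
  return "unlisted";
}

// Extract the package name from a lockfile "packages" key. npm keys entries by
// install path, e.g. "node_modules/react-server-dom-webpack" or, for a nested
// copy, "node_modules/<dep>/node_modules/react-server-dom-turbopack".
// Scoped names such as "@parcel/rsc" survive because they contain no "node_modules/".
function packageNameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? null : path.slice(idx + marker.length);
}

// Walk every entry in the lockfile and return one finding per installed copy of
// an advisory package. A patched root copy can still sit beside a vulnerable
// duplicate deeper in the tree, so nested entries are not skipped.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(path);
    if (!name || !ADVISORY_PACKAGES.has(name) || !entry.version) continue;
    findings.push({ path, name, version: entry.version, status: classify(entry.version) });
  }
  return findings;
}

// Reduce the findings to one verdict: any affected copy means the tree needs an
// upgrade; any unlisted copy means a human has to check the advisory.
function overallStatus(findings) {
  if (findings.some((f) => f.status === "affected")) return "affected";
  if (findings.some((f) => f.status === "unlisted")) return "review";
  return findings.length === 0 ? "not-installed" : "patched";
}

// Constructed sample lockfile for the demonstration, not a real project's file.
// It holds an affected root copy of one package and a patched nested copy of another.
const SAMPLE_LOCK = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.1" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-framework/node_modules/react-server-dom-turbopack": { version: "19.1.2" },
  },
};

// Print one line per finding, then the overall verdict for the tree.
const sampleFindings = scanLockfile(SAMPLE_LOCK);
for (const f of sampleFindings) {
  console.log(`${f.status.padEnd(9)} ${f.name}@${f.version}  (${f.path})`);
}
console.log("overall:", overallStatus(sampleFindings));
```

To run it against a real tree, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")). The script only looks at the three packages the advisory names; a framework that vendors its own copy of React rather than declaring it as a dependency will not appear in the lockfile at all, so for the frameworks listed as affected the framework's own advisory and release notes remain the authority.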
According to The Register, React powers almost two in five of
React cybersecurity rating report: https://www.rankiteo.com/company/reactofficial
"id": "REA1764965031",
"linkid": "reactofficial",
"type": "Vulnerability",
"date": "12/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'incident': {
  'affected_entities': [
    {'customers_affected': 'Nearly 40% of websites using React', 'industry': 'Technology/Software Development', 'location': None, 'name': 'React (Meta)', 'size': None, 'type': 'Software Library'},
    {'customers_affected': None, 'industry': 'Technology/Software Development', 'location': None, 'name': 'Next.js', 'size': None, 'type': 'Framework'},
    {'customers_affected': None, 'industry': 'Technology/Software Development', 'location': None, 'name': 'React Router', 'size': None, 'type': 'Framework'},
    {'customers_affected': None, 'industry': 'Technology/Software Development', 'location': None, 'name': 'Vite', 'size': None, 'type': 'Framework/Bundler'},
    {'customers_affected': None, 'industry': 'Technology/Software Development', 'location': None, 'name': 'Waku', 'size': None, 'type': 'Framework'},
    {'customers_affected': None, 'industry': 'Technology/Software Development', 'location': None, 'name': '@parcel/rsc', 'size': None, 'type': 'Bundler'},
    {'customers_affected': None, 'industry': 'Technology/Software Development', 'location': None, 'name': '@vitejs/plugin-rsc', 'size': None, 'type': 'Plugin'},
    {'customers_affected': None, 'industry': 'Technology/Software Development', 'location': None, 'name': 'rwsdk', 'size': None, 'type': 'Framework'}],
  'attack_vector': 'Pre-authentication exploit in React Server Components',
  'customer_advisories': 'React team urges all users to apply the fix as soon as possible.',
  'data_breach': {'data_encryption': None, 'data_exfiltration': None, 'file_types_exposed': None, 'number_of_records_exposed': None, 'personally_identifiable_information': None, 'sensitivity_of_data': None, 'type_of_data_compromised': None},
  'description': 'A maximum-severity vulnerability (CVE-2025-55182) in React Server Components allows pre-authentication remote code execution (RCE) with a near 100% success rate. The flaw affects React versions 19.0–19.2.0 and frameworks like Next, React Router, and Vite. Patches were released in versions 19.0.1, 19.1.2, and 19.2.1. Experts warn exploitation is imminent, urging immediate upgrades.',
  'impact': {'brand_reputation_impact': 'Potential damage due to critical vulnerability in widely used library', 'conversion_rate_impact': None, 'customer_complaints': None, 'data_compromised': None, 'downtime': None, 'financial_loss': None, 'identity_theft_risk': None, 'legal_liabilities': None, 'operational_impact': 'Potential unauthorized code execution on vulnerable systems', 'payment_information_risk': None, 'revenue_loss': None, 'systems_affected': 'React Server Components, frameworks (Next, React Router, Vite, Waku, @parcel/rsc, @vitejs/plugin-rsc, rwsdk)'},
  'initial_access_broker': {'backdoors_established': None, 'data_sold_on_dark_web': None, 'entry_point': None, 'high_value_targets': None, 'reconnaissance_period': None},
  'post_incident_analysis': {'corrective_actions': 'Patches released and immediate upgrades recommended', 'root_causes': 'Critical vulnerability in React Server Components allowing pre-auth RCE'},
  'ransomware': {'data_encryption': None, 'data_exfiltration': None, 'ransom_demanded': None, 'ransom_paid': None, 'ransomware_strain': None},
  'recommendations': 'Upgrade to patched versions (19.0.1, 19.1.2, 19.2.1) immediately to mitigate the risk of exploitation.',
  'references': [{'date_accessed': None, 'source': 'React Security Advisory', 'url': None}, {'date_accessed': None, 'source': 'The Register', 'url': None}],
  'regulatory_compliance': {'fines_imposed': None, 'legal_actions': None, 'regulations_violated': None, 'regulatory_notifications': None},
  'response': {'adaptive_behavioral_waf': None, 'communication_strategy': 'Security advisory published by React team', 'containment_measures': 'Patches released (versions 19.0.1, 19.1.2, 19.2.1)', 'enhanced_monitoring': None, 'incident_response_plan_activated': None, 'law_enforcement_notified': None, 'network_segmentation': None, 'on_demand_scrubbing_services': None, 'recovery_measures': None, 'remediation_measures': 'Immediate upgrades to patched versions', 'third_party_assistance': None},
  'title': 'Critical React flaw (CVE-2025-55182) enables pre-auth RCE in React Server Components',
  'type': 'Remote Code Execution (RCE)',
  'vulnerability_exploited': 'CVE-2025-55182'}}