
Since December 3, 2025, the world of web development has been shaken by the disclosure of a critical, maximum-severity vulnerability in React Server Components (RSC) used in React 19 — tracked as CVE-2025-55182 (with a related entry CVE-2025-66478 for some frameworks).
What is it and why it matters
React’s Server Components (RSC) feature introduces a protocol, often called the “Flight” protocol, that enables server-side components and server-function endpoints. The vulnerability stems from an insecure deserialization logic: attacker-controlled HTTP requests, crafted in a particular way, can trick the server into interpreting malicious payloads — ultimately executing arbitrary JavaScript code on the server.
Because this vulnerability allows unauthenticated remote code execution (RCE), it is extremely dangerous. Even a simple, standard RSC setup can be compromised if not patched.
According to some analyses, around 39% of cloud environments may currently be running vulnerable instances of React or frameworks built on it.
What versions / packages are affected
The vulnerable packages and versions include:
- react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack — versions 19.0.0, 19.1.0, 19.1.1, 19.2.0
- Any applications or frameworks that bundle these packages — for example Next.js (with the App Router), or bundler plugins for RSC such as those for Vite, Parcel, etc.
If your application uses React Server Components (or depends on a framework/bundler that does), you are potentially exposed — even if you haven’t explicitly written server-functions yourself.
What has been done — and what you should do now
The maintainers of React responded immediately: patched releases have been made available. Specifically, upgrading to React 19.0.1, 19.1.2, or 19.2.1 (or later) fixes the vulnerability.
Similarly, frameworks that depend on React Server Components — like Next.js — have also published their patched versions.
If upgrading is not immediately possible, other immediate mitigations may help — for example, hosting providers and WAF / firewall protections could block exploit attempts; network-level access restrictions can also reduce exposure risk.
Security analysts are issuing urgent calls to action: this isn’t a theoretical vulnerability, but an actively exploitable risk — and in many instances, attacks are already underway.
Why this is a major security event
- The vulnerability allows full server-side compromise without authentication — attackers only need to send a crafted HTTP request.
- Because React (and frameworks built on top of it) are used widely across the web — the scale of affected environments could be huge.
- The breadth of impacted packages isn’t limited to “rare experimental features” — this affects default configs and many popular tools.
- Patches are available — but only by upgrading to fixed versions. Delays or oversight could lead to serious compromise.
What developers & organizations should do — actionable checklist
- Audit your dependencies. Check whether your project (or any of your dependencies) uses React Server Components packages (react-server-dom-*) at versions 19.0.0, 19.1.0, 19.1.1 or 19.2.0. Also check bundlers or frameworks (Next.js, Vite RSC plugin, Parcel RSC, etc.).
- Upgrade immediately to fixed versions: React 19.0.1 / 19.1.2 / 19.2.1 (or later), and updated versions of any affected frameworks or bundlers.
- If immediate upgrade is impossible: apply network-level mitigations — restrict access, use WAF/firewall rules, isolate RSC endpoints, and monitor logs for suspicious activity (e.g. unusual server-side code execution, high CPU usage, cryptomining scripts, unexpected file changes).
- Test & validate after upgrade: ensure that the upgraded versions are correctly deployed, and that no vulnerable code remains in dependencies. Preferably run security-scanning tools (community tools are emerging already, e.g. “React2Shell Scanners”) to validate your environment.
- Communicate with stakeholders. If your application serves external clients, inform them about the issue, the risk, and the mitigation steps you’ve taken — transparency helps manage trust and potential liability.
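As an added example for the audit step (this is not tooling from React, Next.js or the advisory), a small Node script that walks a package-lock.json (lockfile v2/v3 "packages" map, which also lists nested copies under a framework's own node_modules) and flags the react-server-dom-* versions named above; the sample lockfile embedded in it is constructed.

```javascript
// Added example: audit a package-lock.json for the vulnerable react-server-dom-*
// releases named in the advisory. Not React's own tooling; sample lockfile is constructed.
const VULNERABLE = new Set(['19.0.0', '19.1.0', '19.1.1', '19.2.0']);
const PACKAGES = ['react-server-dom-webpack', 'react-server-dom-parcel', 'react-server-dom-turbopack'];
// Minimum fixed release per minor line, as listed in the advisory text.
const FIXED = { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' };

// Lockfile v2/v3 keys installed packages by their node_modules path, e.g.
// "node_modules/some-framework/node_modules/react-server-dom-webpack" for a nested copy.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (!PACKAGES.includes(name)) continue;
    const version = (meta && meta.version) || '';
    if (!VULNERABLE.has(version)) continue;
    const minor = version.split('.').slice(0, 2).join('.');
    findings.push({ path, name, version, fixed: FIXED[minor] });
  }
  return findings;
}

// Constructed sample: one patched top-level copy, one vulnerable nested copy,
// and one vulnerable top-level copy of a different bundler variant.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.1' },
    'node_modules/some-framework/node_modules/react-server-dom-webpack': { version: '19.1.1' },
    'node_modules/react-server-dom-parcel': { version: '19.0.0' },
  },
};

// Report findings; pass a real lockfile path as the first argument to audit your project.
function report(lock) {
  const findings = auditLockfile(lock);
  for (const f of findings) console.log(`${f.path}: ${f.version} -> upgrade to ${f.fixed} or later`);
  if (findings.length === 0) console.log('no vulnerable react-server-dom-* versions found');
  return findings.length;
}

if (typeof require !== 'undefined' && require.main === module) {
  const lockPath = process.argv[2];
  report(lockPath ? JSON.parse(require('fs').readFileSync(lockPath, 'utf8')) : sampleLock);
}
```

Run it as `node audit-rsc.js path/to/package-lock.json`; a non-empty report means the fixed versions are not yet fully deployed, even if the top-level copy looks patched.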
Final thoughts
The disclosure of this vulnerability is a major wake-up call for the web ecosystem. What once seemed like a “next-generation feature” — server-side components, hybrid rendering, server functions — is now a potential attack vector, with real-world exploitation already occurring.
If your project uses React 19 with Server Components (or any framework bundling the vulnerable RSC packages), treat this as an incident: patch immediately, audit dependencies, enforce network controls, and verify mitigation.
Failing to do so could lead to server compromise, data theft, cryptomining, or other malicious exploitation — and given the ubiquity of React, the stakes are high.