Experts warn this 'worst case scenario' React vulnerability could soon be exploited - so patch now

News
By published

React patches a 10/10 flaw

Closing the cybersecurity skills gap
(Image credit: Shutterstock)
  • Critical React flaw (CVE-2025-55182) enables pre-auth RCE in React Server Components
  • Affects versions 19.0–19.2.0 and frameworks like Next, React Router, Vite; patches released in 19.0.1, 19.1.2, 19.2.1
  • Experts warn exploitation is imminent with near 100% success rate; urgent upgrades strongly advised

React is one of the most popular JavaScript libraries, which powers much of today’s internet. Researchers recently discovered a maximum-severity vulnerability. This bug could allow even the low-skilled threat actors to execute malicious code (RCE) on vulnerable instances.

Earlier this week, the React team published a new security advisory detailing a pre-authentication bug in multiple versions of multiple packs, affecting React Server Components. The versions that are affected include 19.0, 19.1.0, 19.1.1, and 19.2.0, of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack.

The bug is now tracked as CVE-2025-55182, and was given a severity score of 10/10 (critical).

Nord Pass
Nord Pass: at go.nordpass.io

Catch the price drop- Get 30% OFF for Enterprise and Business plans

The Black Friday campaign offers 30% off for Enterprise and Business plans for a 1- or 2-year subscription. It’s valid until December 10th, 2025. Customers must enter the promo code BLACKB2B-30 at checkout to redeem the offer.

View Deal

Exploitation imminent - no doubt about it

Default configurations of multiple React frameworks and bundlers are also affected by this bug, it was said, including next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk.

Versions that have addressed the bug are 19.0.1, 19.1.2, and 19.2.1, and React urges all users to apply the fix as soon as possible. "We recommend upgrading immediately," the React team said.

According to The Register, React powers almost two in five of all cloud environments, so the attack surface is large, to put it mildly. Facebook, Instagram, Netflix, Airbnb, Shopify, and other giants of today’s web, all rely on React - as well as millions of other developers.

Benjamin Harris, founder and CEO of exposure management tools vendor watchTowr, told the publication that the flaw will “no doubt” be exploited in the wild. In fact, abuse is “imminent” he believes, especially now that the advisory has been published.

Wiz managed to test the bug and says that “exploitation of this vulnerability had high fidelity, with a near 100% success rate and can be leveraged to a full remote code execution”.

In other words, now is not the time to slack - patching this flaw should be everyone’s number one priority.

Via The Register

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.