Admins and defenders gird themselves against maximum-severity server vulnerability

“I often don’t say this, but patch right freakin’ now,” one researcher wrote. “The React CVE listing (CVE-2025-55182) is a perfect 10.”

React versions 19.0.1, 19.1.2, and 19.2.1 contain the fix; the vulnerable code is in earlier React 19 releases (19.0.0 through 19.2.0). Third-party components known to be affected include:

  • Vite RSC plugin
  • Parcel RSC plugin
  • React Router RSC preview
  • RedwoodSDK
  • Waku
  • Next.js

According to Wiz and fellow security firm Aikido, the vulnerability, tracked as CVE-2025-55182, resides in Flight, the serialization protocol used by React Server Components. Next.js has assigned CVE-2025-66478 to track the same vulnerability in its own package.

The vulnerability stems from unsafe deserialization: the process of converting strings, byte streams, and other “serialized” formats back into objects or data structures in code. Attackers can exploit the insecure deserialization with payloads that execute malicious code on the server. Patched React versions add stricter validation of incoming payloads and hardened deserialization behavior.

“When a server receives a specially crafted, malformed payload, it fails to validate the structure accurately,” Wiz explained. “This permits attacker-controlled data to influence server-side execution logic, leading to the execution of privileged JavaScript code.”

The company added:

In our experimentation, exploitation of this vulnerability had high fidelity, with a near 100% success rate, and could be leveraged to full remote code execution. The attack vector is unauthenticated and remote, requiring only a specially crafted HTTP request to the target server. It affects the default configuration of popular frameworks.
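To make the bug class concrete, here is an added example, not React’s Flight implementation and not code from Wiz, Aikido, Next.js or any project named above: a toy server-side deserializer in which a client-supplied reference string is walked through a registry with plain property access, beside a hardened version that validates the payload’s structure before anything is looked up or called. The `$ref`/`$call` wire tags, the `registry`, and the two payloads are all constructed for the demo.

```javascript
// Added example (not React's or Next.js's code): a toy server-side
// deserializer for a JSON wire format in which {"$ref": "<name>"} means
// "look up a server function" and {"$call": <fn>, "args": [...]} means
// "invoke it". The tags, registry and payloads are assumptions made for
// this demo; they are not the real Flight protocol.

// Assumed registry of functions the server intends to expose.
const registry = {
  greet: (name) => `hello ${name}`,
  add: (a, b) => a + b,
};

// Vulnerable: trusts the reference string and walks it through the registry
// with plain property access. "constructor.constructor" therefore resolves
// to Function, so the client can compile and run arbitrary source on the
// server. This is attacker data steering server-side execution logic.
function unsafeDeserialize(node) {
  if (Array.isArray(node)) return node.map(unsafeDeserialize);
  if (node && typeof node === "object") {
    if ("$ref" in node) {
      return node.$ref.split(".").reduce((cur, key) => cur[key], registry);
    }
    if ("$call" in node) {
      const fn = unsafeDeserialize(node.$call);
      const args = unsafeDeserialize(node.args ?? []);
      return fn(...args);
    }
    const out = {};
    for (const [k, v] of Object.entries(node)) out[k] = unsafeDeserialize(v);
    return out;
  }
  return node;
}

// Hardened: validate structure before it can influence execution. A $ref
// must name an own, enumerable registry entry (no dotted paths, no walk up
// the prototype chain), a $call must target a $ref node directly rather
// than the result of another call, keys that reach prototypes are refused,
// and nesting depth is bounded.
const MAX_DEPTH = 32;

function safeDeserialize(node, depth = 0) {
  if (depth > MAX_DEPTH) throw new Error("payload too deeply nested");
  if (Array.isArray(node)) return node.map((n) => safeDeserialize(n, depth + 1));
  if (node && typeof node === "object") {
    if ("$ref" in node) {
      const name = node.$ref;
      if (typeof name !== "string" || !Object.hasOwn(registry, name)) {
        throw new Error(`unknown server reference: ${String(name)}`);
      }
      return registry[name];
    }
    if ("$call" in node) {
      const target = node.$call;
      if (!target || typeof target !== "object" || !("$ref" in target)) {
        throw new Error("$call must name a registered function directly");
      }
      const fn = safeDeserialize(target, depth + 1);
      if (!Array.isArray(node.args)) throw new Error("args must be an array");
      const args = node.args.map((a) => safeDeserialize(a, depth + 1));
      return fn(...args);
    }
    const out = {};
    for (const [k, v] of Object.entries(node)) {
      if (k === "__proto__" || k === "constructor" || k === "prototype") {
        throw new Error(`forbidden key: ${k}`);
      }
      out[k] = safeDeserialize(v, depth + 1);
    }
    return out;
  }
  if (node === null || ["string", "number", "boolean"].includes(typeof node)) return node;
  throw new Error(`unsupported value type: ${typeof node}`);
}

// Constructed payloads. The benign one works in both deserializers. The
// malicious one reaches Function through the prototype chain and runs
// attacker-supplied source (here just "return 6*7", to keep the demo harmless).
const benignPayload = { $call: { $ref: "greet" }, args: ["bob"] };
const maliciousPayload = {
  $call: { $call: { $ref: "constructor.constructor" }, args: ["return 6*7"] },
  args: [],
};

// Helper for checking that the hardened path refuses a payload.
function safeRejects(payload) {
  try { safeDeserialize(payload); return false; } catch { return true; }
}
```

Run it with Node: `unsafeDeserialize(maliciousPayload)` returns 42, showing that attacker-supplied source was compiled and executed, while `safeDeserialize` on the same payload throws at the first structural check. The fix is not a blocklist of dangerous strings but a positive grammar: only shapes the server expects are accepted, and references are resolved by an own-property lookup against an allowlist.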

Both companies are advising admins and developers to upgrade React and any dependencies that depend on it. Users of any of the RSC-enabled frameworks and plugins mentioned above should check with the maintainers for guidance. Aikido also suggests admins and developers scan their codebases and repositories for any use of React with this link.
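As an added example of the codebase scan suggested above (not Aikido’s or Wiz’s tooling), the following Node script walks an npm lockfile’s `packages` map and flags React packages that are older than the fixed releases named in this article. The package list is illustrative, the sample lockfile is constructed, and the script assumes that 19.x minor lines not listed in the fix table, and releases before 19.0.0, are not affected.

```javascript
// Added example (not Aikido's or Wiz's scanner): flag React packages in an
// npm lockfile that are below the fixed releases 19.0.1 / 19.1.2 / 19.2.1.
// Assumptions: the package list below is illustrative (check the advisory
// for the full set); 19.x minor lines not in FIXED and pre-19 releases are
// treated as not affected.

// Packages that ship or depend on the server-side Flight decoder.
const RSC_PACKAGES = new Set([
  "react",
  "react-dom",
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// First patched release per affected minor line (from the article above).
const FIXED = { 0: "19.0.1", 1: "19.1.2", 2: "19.2.1" };

// "19.2.0-canary.1" -> [19, 2, 0]; anything unparseable -> null.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True if `version` is a React 19 release older than the fix for its minor line.
function isVulnerableReactVersion(version) {
  const v = parseVersion(version);
  if (!v || v[0] !== 19) return false;
  const fixed = FIXED[v[1]];
  if (!fixed) return false; // minor line not in the advisory: assumed fixed
  return compare(v, parseVersion(fixed)) < 0;
}

// Walk the lockfile's "packages" map (npm lockfile v2/v3). Keys look like
// "node_modules/react" or "node_modules/next/node_modules/react", so nested
// copies pulled in by a framework are caught as well as the top-level one.
function findVulnerable(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages ?? {})) {
    if (!path) continue; // "" is the root project entry
    const name = meta.name ?? path.split("node_modules/").pop();
    if (!RSC_PACKAGES.has(name) || !meta.version) continue;
    if (isVulnerableReactVersion(meta.version)) {
      const minor = parseVersion(meta.version)[1];
      hits.push({ path, name, version: meta.version, fixed: FIXED[minor] });
    }
  }
  return hits;
}

// Constructed sample lockfile for the demo: one vulnerable top-level react,
// one patched react-dom, one vulnerable copy nested under a framework.
const sampleLock = {
  packages: {
    "": { name: "my-app" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-dom": { version: "19.2.1" },
    "node_modules/next/node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

const report = findVulnerable(sampleLock);
for (const h of report) {
  console.log(`${h.path}: ${h.name}@${h.version} -> upgrade to ${h.fixed}`);
}
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. Scanning the lockfile rather than `package.json` matters here because the vulnerable decoder is usually pulled in transitively by a framework such as Next.js, and a caret range in `package.json` says nothing about which copy is actually installed.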
