
A critical security flaw has been discovered in React, one of the most widely used JavaScript libraries for building websites. The bug enables external attackers to run privileged, arbitrary code on servers without any authorization.
React Server Components (RSC) run on the server instead of the browser and stream the rendered output to clients (browsers). However, the packages that implement this server-side rendering were found to contain a critical vulnerability with a maximum 10 out of 10 severity rating.
Administrators are urged to upgrade immediately.
The vulnerability “allows unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints,” the React Team said in an advisory.
“Even if your app does not implement any React Server Function endpoints, it may still be vulnerable if your app supports React Server Components.”
Labeled CVE-2025-55182, the bug is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of three packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack.
“If you are using any of the above packages, please upgrade to any of the fixed versions immediately,” the team said.
The fixed versions are 19.0.1, 19.1.2, and 19.2.1, respectively.
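The following is an added example, not code from the article or the React project: a small inventory check that walks a parsed npm package-lock.json (lockfileVersion 2/3 "packages" map) and flags installed copies of the three affected packages, including copies nested under a framework such as Next.js. The vulnerable/fixed boundary is derived from the versions listed above (19.0.x below 19.0.1, 19.1.x below 19.1.2, 19.2.x below 19.2.1); the lock file contents are constructed sample data, and prerelease/canary versions are reported for manual review rather than judged.

```javascript
// Affected packages named in the advisory.
const AFFECTED_PACKAGES = new Set([
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
  "react-server-dom-webpack",
]);
// First fixed patch release per 19.x minor line, from the fixed versions
// 19.0.1, 19.1.2 and 19.2.1 (affected: 19.0, 19.1.0, 19.1.1, 19.2.0).
const FIXED_PATCH_BY_MINOR = { 0: 1, 1: 2, 2: 1 };

// Classify one installed version string against the advisory.
function assess(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  if (!m) return { status: "review", fixed: null }; // canary/prerelease: check manually
  const [major, minor, patch] = m.slice(1).map(Number);
  if (major !== 19 || !(minor in FIXED_PATCH_BY_MINOR)) {
    return { status: "not-in-advisory", fixed: null };
  }
  const fixedPatch = FIXED_PATCH_BY_MINOR[minor];
  const fixed = `19.${minor}.${fixedPatch}`;
  return { status: patch < fixedPatch ? "vulnerable" : "fixed", fixed };
}

// Walk every installed package (including nested node_modules) and report
// entries that are vulnerable or need manual review, with the target version.
function findVulnerableReactServerDom(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop(); // last segment is the package name
    if (!AFFECTED_PACKAGES.has(name) || !entry.version) continue;
    const { status, fixed } = assess(entry.version);
    if (status === "vulnerable" || status === "review") {
      findings.push({ path, name, version: entry.version, status, upgradeTo: fixed });
    }
  }
  return findings;
}

// Constructed sample: a trimmed package-lock.json with one direct and one
// framework-nested install of the affected packages (hypothetical versions).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.1.2" },
    "node_modules/react-server-dom-parcel": { version: "19.0.0" },
  },
};

console.log(findVulnerableReactServerDom(SAMPLE_LOCK));
```

Against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` instead of the sample; the check is a version inventory only and says nothing about whether an endpoint has already been probed.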
The React Team also stated that it has been collaborating with hosting providers to implement temporary mitigations. However, admins should not depend on these to secure their app and should still update immediately.
This critical bug cascades down to many other React frameworks and bundlers, including Next.js, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, rwsdk, and others.
The maintainers of Next.js, a popular React framework for server-side rendering and static website generation, released a separate security advisory, urging users to upgrade to the latest patched versions.
Researchers from cloud security company Wiz estimate that 39% of cloud environments contain vulnerable React and Next.js instances.
“Regarding Next.js, the framework itself is present in 69% of environments. Notably, 61% of those environments have public applications running Next.js, meaning that 44% of all cloud environments have publicly exposed Next.js instances,” Wiz Research said.
Cloudflare said it has already deployed new protections to address the flaw, and all the company’s customers are now automatically protected.
“Worst-case scenario” bug
Some developers have already compared this bug to a “worst case scenario,” because untrusted client input can completely compromise the server.
An attacker-controlled input can affect server execution logic and ultimately run privileged JavaScript code.
Attackers can simply craft a malicious HTTP request and send it to any vulnerable Server Function endpoint, which, when deserialized by React, enables remote code execution on the server.
“In our experimentation, exploitation of this vulnerability had high fidelity, with a near 100% success rate, and can be leveraged to full remote code execution. The attack vector is unauthenticated and remote, requiring only a specially crafted HTTP request to the target server. It affects the default configuration of popular frameworks,” the Wiz researchers explain.
Millions of websites are likely vulnerable to these types of attacks.
“This vulnerability is basically the worst-case version of what people have been warning about since RSC/server actions were introduced,” a software developer posted on HackerNews.
Upgrading React and dependencies to the hardened version is the only definitive mitigation, and RSC-enabled frameworks should also be updated immediately.
Meta has also released an advisory confirming a pre-authentication remote code execution vulnerability.
“The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints,” the description shared by the National Vulnerability Database reads.
It seems that proof-of-concept code is already publicly available on GitHub, and the exploitation of the flaw is likely imminent.