
'Exploitation is imminent' as 39 percent of cloud environs have max-severity React hole

(2025/12/03)


A maximum-severity flaw in the widely used JavaScript library React, and in several React-based frameworks including [1]Next.js, allows unauthenticated, remote attackers to execute malicious code on vulnerable instances. The flaw is easy to abuse, and mass exploitation is "imminent," according to security researchers.

The React team [2]disclosed the unauthenticated remote code execution (RCE) vulnerability in React Server Components on Wednesday. It's tracked as [3]CVE-2025-55182 and received a maximum 10.0 CVSS severity rating.

This is a big deal because much of the internet is built on React – one estimate suggests 39 percent of cloud environments are vulnerable to this flaw. This issue therefore deserves a prominent place on your to-do list.


The bug affects versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:

[5]react-server-dom-webpack

[6]react-server-dom-parcel

[7]react-server-dom-turbopack

It also affects the default configuration of several React frameworks and bundlers including [8]next, [9]react-router, [10]waku, [11]@parcel/rsc, [12]@vitejs/plugin-rsc, and [13]rwsdk.

The project's maintainers say upgrading to versions [14]19.0.1, [15]19.1.2, and [16]19.2.1 fixes the flaw.
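
The affected and fixed versions above are exactly the kind of data a defender wants to check against a dependency tree. The following Node.js script is an added example, not code from The Register or from the React project: it walks a package-lock.json (v1 "dependencies" layout or v2/v3 "packages" layout), looks for the three react-server-dom-* packages named in the advisory, and flags any copy whose version falls in the affected set. It assumes that "19.0" in the advisory means 19.0.0, that 19.x minor lines not named in the advisory are not affected, and the sample lockfile embedded at the bottom is constructed for the example.

```javascript
// Added example (not from the article or the React project): flag affected
// React Server Components package versions in a package-lock.json.
//
// Affected per the advisory: 19.0 (assumed 19.0.0), 19.1.0, 19.1.1, 19.2.0.
// Fixed: 19.0.1, 19.1.2, 19.2.1.

const AFFECTED_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];

// First fixed patch level for each 19.x minor line, taken from the fixed
// releases in the advisory. Minor lines absent here are treated as unaffected
// (an assumption; the advisory does not name them).
const FIXED_PATCH = { 0: 1, 1: 2, 2: 1 };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(v));
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: m[3] === undefined ? 0 : +m[3] };
}

// True when the version is one of the affected React 19 releases.
function isAffected(version) {
  const v = parseVersion(version);
  if (!v || v.major !== 19) return false;
  const fixedPatch = FIXED_PATCH[v.minor];
  if (fixedPatch === undefined) return false;
  return v.patch < fixedPatch;
}

function record(findings, path, name, entry) {
  if (AFFECTED_PACKAGES.includes(name) && entry && entry.version && isAffected(entry.version)) {
    findings.push({ path, name, version: entry.version });
  }
}

// lockfileVersion 1: nested "dependencies" objects.
function walkV1(deps, prefix, findings) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = prefix + "node_modules/" + name;
    record(findings, path, name, entry);
    walkV1(entry.dependencies, path + "/", findings);
  }
}

// lockfileVersion 2/3: flat "packages" map keyed by install path.
function walkPackages(packages, findings) {
  const marker = "node_modules/";
  for (const [path, entry] of Object.entries(packages || {})) {
    if (!path) continue; // root project entry
    const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
    record(findings, path, name, entry);
  }
}

// lockfile: parsed package-lock.json object. Returns [{path, name, version}].
function scanLockfile(lockfile) {
  const findings = [];
  if (lockfile.packages) walkPackages(lockfile.packages, findings);
  else walkV1(lockfile.dependencies, "", findings);
  return findings;
}

// Constructed sample: one fixed copy, two affected copies (one nested under
// next), and a `react` entry that is not in the advisory's package list.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.1.1" },
    "node_modules/react-server-dom-parcel": { version: "19.2.1" },
  },
};

if (typeof require === "function" && require.main === module) {
  const fs = require("fs");
  const lockfile = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCKFILE;
  const findings = scanLockfile(lockfile);
  for (const f of findings) console.log(`AFFECTED ${f.name}@${f.version} at ${f.path}`);
  console.log(findings.length ? `${findings.length} affected package(s) found` : "no affected versions found");
}
```

Run it as `node scan.js path/to/package-lock.json`; with no argument it scans the embedded sample. Nested copies matter here because the article notes that frameworks such as next bundle their own react-server-dom-* dependency, so a top-level `npm ls` that only shows the hoisted copy can miss an affected one further down the tree.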


"We recommend upgrading immediately," the React team said in a Wednesday security advisory.

"CVE-2025-55182 represents a major risk to users of one of the world's most widely used web application frameworks," Benjamin Harris, founder and CEO of exposure management tools vendor watchTowr, told The Register. "Exploitation requires few prerequisites [and] there should be no doubt that in-the-wild exploitation is imminent as soon as attackers begin analyzing now-public patches."


Vercel, the creator and primary maintainer of Next.js, assigned its own CVE ([20]CVE-2025-66478) for the flaw, and issued an [21]alert and patch on Wednesday, too.

Few technical details have been published so far, but the bug lies in how React deserializes payloads sent to React Server Function endpoints.

"An unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves remote code execution on the server," the security alert warned. "Further details of the vulnerability will be provided after the rollout of the fix is complete."


Researcher Lachlan Davidson found and reported the flaw to Meta, which created the open source project, on Saturday. Meta worked with the React team to quickly roll out an emergency patch just four days later.

React is very widely used – Meta's Facebook and Instagram, Netflix, Airbnb, Shopify, Hello Fresh, Walmart, and Asana rely on it, as do millions of developers – and many frameworks depend on vulnerable React packages.

This CVE therefore puts much of the internet at risk.

"Wiz data indicates that 39 percent of cloud environments contain instances of Next.js or React in versions vulnerable to CVE-2025-55182 and/or CVE-2025-66478," the cloud security shop's threat hunters Gili Tikochinski, Merav Bar, and Danielle Aminov [23]said on Wednesday.


The [28]soon-to-be-Google-owned biz experimented with the flaw and fix, and reported that "exploitation of this vulnerability had high fidelity, with a near 100 percent success rate and can be leveraged to a full remote code execution."

"Due to the high severity and the ease of exploitation, immediate patching is required," the trio added.

At the time of writing, The Register could find no reports of in-the-wild exploitation. However, it is safe to assume that criminals are already reverse engineering the patches and scanning the internet for exposed, vulnerable instances.

"Due to the widespread use of React and frameworks like Next.js that are built on top of it, this vulnerability is expected to draw significant attention," Stephen Fewer, senior principal researcher at Rapid7, told The Register.

"The chances of technical details and exploit code being made publicly available are high, so exploitation is likely to occur soon," he said. "It is therefore critical to patch this vulnerability immediately."

Cloudflare customers may also wish to dig into the company’s [29]claim that its Web Application Firewall (WAF) protects them from the flaw, if their React application traffic is proxied through the WAF. ®




[1] http://next.js

[2] https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

[3] https://www.cve.org/CVERecord?id=CVE-2025-55182


[5] https://www.npmjs.com/package/react-server-dom-webpack

[6] https://www.npmjs.com/package/react-server-dom-parcel

[7] https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme

[8] https://www.npmjs.com/package/next

[9] https://www.npmjs.com/package/react-router

[10] https://www.npmjs.com/package/waku

[11] https://www.npmjs.com/package/@parcel/rsc

[12] https://www.npmjs.com/package/@vitejs/plugin-rsc

[13] https://www.npmjs.com/package/rwsdk

[14] https://github.com/facebook/react/releases/tag/v19.0.1

[15] https://github.com/facebook/react/releases/tag/v19.1.2

[16] https://github.com/facebook/react/releases/tag/v19.2.1


[20] https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp

[21] https://vercel.com/changelog/cve-2025-55182


[23] https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182


[28] https://www.theregister.com/2025/11/05/googles_32b_wiz_acquisition_its/

[29] https://blog.cloudflare.com/waf-rules-react-vulnerability/




FUD

Anonymous Coward

React is nothing to do with "cloud".

captain veg

React, or the web platform. Hmm, tricky. Oh, actually it's not. Just write plain JavaScript, CSS and HTML, nothing else required. I really don't get what all these nebulous "frameworks" actually offer other than external dependencies.

-A.

Cut the crud

O'Reg Inalsin

Exactly right. "React" is just a complex and bloated implementation of a generalized dependency graph. I.e., when some event happens only the necessary parts are updated. It would be much better to specify the dependency graph, the look and feel, and the logic interactions, and have a compiler-like generator produce the minimal optimized Web Assembly (WASM) (or JS+CSS+HTML or whatever) to implement it. Cut React/NPM completely out of the picture!

"Had he and I but met
By some old ancient inn,
We should have sat us down to wet
Right many a nipperkin!

But ranged as infantry,
And staring face to face,
I shot at him as he at me,
And killed him in his place.

I shot him dead because --
Because he was my foe,
Just so: my foe of course he was;
That's clear enough; although

He thought he'd 'list, perhaps,
Off-hand-like -- just as I --
Was out of work -- had sold his traps
No other reason why.

Yes; quaint and curious war is!
You shoot a fellow down
You'd treat, if met where any bar is
Or help to half-a-crown."
-- Thomas Hardy