CVE-2025-55182, a critical RCE vulnerability in React Server Components, is ringing alarm bells among cyber experts.
The Australian Signals Directorate’s Australian Cyber Security Centre has issued an Act Now critical alert regarding a vulnerability in a popular open source software library, React.
CVE-2025-55182 was disclosed by React’s developers overnight on December 3, and has been a cause of some concern since then.
“ASD’s ACSC is aware of a critical vulnerability in React Server Components, which is used extensively in modern web applications,” the ASD said in its alert.
The vulnerability has a CVSS score of 10, making it about as critical as vulnerabilities can get. If exploited, it could allow an attacker to achieve unauthenticated remote code execution via several vulnerable packages, in versions 19.0, 19.1.0, 19.1.1, and 19.2.0:
react-server-dom-webpack
react-server-dom-parcel
react-server-dom-turbopack
According to the React team, a fix was introduced in versions 19.0.1, 19.1.2, and 19.2.1, and they recommend upgrading immediately.
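A quick inventory check a defender can run against a project's package-lock.json, written for this article and not code from the React project: it walks the lockfile's "packages" map for the three packages named above and classifies each installed copy against the versions the advisory lists. It assumes the article's "19.0" means 19.0.0, and reports any version the article does not name as "unlisted" rather than guessing; the lockfile below is a constructed sample.

```javascript
// Added example (not from the article or the React project): scan a
// package-lock.json (lockfile v2/v3 "packages" map) for the affected
// react-server-dom-* packages. Assumption: "19.0" in the advisory means
// 19.0.0; versions the advisory does not name are reported as "unlisted".
const AFFECTED_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];
const VULNERABLE_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
const FIXED_VERSIONS = new Set(["19.0.1", "19.1.2", "19.2.1"]);

// Classify one installed version against the advisory's lists.
function classifyVersion(version) {
  if (VULNERABLE_VERSIONS.has(version)) return "vulnerable";
  if (FIXED_VERSIONS.has(version)) return "patched";
  return "unlisted"; // not named in the article; consult the React disclosure
}

// Walk the lockfile's "packages" map. Keys look like "node_modules/<name>"
// or, for nested copies, "node_modules/<dep>/node_modules/<name>".
function scanLockfile(lockfile) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!AFFECTED_PACKAGES.includes(name) || !entry.version) continue;
    findings.push({ path, name, version: entry.version, status: classifyVersion(entry.version) });
  }
  return findings;
}

// Constructed sample: one vulnerable top-level copy, one patched copy, and a
// vulnerable copy nested under another dependency (easy to miss by hand).
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.1" },
    "node_modules/some-lib/node_modules/react-server-dom-parcel": { version: "19.1.1" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  // Pass a real lockfile path as the first argument; otherwise use the sample.
  const file = process.argv[2];
  const lock = file ? JSON.parse(require("node:fs").readFileSync(file, "utf8")) : SAMPLE_LOCKFILE;
  for (const f of scanLockfile(lock)) {
    console.log(`${f.status.padEnd(10)} ${f.name}@${f.version} (${f.path})`);
  }
}
```

Run it as `node scan.js ./package-lock.json` to check a real project; any "vulnerable" line is a copy to upgrade to 19.0.1, 19.1.2 or 19.2.1.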
Threat intelligence platform VulnCheck has some more details on the vulnerability and how it works.
“When a server receives a specially crafted React Flight payload, the internal deserialization logic performs insufficient validation of its structure. By exploiting this weakness, an attacker can cause React to misinterpret attacker-controlled values as internal references or objects. This permits unintended server-side behaviors and can lead to the execution of server-privileged code paths within the React Server Components runtime,” VulnCheck said in a December 3 blog post.
“Next.js includes a general mechanism for handling React Server Actions, which relies on React’s server-side Flight deserializer. Preliminary code analysis suggests that this deserialization logic may be reachable by default, without requiring the presence of user-defined Server Actions or any route-specific discovery.”
Sounds bad? watchTowr’s CEO, Benjamin Harris, agrees.
“Today’s latest shenanigans – CVE-2025-55182, a CVSS 10 vulnerability in React – represents a major risk to users of one of the world’s most widely used web application frameworks,” Harris told Cyber Daily.
“While details remain limited, and exploitation requires few prerequisites, there should be no doubt that in-the-wild exploitation is imminent as soon as attackers begin analysing now-public patches. If you’ve got React served apps anywhere in your stack, you must move now: apply patches immediately, implement WAF mitigations, and actively hunt for any signs of exposure.”
You can learn more about CVE-2025-55182 in React’s disclosure post.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.