
Act now! Aussie cyber agency issues urgent warning over critical React vulnerability

CVE-2025-55182, a critical RCE vulnerability in React Server Components, is ringing alarm bells among cyber experts.

Thu, 04 Dec 2025

The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) has issued an “act now” critical alert regarding a vulnerability in a popular open source software library, React.

CVE-2025-55182 was disclosed by React’s developers overnight on 3 December and has been a cause of some concern since then.

“ASD’s ACSC is aware of a critical vulnerability in React Server Components, which is used extensively in modern web applications,” the ASD said in its alert.


The vulnerability has a CVSS score of 10, making it about as critical as vulnerabilities can get. If exploited, it could allow an attacker to achieve unauthenticated remote code execution through several vulnerable packages, in versions 19.0, 19.1.0, 19.1.1, and 19.2.0:

react-server-dom-webpack
react-server-dom-parcel
react-server-dom-turbopack

According to the React team, a fix was introduced in versions 19.0.1, 19.1.2, and 19.2.1, and they recommend upgrading immediately.
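Since the affected packages and the patched versions are the concrete facts an operator can act on, here is a small lockfile audit that flags those packages when they sit below the fixed patch level the React team named. This is an added example, not code from Cyber Daily, React or VulnCheck; the package-lock.json content is constructed for illustration, and the "19.0" line in the advisory is treated as 19.0.0 for comparison purposes.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2 or 3) for the
// react-server-dom-* packages the React advisory lists for CVE-2025-55182.
// Not part of the article or the React project; sample lockfile is constructed.

const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// Patched versions as reported: 19.0.x -> 19.0.1, 19.1.x -> 19.1.2, 19.2.x -> 19.2.1.
// Keyed by "major.minor"; value is the first safe patch number on that line.
const FIXED_PATCH = { "19.0": 1, "19.1": 2, "19.2": 1 };

// Parse "19.2.0" (optionally "v19.2.0" or with a prerelease/build suffix).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(.*)$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], suffix: m[4] };
}

// Returns "not-affected" (package not in the advisory), "vulnerable",
// "patched", or "unlisted" (a line or prerelease the advisory text does not
// name; review manually rather than assuming it is safe).
function classify(name, version) {
  if (!AFFECTED_PACKAGES.has(name)) return "not-affected";
  const p = parseVersion(version || "");
  if (!p || p.major !== 19 || p.suffix) return "unlisted";
  const fixedPatch = FIXED_PATCH[`${p.major}.${p.minor}`];
  if (fixedPatch === undefined) return "unlisted";
  return p.patch < fixedPatch ? "vulnerable" : "patched";
}

// Walk the "packages" map; keys look like "node_modules/foo" or
// "node_modules/next/node_modules/foo" for nested copies, so the package
// name is whatever follows the last "node_modules/".
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const name = path.split("node_modules/").pop();
    if (!AFFECTED_PACKAGES.has(name)) continue;
    findings.push({ path, name, version: entry.version, status: classify(name, entry.version) });
  }
  return findings;
}

function countByStatus(findings) {
  const counts = { vulnerable: 0, patched: 0, unlisted: 0 };
  for (const f of findings) counts[f.status] = (counts[f.status] || 0) + 1;
  return counts;
}

// Constructed sample lockfile: one nested copy, one patched, two vulnerable.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.1" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.1.2" },
    "node_modules/react-server-dom-parcel": { version: "19.0.0" },
  },
};

// Usage: node audit.js [path/to/package-lock.json]; without an argument the
// constructed sample is audited.
(function main() {
  let lock = SAMPLE_LOCK;
  if (process.argv[2]) {
    const fs = require("fs");
    lock = JSON.parse(fs.readFileSync(process.argv[2], "utf8"));
  }
  const findings = auditLockfile(lock);
  for (const f of findings) console.log(`${f.status.padEnd(12)} ${f.name}@${f.version}  (${f.path})`);
  console.log(countByStatus(findings));
})();
```

The audit walks the `packages` map rather than the top-level `dependencies` list so that nested copies (a second copy pulled in under another package) are caught; a vulnerable nested copy is just as reachable as a hoisted one.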

Threat intelligence platform VulnCheck has some more details on the vulnerability and how it works.

“When a server receives a specially crafted React Flight payload, the internal deserialisation logic performs insufficient validation of its structure. By exploiting this weakness, an attacker can cause React to misinterpret attacker-controlled values as internal references or objects. This permits unintended server-side behaviours and can lead to the execution of server-privileged code paths within the React Server Components runtime,” VulnCheck said in a 3 December blog post.

“Next.js includes a general mechanism for handling React Server Actions, which relies on React’s server-side Flight deserialiser. Preliminary code analysis suggests that this deserialisation logic may be reachable by default, without requiring the presence of user-defined Server Actions or any route-specific discovery.”

Sounds bad? watchTowr’s CEO, Benjamin Harris, agrees.

“Today’s latest shenanigans – CVE-2025-55182, a CVSS 10 vulnerability in React – represents a major risk to users of one of the world’s most widely used web application frameworks,” Harris told Cyber Daily.

“While details remain limited, and exploitation requires few prerequisites, there should be no doubt that in-the-wild exploitation is imminent as soon as attackers begin analysing now-public patches. If you’ve got React served apps anywhere in your stack, you must move now: apply patches immediately, implement WAF mitigations, and actively hunt for any signs of exposure.”

You can learn more about CVE-2025-55182 in React’s disclosure post.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
