“I don’t often say this, but patch right freakin’ now,” one researcher wrote. “The React CVE listing (CVE-2025-55182) is a perfect 10.”
React versions 19.0.1, 19.1.2, or 19.2.1 contain the vulnerable code. Third-party components known to be affected include:
- Vite RSC plugin
- Parcel RSC plugin
- React Router RSC preview
- RedwoodSDK
- Waku
- Next.js
According to Wiz and fellow security firm Aikido, the vulnerability, tracked as CVE-2025-55182, resides in Flight, a protocol found in React Server Components. Next.js has assigned the designation CVE-2025-66478 to track the vulnerability in its package.
The vulnerability stems from unsafe deserialization, the coding process of converting strings, byte streams, and other “serialized” formats into objects or data structures in code. Hackers can exploit the insecure deserialization using payloads that execute malicious code on the server. Patched React versions include stricter validation and hardened deserialization behavior.
“When a server receives a specially crafted, malformed payload, it fails to validate the structure correctly,” Wiz explained. “This allows attacker-controlled data to influence server-side execution logic, resulting in the execution of privileged JavaScript code.”
The company added:
In our experimentation, exploitation of this vulnerability had high fidelity, with a near 100% success rate and can be leveraged to a full remote code execution. The attack vector is unauthenticated and remote, requiring only a specially crafted HTTP request to the target server. It affects the default configuration of popular frameworks.
Both companies are advising admins and developers to upgrade React and any dependencies that rely on it. Users of any of the RSC-enabled frameworks and plugins mentioned above should check with the maintainers for guidance. Aikido also suggests admins and developers scan their codebases and repositories for any use of React using this link.